#setuptools

Should old distutils stuff like https://github.com/pypa/setuptools/blob/main/setuptools/_distutils/command/bdist_rpm.py be considered unstable/deprecated?

My understand is yes.

Setuptools is trying to get out of the business of "do everything about packaging" to "be a pyproject.toml based backend with a setup.py file".

(as I understand it anyway)

P Ganssle's post even says that, although he likely used much better words.

just wanted to confirm as I'm switching Django away from setup.py and a triager asked me to post on their mailing list b/c they had a python setup.py bdist_rpm script which I think is unused

https://groups.google.com/g/django-developers/c/_bublVB5dcw

There are also multiple tools to create RPM either from wheel or the source tree, Red Hat also was/is working on a new tool to create RPMs for their Python packages. They can also switch to one of those if RPM is really needed.

bdist_rpm is no longer supported by PyPI (along with some other old formats):
https://github.com/pypi/warehouse/issues/6792
https://peps.python.org/pep-0527/#bdist-rpm

and is deprecated in setuptools itself:
https://github.com/pypa/setuptools/issues/1988
https://github.com/pypa/setuptools/blob/main/setuptools/command/bdist_rpm.py

hi all - does pkg_resources pull latest information from repositories like pypi or is it only an interface to what is locally currently known about packages?
(i want to check the version of a package and see if it is outdated, so i need to know if i should bother using the pypi api or just use pkg_resources 🙂)

It is only an interface to query locally installed packages (and a disfavoured one—you should use importlib.metadata instead)

packaging isn't discouraged, right?

It’s not, but its feature set is discrete to importlib.metadata (pkg_resources actually depends on packaging internally)

I know it's discrete to importlib.metadata which is why I ask since some of the stuff pkg_resources exposes is available in packaging

Cheers!

Those pkg_resources expose are mostly copied/backported from packaging! packaging + importlib.metadata is the intended successor combo to pkg_resources

Any pointers on who are the best folks to reach out to, regarding a security report in setuptools?

@dreamy urchin see ☝🏻

setuptools 64.0, exciting!

(not out yet)

(but incredibly close)

(CI takes time :P)

I am anxiously waiting for the backlash 🤣

mr runner, please pick up the job!

What’s new?

pep660 editable installs

and [insert the rest of the changelog]

but mostly editable installs

there's a strictness option for the editable installs, I'm not sure if that's new

seems to be new, yeah

aaand, it's here

I am a very verbose person it seems

I promote changelog reading :)

(But I am indeed verbose 😛
Well, better to fail for the excess of information than the lack)

🎉

@dreamy urchin Thank you for all the work you have done on this. ❤️

But more verbose than me though?

It's not a competition. :P

No, its a CAMpetition

...I'll go now

I needed that, I'm currently head deep debugging a bug caused by runtime monkeypatching and I'm losing my mind

oh goodness sake of course it's caused by mypyc

gahhh, mypyc compiles imports in functions as if they existed in the module scope, polluting globals >.< ... OK I'll go now.

Only two pip tests failing with setuptools 64. Could have been worse 😅. I was worried the pip test suite was more dependent on legacy editable installs.

Would only having two tests total for editable installs count as being "not too dependent" on them? /s 😆

😔

https://github.com/pypa/setuptools/issues/3518

The solution proposed by Bernart in the email thread seems very reasonable (having an additional json file listing the package/module locations). There seems to be some level of consensus at least on the packaging side, but we would need the buy-in from the static analysis tool side.

At the risk of complicating the installation logic further have you considered using symlinks for lax installs like you do for strict? At least then only Windows users will have to suffer and who cares about them ;)

I do, and so do many other people. For example, most students only have access to a Windows machine, especially at school.

Treating the most popular consumer OS as a second class citizen is... something I'd hoped we'd learnt as a community to stop doing for the sake of it.

We'd be selecting a different installation method based on the operating system's capabilities. I'm not suggesting that the existing method is removed

I don't need to be lectured on the importance of Windows for a comment I obviously made in jest

I have considered trying symlinks when possible, but then I dismissed the idea because I am very weary of the complexity of the code...

(Side note, strict install should work on Windows because it falls back to hard links... but hard links don't work with directories)

Another side note: a downside of using a link farm is that we currently don't have a interface to talk to users "Please be careful to not delete the directory X". I tried to use warnings but they are supressed by pip 😜

Do we need a pep517 extension to let backend communicate warnings to frontend?

I would very much be looking for something like that

In the lastest implementation, I added a series of warnings talking about the limitations of each method + this one about not deleting the directory that contains the link farm

https://github.com/pypa/packaging-problems/issues/558

We might want to yank the latest setuptools, the editable issue is affecting quite a few people doing namespace packages

Hi @river oak, I encourage anyone facing problems to create a reproducer in the setuptools issues.

I agree that pkgutil/pkg_resources-namespaces can be tricky to handle for flat-layout projects. But the implementation offers many tweaks that can be made for those to work (editable-mode=strict, editable-mode=compat, SETUPTOOLS_ENABLE_FEATURES="legacy-editable").
PEP 420 namespaces should work out of the box.

The implementation using import hooks for flat-layouts is meant to be a compromise solution between the 2 distinct views discussed in the context of PEP 660. The minimal guarantee this implementation seeks is to prevent spurious files/packages/modules to end up in sys.path, which I believe many people in the community agree to be a flawed behaviour.

The implementation also allows us to fix historical issues with custom package_dir mapping.

oof Airflow's setup.py looks very complex

Implementations tend to grow complex with time. Any backend that supports extensions can be used to refactor (which includes setuptools). Documentation on custom build steps can be found at https://setuptools.pypa.io/en/latest/userguide/extension.html.

80% of that is just combining extras into other extras (the logic far predates pip’s resolver so it needed to flatten those extras to make things work)

I've got a _core.so (generated) & _core/__init__.pyi; setuptools is complaining about _core not being found with packages = find: and that it will be removed from package data soon. I don't think I want to add __init__.py, since it's only there for type info about the compiled file.

Should __init__.pyi modules also be found like a package?

That sounds very reasonable. I might try to have a look on that over the weekend (sorry I got very busy this week).

I am curious: is the _core package top-level? (I understand that you don't have a _core.pyi because otherwise it would not be included as package_data...)

Nope, not top level, it's boost_histogram._core, which has submodules built-in, so there are several _core/*.pyi files - even one _core/axis/*.pyi folder too.

I see, that makes sense :)

I wish I could shake the hand of whoever did the editable install machinery in 65.x -- this is amazing. My org has a super large monorepo namespace package that was impossible to make editable the old way, and this is about to make our development loop MUCH more enjoyable

I guess I just wanted to come here and say thank you x 1000 😅

A setup.cfg question.

I'm trying to find a way to define dependencies between libraries living in a monorepo as installable source directories. I finally found a way to do it with https://peps.python.org/pep-0440/#direct-references e.g.:

./lib/
    foo/
    moo/ # depends on foo can have the following in install_requires

f"my_package @ file://localhost/{path_to_foo}#egg=foo

• egg is probably not needed
• and path_to_foo is an installable source directory

It appears however that this wants an absolute path, and if I'm using setup.cfg there's no way to construct such path using cwd or os.environ.

❓❓❓
Do you know if this must be an absolutely path?
Do you know if there are ways to achieve dynamic path using declarative config?

CC: @nimble bridge

After reading through the first 3 pages in Google and some of setuptools code I conclude that this isn't possible. String interpolation is done via configparser.ConfigParser and there's no way I can see for env variables to be injected. Sadly I may have to go back to using setup.py 🙂

#egg=whatever is definitely not needed. This is an alternative syntax before the name @ url form was standardised, and is ignored in the form you mentioned.
The path must be absolute. The standard package metadata does not allow relative paths or environment variable expansion in package specification.
Various workflow tools support referring to a relative path with various tool-specific syntaxes, but you can’t do this in setup.cfg

Thank you for confirming this!

@tiny mountain Hatch supports that https://hatch.pypa.io/latest/config/dependency/#local

is PEP 685 implemented?

https://github.com/pypa/setuptools/issues/3586

Since [tool.setuptools] table is still in beta, should I prefer using setup.py for configuration such as license_files, options.packages, and options.packages.find to avoid releasing an sdist that could in future not be buildable?

And second thing, I noticed thatinclude_package_data now defaults to True, is that specific to projects that migrated to using PEP 621 pyproject.toml or all projects? And can I rely on this staying the new default if I use pyproject.toml?

hmm I do also wonder, does setuptools support having all 3 files at the same time

lol

what are your licence files called? if they match any of LICEN[CS]E*, COPYING*, NOTICE*, and AUTHORS then setuptools will automatically add them and you can skip license_files altogether https://setuptools.pypa.io/en/latest/references/keywords.html?highlight=license_files#keywords

I think you can indeed have all three files, but it will only read the info from one file. I'm not sure in which order

does that work recursively

actually nevermind

wouldn't work for me either way

I distribute a license for a vendored dependency using a name project-name.LICENSE (which is actually why I added license_files field instead of relying on the default as I did before)

You can mix and match pyproject.toml and setup.py (requires you to set dynamic in pyproject.toml) or setup.cfg and setup.py so I was wondering if I could also mix and match all 3 together

in case of setup.cfg, setup.py takes precedence if both set the same field

in case of pyproject.toml it's simply not possible to set in both since you have to declare it as dynamic field

So if mixing all 3 together worked, I would expect to need to use dynamic for any field set in setup.cfg or setup.py and for any set in both setup.cfg and setup.py it would just use the same precedence as without pyproject.toml

but yeah, I don't know if it does and whether it's supposed to 😄

Hmm, I'm now not even sure that using license_files in setup.py would save me as once it becomes part of [project] table, me using it in setup.py means that it would at some point probably start erroring out due to not being specified in dynamic field.

i'm working with some colleagues on reliably rebuilding wheels for a bunch of PyPI packages, and we just realized that setuptools' --py-limited-api only controls the filename of the generated wheel, and doesn't actually enforce that the underlying build is abi3 compatible with whichever Python version is passed into the flag. is that behavior documented anywhere?

(i see it mentioned in the changelog here: https://setuptools.pypa.io/en/latest/history.html?highlight=py_limited_api#v25-4-0, but i'm curious if it's also mentioned anywhere more visible)

Is there a way to pass custom setup keyword arguments via setup.cfg or pyproject.toml? Plugins can add custom keyword arguments, but don't see a way to pass them except via setup(), so just curious.

It seems like a very tried-and-true design pattern for packages + package-data somehow became deprecated:

setup.py
my_package/
  __init__.py
  __main__.py
  ...
  data/
    subdir1/
      data1.yaml
      data2.yaml
    subdir2/
      data3.yaml
      data4.yaml

There's a new warning about my_package.data.subdir1 is deprecated as "data" and should be listed in "packages".

What? Why should something that's not a package be listed in packages? What's the advice about "package namespace search" to discover these directories and list them as packages? (possible relevant discussion : https://github.com/pypa/setuptools/discussions/3323)

@dreamy urchin ^

@patent lotus please refer to the discussion in https://github.com/pypa/setuptools/issues/3340

The pattern is not deprecated, but in the light of Python's behavior since PEP 420, the configuration needs to be adapted to eliminate ambiguity

copy, thanks for the link 🙂

Still thinking about ways to host multiple libraries under the same namespace in the same monorepo.
Just wanted to bounce ideas, and get feedback from the gururs of setuptools 🙂
I want to use package_dir={'': '$MONOREPO_ROOT'} to host all libraries under the same folder structure:

$MONOREPO_ROOT:
company/
    lib/ 
        foo/
            setup.py # package/import names are company.lib.foo
        moo/
            setup.py # package/import names are company.lib.moo

Each setup.py would use package_dir to point at the very top of the hierarchy and would only include its own subfolders. Do you see issues with this? Have you seen this done before? I'm not sure how I would express dependencies between libraries using this schema.

Apparently it is not possible to use an extra to pin dependencies, I tried and ended up raising a bug https://github.com/pypa/setuptools/issues/3740

https://setuptools.pypa.io/en/latest/userguide/pyproject_config.html#setuptools-specific-configuration

if I understand correctly, script-files installs a script file to .data/scripts`, right?

if that's the case, why is that deprecated?

Isn't that because the preferred approach for a long time has been to use a console_scripts entrypoint instead, with the business logic inside the package (like with data_files vs. package_data? Or is there something I'm missing here?

yes, but if you want to include other kind of scripts, console entrypoints are not great

You mean like non-Python scripts?

yeah

Ah, I see. Do any other non-Setuptools build backends support that?

we support it in meson-python

IIRC, setuptools also checks the shebang line so the script must be a plain text file.

I tried putting a binary executable in that field(or scripts= in setup() function) in my project but it doesn't work

gotcha

@lusty dome Any thoughts on whether pkg_resources/setuptools could migrate to platformdirs instead of using + vendoring appdirs?

Actually, there's a different idea as well, described here: https://github.com/pypa/pip/pull/11689#issuecomment-1375668571

Yes. I've only become aware of platformdirs recently. It would still need to be vendored.

I'm hoping to dive into setuptools issues tomorrow.

I responded in that issue. I hope my tone is "matter of fact" and not hostile. I expressed some preferences/perspective, but am legitimately okay with whatever direction the pip maintainers wish to take.

Thanks for your responses! ❤️

I don't have time right now to write fully polished replies right now. 😅

But I've written some scrappy replies that I've not tried to polish the language of, so please don't take those as strong opinions or whatnot.

I was looking at this PR I was at-mentioned on, which I think will fix the imp removal blocker for Python 3.12: https://github.com/pypa/setuptools/pull/3685

As mentioned in my comment, I see a bunch of failures from tox, but it's also unclear to me how I can create a local whl from this branch to drop in and try on my CPython branch. The setuptools dev guide doesn't explain that process. Does only @lusty dome know how that works?

I'd half expect standard build tools to work. Does build not do that? Actually, looks like pip wheel git+https://github.com/abravalheri/setuptools@issue-3631 does the trick.

And of course, if you don't actually need a wheel, just pip install the same target.

Yeah, I guess I was looking for something codified in the tox.ini. I do need a wheel because I want to try to drop it into my "imp module removal" CPython branch and see if that unblocks that PR.

i was switching over an old extension module at work to use build instead of pip wheel, but it broke rather mysteriously

after a while, i was able to track down the problem to a bug in the setup.py script that got exposed when __file__ was a relative path instead of an absolute one

relative path when built via build: https://github.com/pypa/setuptools/blob/245da5441248eeb2d575034d04cbc241bf545161/setuptools/build_meta.py#L329
absolute path when built via pip wheel:
https://github.com/pypa/pip/blob/21752556f1e8353dc6eec2d9154522eda950c27c/src/pip/_internal/utils/setuptools_build.py#L32 https://github.com/pypa/pip/blob/fe9e63e58df51bc6aa4ff6b3844c2da58f72cf77/src/pip/_internal/req/req_install.py#L453

yes, this was a bug in the setup.py script and it was using the legacy setuptools build ... but maybe setuptools should be setting __file__ to an abspath, given that most __file__ are abspath?

PR here https://github.com/pypa/setuptools/pull/3795

@lusty dome ran into this lovely issue https://github.com/pypa/setuptools/issues/3797

So... I'm looking at the packaging failure and wondering: can we have hashcmp not attempt to parse the version, and use the raw string?

That would avoid the pkg_resources's resolve from trying to parse invalid versions in the environment while scanning, IIUC.

Assuming the string is normalised, probably

does anyone know the answer to this? https://github.com/pypa/setuptools/issues/3659#issuecomment-1315320204

encountered an interesting bug today 🙂 https://github.com/pypa/setuptools/issues/3808

History: The setuptools implementation predates Core Metadata, and the latter was intended as a formalised iteration of setuptools’s metadata “format” (it was just a key: value storage without any formal specification). But since the standard looks so much like the original, the implementation in pkg_resources was never updated

Oh actually I’m wrong, the old format did have a backing specification and it was based on RFC 822. (The part where implementation was reused and never changed is correct, I think)

lol

folding in RFC 822

it does not surprise me that caused a bug somewhere, though I am surprised somethign emitted that METADATA

when I was looking before I didn't see anything that actually folded long lines I thought

though maybe my memory is just bad

I remember folding was a problem back when Description was emitted as a field by some tools (setuptools?) instead of the message body

But very few people really care reading Description so the disturbance was minimal

it's problematic because you can't actually unfold Description

except one of the PEPs implemented a different folding mechanism than RFC822

https://giphy.com/gifs/dumpster-fire-floating-853jNve3ljqrYrcSOK

the thing that emitted that METADATA was my own tool https://github.com/hauntsaninja/change_wheel_version i assumed from reading the spec page that using email.parser.BytesParser(policy=email.policy.compat32).as_bytes() to write out METADATA would be kosher

Ah

I think your METADATA is valid FWIW

I was just surprised because I thought I knew all of the oddball behaviors of the various main tooling, and assumed it was one of those

while it is an interesting bug, when you have a version string that long, I think the problem is not in the tool 🤣

Technically the bug exists regardless of the length of the version string, because RFC822 doesn't require folding in any case, so you can fold for a one character version number and that's valid

the use case at work is valid. we want to include git branch name, commit and versions of some build deps (like cuda version) in the wheel's local version. (only mentioning since there's a sort of worrisome trend in python packaging to roll eyes at long tail use cases)

As a German, this is my constant struggle. When I talk in (what is in German) sober and factual language, American ears sometimes interpret it as unfriendly lol.

This has always fascinated me, once I realized what was going on. There must be something about German sentence structure that, when English is templated into it, comes across as aggressively blunt.

In Poland we sometimes joke that "I love you" in German can sound like "shoot to kill" order

Oh, huh...it's not just English, then?

yeah probably (I think we should go to #off-topic if we want to continue this topic)

Wow

it looks when doing an editable install for some package, setuptools will remove random other things from easy-install.pth if they happen to be on PYTHONPATH

is this a bug?

aha, i think it's https://github.com/pypa/setuptools/issues/1005

whats the correct way in setuptools to have a importable backend helper, it seems to me like i need to import whats in build_meta + add own attributes to make things work (all i really want to do is add a version attribute in setuptools_scm )

@dreamy urchin is there any way to tell setuptools that an extension depends on the specific interpreter version?

basically I want to pin the interpreter version, eg. if CPython 3.11.2 is being used to build, set CPython 3.11.2 as a requirement

I am trying to make Cython correctly set the interpreter dependency when it uses the CPython private API

Hi Filipe, not sure if I understood the question right, but here it goes... The part of setuptools that builds C-extensions is still something I don’t understand completely, but as far as I know, setuptools requires python_requires (or requires-python for pyproject.toml) to be specified at distribution level, and there is no method for "feedbacking" it from ext_modules.

Maybe you could do something using the setuptools.finalize_distribution_options hook to set python_requires? (https://setuptools.pypa.io/en/latest/userguide/extension.html#customizing-distribution-options)

(Or if you just want to use for single package, tlyou could try calculating python_requires in your setup.py).

Sorry Ronny, just seing your message now. Don't setup.py work for you in order to define version?

i'm trying to completely get rid of the file to avoid old/broken setuptools, it seems that i have to import all of the build backend of setuptools to a own build backend file to enable that

https://github.com/pypa/setuptools_scm/blob/main/scm_hack_build_backend.py

in combination with https://github.com/pypa/setuptools_scm/blob/main/pyproject.toml#L105 works

but its ugly

Ok, yes, if you want to completely obliterate setup.py that makes sense.

Yeah, sorry, I don't think I have a better answer than the approach you are doing for the time being.

In the long run, I really want to make it possible to allow customizations to be loaded directly from the pyproject.toml spec as "in-repo" plugins.

similar to hatch custom plugins?

I admit I don’t know a lot about how hatch works internally :’)
What I had in mind is just to re-use the same kind of entry-points that setuptools already has defined (e.g. setuptools.finalize_distribution_option) but exposing it in a way that it can be used directly from the project itself without requiring an installation to expose entry-points.

Reminds me, it would be nice if there was a general import meta hook that provided Metadata from pyproject.toml to editable installs

@dreamy urchin can setuptools be made to only consider entrypoints from build requirements when using pyproject.toml
In particular when using extras

Setuptools_scm file finders needs a way to opt out /in

yep, I think finalize_distribution_options is exactly what I need

but it turns out the Cython situation is more complicated...

I am afraid I don't have a solution for that in mind 😓 . Would you like to propose a low-level design/implementation strategy?

oh, ouch 😔

currently setup-tools considers all available entry-points and plugins, i'd like to be able to opt in/out of some of them

so that for example if setuptools-scm declares a file-finder hook with the extra find-files, setuptools would only consider it if that extra is asked for in pyproject.toml as well

aka

[build]
requires = ["setuptools-scm[find-files]"]

would be required to make it consider the plugin entry-point

smc-files = "the:name[find-files]"

that sounds very challenging, specially because there is no built-in support in importlib-metadata and pip for handling/filtering the extras part in the entry-point specification grammar (as far as I know).

But just because I don't have a clue on how to start supporting that, it does not mean it is impossible...

it has quite a few pitfalls

do any maintainers here have opinions on this? https://github.com/Supervisor/supervisor/pull/1578#issuecomment-1452617275

if you feel strongly about it but not ready to use the word deprecated, it would be very helpful if an actual maintainer commented "don't use that"

for context, at work we are trying to remove runtime dependence on setuptools and this is the very last transitive dependency that uses it...

@dreamy urchin @lusty dome I think the two maintainers that could chip in

Might want to check if they would be OK with hiding this in a internal module that makes setuptools unnecessarily on py39+

My personal opinion is that importlib.metadata is a better and faster way of dealing with entry-points. But I think we are only going to officially deprecate pkg_resources usage directly a setuptools installation once we find out a way of untangling the codebases... (Maybe Jason has other ideas about). I am not sure if the plan after that is to ressurect pypa/pkg_resources and distribute it independently from setuptools.

given that egg based installs are going out and pep517 based go in, the workingset features seem no longer needed

it may be a blessing to actually deprecate it and not planning to resurrect

@dreamy urchin would you be comfortable adding a comment there, as a maintainer, saying that? even though I'm involved in packaging and know our plan, that person does not really know that and it would appear to an outsider that since I am not a setuptools maintainer I lack context

Hi @robust yarrow, let's see if Jason has other plans. Otherwise I am happy to share my toughts directly on the linked issue.

One way to eliminate the complexity and conditionality is to use the backports unconditionally. Another way is to move the conditionality into a single private module so it only happens one (see Setuptools._importlib). Users are encouraged to move off pkg_reapurces asap and not wait for stdlib versions to sunset.

Users are encouraged to move off pkg_resources asap
would you mind adding a comment there saying that?

@robust yarrow Jason is preparing a PR with the oficial deprecation.

oh awesome!

Is pkg_resources gone in 2 setuptools releases?

Setuptools does not specify a "deprecation warning 2 releases in advance" policy.

We managed to remove/delay pkg_resources imports in the critical path recently. Now it is only used for legacy builds. (Although since it is a separated codebase pypa/wheel might still import it in bdist_wheel).

The complete removal is going to be more viable after pip 23.1 adopts --use-pep517 by default, but we still need to discuss that in detail.

(And check which circumstances that might affect existing projects. E.g. how long do we have to support if users call pip with --no-use-pep517?)

The use in bdist_wheel is minimal and could be removed nicely

legacy as in just setup.py install or also the default behavior for pep517 (__legacy__ hook)?

Legacy as in python setup.py install

(Or develop and other commands)

at work we are experiencing an issue where merely importing the vendored distutils increases RSS by 10 MB whereas the one from the standard library does not. does anyone happen to know why?

A complete guess would be that the distutils hack is causing problems

it looks like that does some shenagins where it deletes distutils from sys.modules then inserts the vendored copy

I wonder if something is causing that to happen multiple times

Actually it's a bit of a pain because there's no importlib.metadata on python 3.7: https://github.com/pypa/wheel/pull/508

Not long left on 3.7 support

Ends in 3 months and 2 weeks
(27 Jun 2023)

The plan is to drop support for setup.py install entirely in pip 23.1.

We keep setup.py develop in pip for now.

We keep setup.py bdist_wheel too. Or is it identical to what the default build backend does?

The main difference of the default backend is that it inserts cwd at position 0 to sys.path.

develop is completely incompatible with PEP 660. We simply could not reuse it.

https://github.com/pypa/wheel/pull/508#event-8723901995 and pkg_resources is gone from wheel

That isn't a difference. That mirrors the behaviour of the setup.py bdist_wheel approach (the sys.path[0] changes were made since we got feedback that the (now non-legacy) setuptools build-backend removed that to prevent importing modules and that broke people.

Exactly that is the difference between the legacy and the non legacy backends that I was referring to

(They do differ in only this aspect)

Ah, nvm me then. Language is hard and I read what you wrote differently!

Thanks @dreamy urchin @nimble bridge . So this means it should be safe for pip to use the default build backend instead of calling setup.py egg_info + setup.py bdist_wheel.

I mean, as safe as Hyrum's law would allow.

@dreamy urchin is there a way to add a build time plugin to setuptools (so that writing the version file of setuptools_scm can be deffered from config time to build time

If the idea is just to add a version.py or VERSION.txt file somewhere, I believe it should be possible to add a custom build step.

Right now, you can use finalize_distribution_options to modify the cmdclass and build.sub_commands to do it. In the future, I want to introduce a dedicated setuptools.build_steps entry-point for that.

I made an example last year for custom build steps using this methodology: https://github.com/abravalheri/experiment-setuptools-plugin (but it might not be super complete, e.g it does not support editable installs). Jason also has some toy examples.

Btw, if any one would like to bike-shed https://github.com/pypa/setuptools/pull/2899#issuecomment-1446766906, I think that would be very useful. I am not 100% sure about the design of this feature.

Looks interesting, I'll tinker with it later, thanks

Now that pkg_resources is deprecated, what to do about: https://packaging.python.org/en/latest/guides/packaging-namespace-packages/#pkg-resources-style-namespace-packages

If you are creating a new distribution within an existing namespace package that uses this method then it’s recommended to continue using this as the different methods are not cross-compatible and it’s not advisable to try to migrate an existing package.

Also the recommendation here is now outdated: https://packaging.python.org/en/latest/guides/packaging-namespace-packages/#creating-a-namespace-package

This method is recommended if you need compatibility with packages already using this method or if your package needs to be zip-safe.

I think pkg_resources style namespace packages are natively supported on Python 3?

No you can't mix and match them

You need to upgrade all packages to use implicit namespace packages simultaneously

See https://github.com/zopefoundation/meta/issues/194 where the pkg_resources deprecation is causing a bit of pain

I guess it’s not too difficult to pull that code out yourself, declare_namespace_package is essentially implementing a custom module loader

(And zip-safety is not a thing now either)

I'm saying the docs need an update, but I'm not too sure what that is

Right

can you make that suggestion on the issue?

The zope one?

Oh this is already deprecated https://github.com/pypa/setuptools/blob/main/pkg_resources/__init__.py#L2338

Where's the repo for the packaging guide?

IIRC it’s somewhere under pypa

Actually the code looks like it needs state in pkg_resources for every call so I don't think you can make it work with pkg_resources and a custom extraction at the same time, so you're back to the same issue

https://github.com/pypa/packaging.python.org/issues/1222

Could the setuptools namespace package implementation be changed so that it becomes compatible with pkgutil-style packages? This would make it easier to transition away.

Should references to zip_safe be dropped from the packaging guide?

declare_namespace only gets the __name__ and not the __path__ so it probably can't be made compatible

Maybe you could finagle it by walking up the stack? 🤷‍♂️

Hmm I don't think that's going to fly

@haughty bramble this will need a compatibility package that moves namespaces to Metadaten +pth files first, then turns optional after all calls are removed

?

to elaborate, there is need for a meta package that declares old style namespace in a no files used manner while pkg_resources is installed/depended uppon, but have it as optional dependeny, then once nothing has it, it wont be installed and wouldnt be used anymore

@haughty bramble, Jason commented in https://github.com/pypa/setuptools/pull/3434#issuecomment-1435697632 that it might be possible to do a staggered migration. Maybe we just need an experiment that demonstrate that.

In that case, isn't it the case that projects could just simply start removing __init__.py?

My understanding is that the old way and the new way are kinda mutually exclusive

(at least when trying to be multi location compatible)

Ok, we need an experiment to verify that

I believe the key difference is that with setuptools namespaces one needs to invoke the fixer on every sys.path change, with the pep it's no longer necessary, let me validate

Hmm, based on the pep, it's actually OK to drop the files

could add some mixes to https://github.com/pypa/sample-namespace-packages

actually there's a test for it https://github.com/pypa/sample-namespace-packages/blob/df7530eeb8fa0cb7dbb8ecb28363e8e36bfa2f45/noxfile.py#L79-L88

so it looks like there is a pathway upgrade to pkgutil then once that's all done upgrade to pep420

which fixer?

Namespace pth files that make setuptools propagate workingset changes to namespaces

you mean setuptools or pkg_resources?

Thank you @haughty bramble , based on the existing tests, I removed the deprecation calls and added a cross_pep420_pkg_resources:

sorry discord suggested I make a thread and I thought it would pull the 4 messages in the chain inot a thread

wait some fail?

are they xfail?

Mixing editable with non editable seem to fail

maybe mark the broken editable mixing as xfail and document it?

(I am testing the default editable mode in setuptools, which I believe will use MetaPathFinder for these examples)

is that different to the PEP 660 mode?

newer setuptools will always use PEP 660

(newer pip may not even support editable installs without it)

23.0 still does the old setup.py develop if there's no pyproject.toml

If the project maintainers are happy to live with the limitations, I suppose staggered migration directly from pkg_resources to implicit is an option.

what are the limitations then we can document it on the packaging tutorial rather than advising against it

Yes, but I suspect that if you have pyproject.toml it will not. pip 23.1 may change this behaviour (it is supposed to always use PEP 517).

I replied to the zope thread with https://github.com/zopefoundation/meta/issues/194#issuecomment-1470346176

From this experiment (Ubuntu 20.04, Pytho 3.7):

• Editable installations with mixed namespaces may not work

2 months left on pytho 3.7

I will try to commit this change and make a PR later this evening

I don't think the internals of the import system change that much, but I can bump the script to Python 3.8

probably worth a matrix with 3.8-3.11

how long does it take to run?

a bit, let me time it

The main problem is to process the resulting data later into a nicer table 😛

Oh, wait, they might already have a tool for that

I will wait until this round finishes and try again

= 8 min in my machine.
But I would like to introduce the checks inverting the order as well, so probably more than that.

are you adding a test for all three in one environment?

These are the ones it runs in 8min: #setuptools message

I want to add installing legacy pkg_resources first and then pep420 (inverting the order).

Python 3.11.2 (main, Feb  8 2023, 14:49:25) [GCC 11.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import itertools
>>> list(itertools.permutations(("native", "pkg_resources", "pkgutil")))
[('native', 'pkg_resources', 'pkgutil'), ('native', 'pkgutil', 'pkg_resources'), ('pkg_resources', 'native', 'pkgutil'), ('pkg_resources', 'pkgutil', 'native'), ('pkgutil', 'native', 'pkg_resources'), ('pkgutil', 'pkg_resources', 'native')]
>>> 

I will focus my work here on experiments that help moving away from pkg_resources (preferably into pep420). If anyone wants later to add tests for combinations of the 3 of them, that is fine, but I think for now the more pressing matter can be simplified down to 2x2 combinations.

when I install zope.interface I don't get a zope/__init__.py

it's just a native namespace package on a pip install of the wheel

In this comment https://github.com/pypa/setuptools/pull/3434#issuecomment-1435697632, Jason mentions "in my experience in typical pip-installed environments (which strip the init.py for pkg_resources-managed namespace packages anyway) ...".

That might be the case. I don't know how this mechanism works

if I look at https://files.pythonhosted.org/packages/fb/a7/4e2a58146d909115e102ce4038e3e8672f566174c55d8fa75325151b11fb/zope.interface-5.5.2-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl

there's no zope/__init__.py in the whl

but I do get import sys, types, os;has_mfs = sys.version_info > (3, 5);p = os.path.join(sys._getframe(1).f_locals['sitedir'], *('zope',));importlib = has_mfs and __import__('importlib.util');has_mfs and __import__('importlib.machinery');m = has_mfs and sys.modules.setdefault('zope', importlib.util.module_from_spec(importlib.machinery.PathFinder.find_spec('zope', [os.path.dirname(p)])));m = m or sys.modules.setdefault('zope', types.ModuleType('zope'));mp = (m or []) and m.__dict__.setdefault('__path__',[]);(p not in mp) and mp.append(p) in zope.interface-5.5.2-py3.11-nspkg.pth

Should the namespace_packages kwarg in setuptools.setup be deprecated?

Oh it already is, I just missed the warning for it: SetuptoolsDeprecationWarning: The namespace_packages parameter is deprecated, consider using implicit namespaces instead (PEP 420).

https://github.com/pypa/sample-namespace-packages/pull/22

this is very helpful, thank you

What reads namespace_packages.txt in .dist-info?

pkg_resources will read this file and "pre-declare" any registered namespace

Ah thanks it's here https://github.com/pypa/setuptools/blob/main/pkg_resources/__init__.py#L2868

Is setuptools going to deprecate bdist_egg any time soon?

are they already? https://setuptools.pypa.io/en/latest/deprecated/commands.html#bdist-egg-create-a-python-egg-for-the-project says:

bdist_egg - Create a Python Egg for the project

Warning
eggs are deprecated in favor of wheels, and not supported by pip.

True, but it's not clear what "eggs are deprecated" actually means. The bdist_egg command itself doesn't seem to be deprecated, and there's no warning when you run it.

Users are implored to stop using them and migrate to wheels

Most default workflows with modern tool no longer create eggs

Most setuptools related workflows that use them are deprecated in favor of pep517

What's left is stuff like the zope ecosystem or certain enterprise deployment setups that still use the old formats

If you prefer, please open an issue/pr to add a deprecation warning there. It looks like an oversight.

Given that using .egg files is deprecated, there is no reason for producing such files to not be considered deprecated...

https://github.com/pypa/build/issues/595#issuecomment-1485293015 - can someone move this issue to the setuptools tracker?

I tried to but wasn't able to, even though I should have triage permissions

@dreamy urchin are you able?

I suppose you need permissions in both repositories to transfer (so I also cannot do that)

i'm trying to make it easier to install platform & accelerator-specific torch libraries for a source-only application via an invocation like pip install -e .. i see that dependency_links has been deprecated (or removed?) and as a workaround, my goal is to simply append requirements in the form of

"torch @ https://download.pytorch.org/whl/cu117/torch-1.13.0%2Bcu117-cp310-cp310-win_amd64.whl"

is there a pre-existing, possibly private, function that can generate those urls, provided an index url, package name and a version, inferring /enumerating the index, inferring the platform and inferring the version of python?

i do not want to reinvent the wheel here, so i'm hoping someone familiar with setuptools internals can suggest how to approach this

i might also be wrong, and find_links may just work when passed as a karg to setup? this would simplify things

Sorry @high talon if there is something like that, I am not familiar with it.

do you have any suggested approach for what i am trying to do here?

i might also be wrong, and find_links may just work when passed as a karg to setup?
In non-deprecated usages, setuptools is not used to install anything, so the find_links option has no meaning for setuptools

Since its version 19.0, released on 2019-01-22, pip ignores the setuptools options dependency_links is what stackoverflow says, which is why ididn't try, but is that actually true?

sorry i meant dependency_links, which i can see from the source is concatenated into find links

TL;DR all the support in setuptools for things like find_links or dependency_links is deprecated, if not already removed.

hmm, i understand that, and you can see i am authoring a workaround

I think the best workaround is to create a repository proxy

i suppose if the user is already going to do

python setup.py install

i can invoke pip with the --find-links command directly

Perhaps you need to explain what you want a bit better, maybe with an example of your expected output.

or simply pass the dependency as a PEP 440 direct URL (https://peps.python.org/pep-0440/#direct-references)

standby

yes, this is what i am trying to achieve in a compliant way, but i find myself reinventing features of setuptools/distutils/packaging

i am doing two things

1. trying to author a single, easy to invoke script that installs a repo - a torch-based application - into the current virtual environment editably. the script will infer platform features like CUDA versus ROCm support and install the correct version of torch for the user's platform.
2. trying to not revisit the long discussions about how or why find links was deprecated, etc. etc., since none of this is going to be published to pypa.

it would be great if i could author a setup.py that is compatible with pip install [-e] [.|https://...]

Sounds like a proxy package repository is indeed your best choice (or maybe no proxy is needed at all? Pytorch already has a pretty compliant release page)

okay, but the proxy would still need to be passed to dependency_links, which is removed, so i'm back to my original issue

i am trying to avoid asking the user to do anything arcane...

it would be great if i could author a setup.py that is compatible with pip install [-e] [.]
Does "creating a sdist-only" meta package works for you?

Sounds like a script like this would work pretty well?

subprocess.run([sys.executable, "-m", "pip", "install", "--find-links", pytorch_url, "-", *requirements])

And your users can simply call python install.py to run it

E.g. a package that only has a setup.py file that contains the logic to dynamically populate install_requires (https://setuptools.pypa.io/en/latest/references/keywords.html#keyword-install-requires)

i'm not sure how that would encode the logic of selecting an accelerator-appropriate package. the purpose of this madness is to automate the selection of accelerator-appropriate packages for the machine that is running the installation, in a way that is as compatible with pip without extra commands as possible

yes, this is what i'm leaning on, but if i pip install this package with the setup.py you are suggesting, will pip correctly invoke the setup.py?

If you are calculating install_requires dynamically anyway, you could split back an array of PEP 440-compliant direct-url dependencies.

But why do you want to pip install the package?

another package might be a plugin for this one

yes, that's what i was investigating before messaging you guys, and then saw the madness of trying to determine these URLs

The plugin can be a package, but your code doesn’t need to be, from what I can tell

i felt like i was reinventing setuptools so i knew i was doing something wrong

that's true, but there is immense simplicity in supporting pip install [-e] a_github_url

everything becomes much easier - CI/CD, developer expectations, etc.

there are maybe 100-1,000 applications torch-accelerated right now, maybe 10 new good ones being authored every week, so there is a very high value in figuring out how to use torch correctly with the wider python packaging ecosystem. for what it's worth, poetry has explicitly determined to not solve this problem, so i really appreciate your assistance here

I think one of the fundamental point setuptools tries to make from removing dependency_links and others is exactly not every piece of distributed code should be an installable library, and your code likely should not be an installable library if it needs these features

well if pip will transitively invoke subprocess.run([sys.executable, "-m", "pip", "install", "--find-links", pytorch_url, "-", *requirements]) because it's in a setup.py, i think my problem is solved

and this will become the authoritative way to solve this looming issue for thousands of developers

then saw the madness of trying to determine these URLs
Um, I am not sure what you mean by madness... If you are thinking about how to calculate tags, maybe you can have a look on the API for packaging.tags https://packaging.pypa.io/en/stable/tags.html

The “problem” is pip does not allow you to do that unless you do some very clever tricks to fool it 🙂

i mean reinventing the generation of the url https://download.pytorch.org/whl/cu117/torch-1.13.0%2Bcu117-cp310-cp310-win_amd64.whl from all my parameters

i am very interested in fooling pip!

like i can monkeypatch this eventually

i can also compute the URLs, i can reinvent the package-spec-to-url resolution process

One thing I’d caution is your users may not appreciate your clever tricks. With that said Python is just a programming language and obviously you are entitled to be able to do anything you want with a Turing-complete tool.

yes i agree. right now there is a lot of demand for clever tricks

i was really hoping i would not spend the rest of my afternoon doing this, but i think in order to avoid monkeypatching, maybe this is the only way. is there a good way to find out the "tag" for my current platform and python version to fill in Tag(python_version, tag_str, platform_name)

like my journey has taken me to

    canonical_pkg_name = canonicalize_name(package_name)
    tag = Tag(python_version, tag_str, platform_name)
    wheel_file_name = f"{canonical_pkg_name}-{version}-{tag}.whl"
...
    url = f"{repository_index_url}/{quote(wheel_file_name)}"

which like i said is reinventing things already in setuptools

The https://download.pytorch.org/whl/cu117/ part is definetely setuptools has no knowledge about...
Looking at the torch-1.13.0%2Bcu117-cp310-cp310-win_amd64.whl part we can see the trivial {dist_name}-{version} , a +{cpu} local version that is project specific (so setuptools also don't know about it), and then more -{python tag}-{abi tag}-{platform tag} which is something you can probably use packaging.tags for.

The template is {dist_name}-{impl_tag}-{abi_tag}-{plat_tag} and you can see how pypa/wheel uses it in https://github.com/pypa/wheel/blob/c87e6ed82b58b41b258a3e8c852af8bc1817bb00/src/wheel/bdist_wheel.py#L381

gotchyu

ideally there would be a method get_wheel_name(platform=None, python_version=None, ...) that would use the currently running machine's platform and python version by default

but i suppose that does not exist

If I am not wrong next(packaging.tags.sys_tags()) will give you a pretty specific tag, but I am not sure how pypa/packaging works... Definetely the correct tag is somewhere inside the iterable produced by packaging.tags.sys_tags().

before i embark on the "correct" approach, do you have any ideas for how to get pip install x where x declares a url package dependency https://github.com/my/package and transitively invokes a setup.py that correctly works around the find-links issue?

if you implement the hipotetical select_correct_tag, you can do:

tag = select_correct_tag(packaging.tags.sys_tags())
impl_tag, abi_tag, plat_tag = tag.interpreter, tag.abi, tag.platform

if that's not possible, just pip install URL would also be chef's kiss

right now it sounds like the clever trick is to install the package temporarily*, then somehow investigate the side effects to create a setup.py

pip install x where x declares a url package dependency
You can create an x package as a sdist-only metapackage, with a setup.py that dynamically computes install_requires as a list of PEP 440 direct references...

By "metapackage", I mean a package with no contents, which the only objective is to dynamically calculate dependencies.
(Please set setup(..., packages=[]) for that).

gotchyu

Not sure how PyPI will respond to that... But you may have to use some tricks to avoid the PKG-INFO to be populated with the dependencies for the machine you use to build your sdist

Of course, I agree with @river oak , that is pretty much something that is abusing the packaging infrastructure...

yes, i think this will never interact with pypi

🥺 it is very hard to ask pip programmatically to give me a list of packages that would be installed as though i had --extra-index-url passed

pip does not want to run recursively under dry-run. it would be great if i could just know where its lockfile / whatever is placed so i can move it temporarily and get the text result, then parse it.

Are you working on torch itself, or looking to use torch in an application that you're building?

i figured it out. i'm using torch in an application

that was quite the journey

my feedback is that if you are going to support "@ packageurl" you might as well support extra-index-urls / find-links in setup.py again

"""
The name of the package.
"""
package_name = "yourpackage"

"""
The current version.
"""
version = '0.0.1'

"""
The package index to the torch built with AMD ROCm.
"""
amd_torch_index = "https://download.pytorch.org/whl/rocm5.4.2"

"""
The package index to torch built with CUDA.
Observe the CUDA version is in this URL.
"""
nvidia_torch_index = "https://download.pytorch.org/whl/cu118"

"""
The package index to torch built against CPU features.
This includes macOS MPS support.
"""
cpu_torch_index_nightlies = "https://download.pytorch.org/whl/nightly/cpu"

"""
The xformers dependency and version string.
This should be updated whenever another pre-release of xformers is supported. The current build was retrieved from
https://pypi.org/project/xformers/0.0.17rc482/#history.
"""
xformers_dep = "xformers==0.0.17rc482"

def dependencies() -> [str]:
    _dependencies = open(os.path.join(os.path.dirname(__file__), "requirements.txt")).readlines()
    _alternative_indices = [amd_torch_index, nvidia_torch_index, cpu_torch_index_nightlies]
    session = PipSession()

    index_urls = ['https://pypi.org/simple']
    # prefer nvidia over AMD because AM5/iGPU systems will have a valid ROCm device
    if _is_nvidia():
        index_urls += [nvidia_torch_index]
        _dependencies += [xformers_dep]
    elif _is_amd():
        index_urls += [amd_torch_index]
    else:
        index_urls += [cpu_torch_index_nightlies]

    if len(index_urls) == 1:
        return _dependencies

    try:
        # pip 23
        finder = PackageFinder.create(LinkCollector(session, SearchScope([], index_urls, no_index=False)),
                                      SelectionPreferences(allow_yanked=False, prefer_binary=False,
                                                           allow_all_prereleases=True))
    except:
        try:
            # pip 22
            finder = PackageFinder.create(LinkCollector(session, SearchScope([], index_urls)),
                                          SelectionPreferences(allow_yanked=False, prefer_binary=False,
                                                               allow_all_prereleases=True)
                                          , use_deprecated_html5lib=False)
        except:
            raise Exception("upgrade pip with\npip install -U pip")
    for i, package in enumerate(_dependencies[:]):
        requirement = InstallRequirement(Requirement(package), comes_from=f"{package_name}=={version}")
        candidate = finder.find_best_candidate(requirement.name, requirement.specifier)
        if any([url in candidate.best_candidate.link.url for url in _alternative_indices]):
            _dependencies[i] = f"{requirement.name} @ {candidate.best_candidate.link.url}"
    return _dependencies

setup(
    # "comfyui"
    name=package_name,
    description="",
    author="",
    version=version,
    python_requires=">=3.9,<3.11",
    packages=find_packages(),
    install_requires=dependencies(),
)

here is a working snippet

@nimble bridge i guess i have more feedback. based on the other proposals i'm seeing about packaging, and my experience with poetry and doing something sophisticated with pip:

• you are reinventing setup.py in configuration files.
• python is a serialization format.
  i think you know this and the maintainers agree. it's tough. you get these security asks about boms or whatever that are impossible. then it's impossible to persuade devs at bigcorp who "just" want things to "work". many audiences, no one perfect solution.
  looking forward to making useful contributions in the future. i will post my snippet for the torch end users!

FWIW, I see that you're using pip's internals -- that's not supported and can (will) break arbitrarily at any time.

yes, i've updated this snippet since to better support the different pip versions in the wild

Nice work with modernizing setuptools! I've been a flit user for ages now, but moments ago I needed a backend that was a bit more powerful. I didn't really feel like learning how to configure hatchling so I decided to give setuptools a(nother) whirl. The docs are pretty good (minus the unavoidable pre-PEP517 cruft) and getting my package to work was dead simple:

[build-system]
requires = ["setuptools >= 61.0.0"]
build-backend = "setuptools.build_meta"

[project]
name = "dobackup"
authors = [
    {name = "Richard Si", email = "sichard26@gmail.com"}
]
classifiers = [
    "License :: OSI Approved :: MIT License",
    "Development Status :: 4 - Beta",
    "Programming Language :: Python",
    "Programming Language :: Python :: 3 :: Only",
    "Programming Language :: Python :: 3.8",
    "Programming Language :: Python :: 3.9",
    "Programming Language :: Python :: 3.10",
    "Typing :: Typed",
    "Private :: Do Not Upload",
]
license = {file = "LICENSE.txt"}
dependencies = ["click >= 8.0.0", "rich >= 10.14.0"]
requires-python = ">=3.8"
dynamic = ["version"]

[tool.setuptools]
py-modules = ["dobackup", "gcrepos"]
dynamic = { version = { attr = "dobackup.__version__" } }

[project.scripts]
dobackup = "dobackup:main"

[project.entry-points]
"lily.tools" = { dobackup = "dobackup:main", gcrepos = "gcrepos:main" }

I'm really glad to see pyproject.toml be treated as a first-class citizen by setuptools now.

IKR!! Preocts showed it [setuptools] to me when I was asking for a new PEP-517 backend. I, like many others, thought it was going to be discontinued after the PEP, but it’s still alive and well, and still the simplest way to just get a package setup.

setuptools also has the advantage of being such an old player, I'd be able to package a setup.py based project without issue even to this day

why do namespace packages in the current directory take precedence over pyproject.toml editable installs but it's the other way around for legacy setup.py editables eg https://github.com/graingert/python-path/blob/bd3e3207826c31addaae1f65cdcdfcd6b3e1823e/demo.py#L39-L42

I originally misdiagnosed this as a pip issue and there's some messages in #pip #pip message

https://github.com/pypa/setuptools/blob/main/setuptools/command/editable_wheel.py#L521 hmm it's intentional

Oh, that's the Python import system being wonky.

And the fact that cwd is always on sys.path before everything else.

Yeah, when I was investigating this, I reached the conclusion that Python import system will treat packages provided by MetaPathFinders and PathEntryFinders differently than packages in sys.path... No clear why or how.

You can try pip install -e . -C editable-mode=compat (pip 23.1.1) to try the previous behaviour

I’d recommend using PYTHONSAFEPATH / -P (https://docs.python.org/3/using/cmdline.html#cmdoption-P) or isolated mode (I: https://docs.python.org/3/using/cmdline.html#cmdoption-I) for subshelling.

I think I found a work-around: https://github.com/dask/distributed/pull/7804/files#diff-50c86b7ed8ac2cf95bd48334961bf0530cdc77b5a56f852c5c61b89d735fd711R65
maybe it's actually a setuptools bug? /cc @robust yarrow

You mean the fact that "." makes setuptools use the same code path as compat mode is a bug?

Probably that is an edge case that was not considered and could be fixed... it would ruin your workaround though 😛

it seems include-package-data=True stops working when I do this though

@haughty bramble are you sure versioneer is required in your case?

pretty sure https://github.com/dask/dask/issues/10151

unless there's a way to support __git_revision__ in hatch-vcs?

there may be a hack to combine the metadata hooks that add extras with the custom version file writing there, but fingers crossed on that one

@dreamy urchin any recommendation for deferring setting the version attribute and writing a file containering version metadata until after keywords and options happened

I don't think right now there is a entrypoint for that. If I am not mistaken setuptools.finalize_distribution_options runs before parse_config_files.

Am I understanding it at least correct that runs after keywords?

The entry-points for setuptools.finalize_distribution_options will run after the keyword arguments of setup.py are processed (but before setup.cfg and pyproject.toml are processed).

That is how it works nowadays

@dreamy urchin where should i put the data of a keyword so that the finalize hook can use them correctly?

Does something like getattr(dist, keyword, None) work for you?

🤦‍♂️

I believe right now setuptools might be doing setattr(dist, keyword, value) in setuptools.Distribution.__init__ for all entry-points defined in distutils.setup_keywords

Sorry, I am not sure if I understood your questions...

@dreamy urchin for some reason i was under the misconcpetion that its not automatically added since a while

By looking at the code, it looks like it is implemented like that. Please let me know if you find problems

hmm i messed up there, ^^ it will all work out

Hey @dreamy urchin , is there a plan for when the Setuptools-specific config will be officially declared out of beta, and are there plans to change it before then? It seems that its been giving a fair number of people pause in adopting pyproject.toml-based metadata as a whole, so I was curious what the plan was to move forward on that (so I can help inform interested users accordingly). Thanks!

Given that I did not receive many proposals in how the configuration on pyproject.toml should be different from setup.cfg, it should be fine to keep them similar. So I think we can move it out of beta soon (I will probably wait a little bit as I want to see if the latest release affected many people).
However, my plan is to still keep some reservations on the docs:

So it should be fine for people to use [tool.setuptools.packages.find] or [tool.setuptools.package-data], but I don't think people should be using [tool.setuptools.eager-resources]...

I also don't think that [tool.setuptools.dynamic] dependencies = {file = requirements.txt} should get out of beta soon. There are a bunch of corners to polish (specially with optional-dependencies)...

https://github.com/pypa/setuptools/pull/3962

Sounds good! Thanks, @dreamy urchin !

FWIW, I don't think I've ever seen eager_resources used in the wild (in setup.py, setup.cfg or pyproject.toml, and in fact, a grep.app search: https://grep.app/search?q=eager_resources&regexp=true&case=true&filter[path.pattern][0]=setup.py reveals only 5 total usages in setup.py, 0 in setup.cfg and 0 in pyproject.toml on all of GitHub.

By contrast, I have seen zip_safe widely used, at least in the former two; I'm assuming it just gets cargo-culted and I'm not sure people were aware it only applied to eggs—even I wasn't, until recently when I read that table in the docs, despite having read of lot of Setuptools, distutils and related packaging docs. Indeed, there are over 11 600 total usages across GitHub in setup.py files alone per grep.app: https://grep.app/search?q=zip_safe&regexp=true&case=true&filter[path.pattern][0]=setup.py&filter[lang][0]=Python , 1400 in setup.cfg and 145 in pyproject.toml.

Interestingly, this is a decrease of an order of magnitude each time, and nearly 100:10:1; by comparison, there are 45 800 setup.py (with at least name ?=) to 8800 setup.cfg (with at least [metadata]) to 1900 pyproject.toml (with at least tool.setuptools), i.e. only a 25:5:1 ratio, so the relative usage decreases by nearly half with each, from 25% to 15% to 7.5% of each using zip_safe, respectively.

Well

"it only applied to eggs" is a slightly confusing

because it doesnt' mean only .egg files distributed on PyPI

because setuptools called the things that it installed onto the filesystem "eggs" also, which is why you had things like .egg-info (which predated .dist-info), .egg-link, etc.

So if you ever did something to cause setuptools to install your thing, you would get an egg

Common ways this would happen in the past:

• Doing setup.py install
• Using easy_install (no matter what the "source" artifact type was).
• Using pip install --egg before it was removed.
• Using setup,py develop or pip install -e (though this particular usage of eggs didn't affect zip_safe, because dev installs never zipped IIRC).

The first one is historically the big one

Does pyproject.toml even need to support zip-safe? IIUC, eggs are basically irrelevant now, so projects that are modern enough to use pyproject.toml shouldn't need this setting.

Thank you Donald. I changed the PR to also mention setup.py install in the table.
If anyone also would like to suggest changes, please feel free to send a PR review 🙂

They were left there so people could do a 1:1 translation from setup.cfg even in an automated form... But I agree that they are not that relevant, specially after we implemented PEP 660. Maybe in the future we can remove it (that is also why I am keeping the "reservations" on these fields and telling people to not use it).

is there any suggested way to render the current version into dependency names as well (context is wanting to port the toga project group to pyproject.toml, those currently invoke setuptools_scm directly as they have a few dozen packages that have strict version number interlinking and they render the version into both the actual version and a number of dependencies

There's nothing standards-based that would allow this, and someone else might have a better solution, but at least using Setuptools/setuptools_scm, the ways I can think of (which you probably also have) are:

• List dependencies as dynamic under tool.setuptools and either
  • Add a setting or custom hook to setuptools_scm itself to enable this
  • Or, write a separate custom Setuptools plugin (that runs after setuptools_scm) that injects the project version into the specified dep versions
  • Or, write the custom logic in a setup.py and define dependencies there
• Or, do it as a pre-processing step to generate a pyproject.toml with the injected version, via one of several means

Yeap I agree with CAM. They can migrate as much as possible to pyproject.toml and keep the programatic bits in setup.py (using dynamic accordingly).

Hi, apologies for using this server for support, but I'm not sure if I'm arguing with pip or setuptools.

I tried copying just my code and the pyproject.toml into my Dockerfile -

COPY requirements.txt .
RUN python -m pip install --requirement requirements.txt

COPY pyproject.toml src .
RUN python -m pip install .

And it sat on Getting requirements to build wheel: started until it timed out -

#11 [5/6] RUN python -m pip install .
#11 0.545 Processing /
#11 0.549   Installing build dependencies: started
#11 2.863   Installing build dependencies: finished with status 'done'
#11 2.865   Getting requirements to build wheel: started
Error: The operation was canceled.

But I changed it to copy everything and it succeeded -

COPY . .

With verbose logging it looks like it's stuck on -

#9 4.418   Getting requirements to build wheel: started
#9 4.418   Running command Getting requirements to build wheel
#9 4.554   /tmp/pip-build-env-hz7ahlkr/overlay/lib/python3.11/site-packages/setuptools/config/pyprojecttoml.py:66: _BetaConfiguration: Support for `[tool.setuptools]` in `pyproject.toml` is still *beta*.
#9 4.555     config = read_configuration(filepath, True, ignore_option_errors, dist)

But I don't understand exactly what it's reading.
I've listed every file in my project manually, including the .git folder, and it still gets stuck. AFAIU there shouldn't be any difference between listing all the files and just COPY ..
I... I'm sure I'm just missing something, but I can't see anything else that I would need. And I don't know why listing all files manually wouldn't have gotten it what it needed.
Can anyone see what I'm missing here?

pastebin of the pyproject.toml: https://paste-new.pythondiscord.com/ZA4A

Can you make a runnable example Dockerfile?

anyone aware of a setuptools plugin that adds files to a editable wheel or a wheel, but doesnt let them show in the source tree (unless inplace build is forced)

is there any suggested mechanism for making part of the project under build importable with setuptools, hacking together a own build backend that imports setuptools feels most gruesome, but is whats necessary with PEP621 atm

i'm using a custom setuptools extension to add to install dependencies. This extension cds into git submodules and gets their names and versions. It works fine when building sdist (srd distro), but bdist/wheel is built using the sdist in a temp directory, so my setuptools extension cannot cd into the git submodules.

How do I circumvent this issue?

Your custom extension could probably save the necessary information inside the sdist while building it.

As metadata? How?

I thought of writing to a file and adding that as metadata when building sdist. But the problem is that the same process is repeated when building wheel as well, so that's not a solution.

The idea is that you detect if the file already exists, and if so, you just use the information in it instead of doing Git stuff.

Oh, right. How do I add to metadata file when building sdist?

I don't mean the metadata file. I just mean a regular file, specific to your extension.

Will that be picked up by sdist tar.gz?

Lemme try.

I don't really know how to do it specifically in setuptools, but there must be a way to include a generated file.

There is a section in setuptools doc about dynamically defining additional metadata, but I haven't been able to make it work.
http://github.com/pypa/setuptools/blob/6083e18f4afc40316c0112134c205c336afbcdfd/setuptools/config/_apply_pyprojecttoml.py#L122-L125

I'll try. Thanks.

I don't think you should include this information in the project metadata, since it's for the project's own use, not external tools.

Okay. Makes sense.

This has a similar issue, though. It will skip doing the git stuff for sdist as well. So if the file exists, it will never be updated by python -m build unless the file's manually deleted. That's problematic.

Even the cwd changes to the temp directory when building wheel. Otherwise I could use the path.

I managed to circumvent this issue by using the env variable $PWD. The problem is, this env variable is absent in Windows. Any way I can set env variable once on python -m build so that I can get the env var when building wheel in the temp directory?

How would that work for someone building a wheel from the sdist (without the original Git repository)?

It won't work. But that's not an issue for me right now.

Then why are you even making an sdist? Just build the wheel directly.

How?

I just know python -m build.

build has an option for it, it's probably -w or something.

python -m build --wheel (-w probably works, too).

Thanks.

We've noticed a few packages in Debian are picking up the debian directory as a package (and nobody notices) if they use find_namespaces Here's an example with setuptools itself: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1041091#10. This directory is something that usually doesn't exist in upstream's source directory, but always exists in a Debian source package. I can't think of any way to reliably stop this from happening, without patching setuptools. (And setuptools has no built-in blocklist, so it feels wrong). Any thoughts?

I suppose we can consider changes to https://github.com/pypa/setuptools/blob/v68.0.0/setuptools/discovery.py#L183. However I would not like to get into a complex situation where we have a default blocklist but people want to re-use parts of the blocklist while allowing other parts[^2]... That can became a configuration hell quite easily and explode the number of configuration "knobs and levers".

If devs are relying on the auto-discovery, setuptools has a blocklist[^1], but if they want to customise find:/find_namespace:/find_packages()/find_namespace_packages() I think they should start from a blank slate (to avoid the explosion of knobs and levers I mentioned before).

Nonetheless, I was thinking about find_namespaces and find this morning (for a different reason) and I was wondering if it would make it easier to if we have a "convention over configuration" approach...
How about if we skip directories that have a custom marker (e.g. directories that contain a .skippkg file)? Would that make like easier?

For example in the setuptools repo itself we have to keep an eye on https://github.com/pypa/setuptools/blob/v68.0.0/setup.cfg#L32 everytime we rename a directory or create a new one. And sometimes we forget that. A file marker would make maintenance easier for that use case. Not sure if it helps in the case of a debian folder, unless there is a central template that devs are incentivised to copy from...

[^1]: I think we can have a PR to add debian to https://github.com/pypa/setuptools/blob/v68.0.0/setuptools/discovery.py#L213 (there is no debian package on PyPI right?)
[^2]: This is not far-fetched, people already asked me for that.

Ah, I there's the list I didn't know existed 🙂

There is python-debian on PyPI, but we can always explicitly declare the package name

Filed: https://github.com/pypa/setuptools/pull/4001

Thank you very much @bronze berry, just to clarify (so we don't have unmet expectations): the list works when people omit packages = , py_modules = and ext_modules = (i.e "auto-discovery" kicks in). If packages are using find:/find_namespace: in setup.cfg or find_packages()/find_namespace_packages() in setup.py, the probablem of including directories by mistake can still happen...

Yeah, it's at least a step in the right direction

find_packages should be safe, because there's no __init__.py

Thank you very much @bronze berry , I plan to cut a release early next week (probably in a couple of days). I can include the PR in that.

how do you include a custom directory in setuptools? i have an include directory for headers with an extension but it doesnt get copied to the build

Hi @vagrant patrol, please have a look on https://setuptools.pypa.io/en/latest/userguide/miscellaneous.html and https://setuptools.pypa.io/en/latest/userguide/datafiles.html maybe that helps.

Is the include directory internal to your package dir?

I'm seeing an issue where my setup script generates Python files while building native extensions, but when building with build with the setuptools backend these files don't end up in the final package. Is that by design?

Hi @thorn urchin, the answer is probably no, but it is hard to guess without a minimal reproducer.

I would recommend you checking:

1. Are all the necessary files present in the sdist? (see https://setuptools.pypa.io/en/latest/userguide/miscellaneous.html
2. Are all the build dependencies listed in the [build-system] requires list (inside pyproject.toml)?

If these questions are true and you still see the problem, please consider opening a new issue with a minimal reproducer in the Github repository.

Build is somewhat special in that by default it builds an sdist then builds a wheel from your sdist. It may be that building a wheel directly from your source tree works fine you can try this with build --wheel

But then you know that your sdists are broken and you probably shouldn't ship them

just wondering, are there any plans to merge distutils into setuptools, or will they stay separate git repos forever?

I think the grand plan is to migrate all necessary code from distutils to setuptools

I thought it already was
In https://github.com/pypa/setuptools/blob/main/setuptools/_distutils

the way it is now, it's more "vendored" than "integrated"

i`m observing the finalize options hook running before the version keyword when running setup.py - is there anything i can do about the order?

Hi guys. How I can introduce hook for setuptools.finalize_distribution_options in pyproject.toml for current project? So I don't want to introduce additional package like setuptools_scm, but define some script near pyproject.toml and call it for finalize_distribution_options inplace. Is it possible to do this?

nope 🙂 currently there is no mechanism for entrypoints only for the local build

setup.cfg will not work as well, right?

nope, entryponts come from installed package data, the package under build is not installed

(thats why setuptools_scm has to list version schemes and parse functions explicitly in its self-build)

Then, can I put folder inside build-system.requires? like "my-build-dep @ ./buildscripts"?

The problem I want to solve - read version and probably other project information from environment variables... Maybe there is already plugin exists.

Anyway, thanks for help, that clarifies things a little bit.

@simple quiver why do you want to override that way ?

(that setup sounds flaky without context)

As I mentioned - version. From environment variables. Maybe to add some custom CI logic(ultimately - just env variables).

but why env variables?

Commonly used in CI in other places of my pipeline, like CMake, etc. So it will be great to set single environment variable and forget about everything.

like whats the end goal there and why do you think the env vars are a good idea

so your projects would no longer build safely outside your ci ?

probably the best idea, since gitlab-ci globally set some variable with calculated version for whole pipeline and all jobs. So wherever package is referenced or installed or uploaded from particular pipeline, it will have good version.

I don't want that, so there must be(will be) fallback.

btw, for version, you could abuse setuptools_scm + the setuptools_scm_pretend_version env var to get there quickly

Have no idea what is the setuptools_scm_pretend_version , but probably will be easy to find in sources. Thanks for pointer.

But I want to achieve another thing - lets assume that I has package_a as arfifact of such pipeline, and package_b, that must depend on exact version of package_a from this particular pipeline. Can I specify project.dependencies = ["package_a == {project.version}"] ? Or this definitely will require new plugin?

this needs dynamic metadata, take beeware as inspiration

This one - https://beeware.org/project/ ?

yeah, it has a monorepo and does version linked releasing

Is there any other ways to intercept or modify setuptools data locally without introducing build separate plugin package like setuptools-scm?

Hi Ronny, sorry for delays:

setuptools.finalize_distribution_options is called via a setuptools.finalize_distribution_options hook itself. You can use the .order property to influence the execution order (lower goes first) - https://setuptools.pypa.io/en/latest/userguide/extension.html#customizing-distribution-options.

For local modifications the simplest way is setup.py.
It is a common misconception that the setup.py file itself is deprecated. The only part deprecated is treating it as a CLI tool.
setup.py is a perfectly fine configuration file (like other Python files are for other tools, like conftest.py, noxfile.py etc...).

You can combine pyproject.toml/setup.cfg + setup.py (provided you configure pyproject.toml's [project] dynamic accordingly if you are using pyproject.toml). Ideally you can keep all your static configuration in a declarative file such as pyproject.toml/setup.cfg and only use setup.py for the parts where custom programming is necessary.

FTR - is there a deprecation plan in place for the setup.py?
Or will it live on forever?

I've been tempted to make a setuptools plugin that pastes a setup.py out of pyproject.toml and reloads setuptools

_who would do such a thing _

Why should setup.py be deprecated? It's useful.

Until we get a declarative, PEPefied API for language extensions compilation, setup.py will be in use

Not that I am aware.

My personal opinion is that there is always going to be a valid use case where people need to derive some form of configuration programmatically. Not always static metadata is a good solution for every usecase.

Since setup.py is already there, people are already using it, I don't see much point in removing it completely.

There is value, though, in moving the static bits to a declarative format like pyproject.toml (E.g. other tools can read it, it does not require arbitrary code execution for bundling the distribution archive etc...)

Something that could make sense in the long run (my personal opinion again), would be introducing a "paranoid mode" (via an env var for example) in which end users concerned with arbitrary code execution could disable setuptools reading setup.py and also allowlist/denylist some plugins...

But that is just brainstorming... (And if we consider how wheels are published/installed may make less sense than simply having pip instroducing a flag to block installation from sdist)

Even after that...

I don't think it is possible to completely get declarative configuration for some complex (but still valid) use cases.

It really is precarious; the kicker is that when we look at something like aggregate behaviors of malicious programs in Python, the overwhelmingly vast majority of them either rely on runtime installation of malicious payloads (a la os.system('pip install <malware>') or perform their staging/execution within the setup.py themselves. Heuristics wise, it is exceedingly difficult to detect negative behaviors in setup.py versus some of the solutions that exist out there. So much so that we've more or less conceded that we'll always have a large number of positives from setup.py files and accepted that that's just the state of the ecosystem.

As it stands now, I'd say a solid 70-80% of our false positives are sourced from setup.py behaviors that require package specific exceptions be made in order for them to no longer be detected as such.

It would be great to have a documentation page explaining why declarative configuration should be preferred to setup.py. That would make it easier to convince project maintainers to switch.

https://blog.phylum.io/sensitive-data-exfiltration-campaign-targets-npm-and-pypi/
On cue, here's a demonstration of why, from a security perspective, setup.py is very concerning to us.
Arbitrary exfiltration of ssh and kubeconfig credentials, unilateral attack across ecosystems, etc.
We didn't catch this, fortunately Phylum did. Blanket detecting 'curl' commands in setup.py leads to an enormous amount of false positives; and trying to enumerate out all variants of curl commands (without just detecting the use of the word 'curl' directly) makes this incredibly difficult to programatically track. You can probably picture a world where '.kube' and '.ssh' aren't spelled out as clearly; or where obfuscated payloads or even simple string concatenation might be used to avoid this entirely.

I don't know, there's plenty of examples out there of how setup.py is being levied heavily to target developers and maintainers in order to further create supply chain issues.

While I agree that setup.py is visibly being used to do this, removing setup.py doesn't fix anything here. installing a malicious wheel is going to be just as devastating, and isn't difficult for attackers to go this route, they just haven't had to. It's also significantly harder to detect and analyze statically. There are good reasons to ship a binary in a wheel (it's kindof the purpose of those) and someone could easily have a non-malicious sdist with a malicious set of wheels that pip will prefer by default.

It is impossible to apply declarative configuration for all cases, and the possibility of a setup script will live on in that sense. Whether setup.py will serve the use case forever is another question but I don’t see the point for setuptools to deprecate it in favour of something else. If you want to create a new build script API you can just do it in a new build backend instead, why mess with setuptools at all 🤷‍♂️

Also, setup.py is not the only way of executing arbitrary code during the build process. Any backend that supports local "programatic" customisation will have the same problems (I believe poetry and hatch also support local customisation). Finally build dependencies (as in pyproject.toml's [project] requires = [...] array) also constitutes a form of injecting arbitrary code execution during build...

The best way of preventing those in the end-user's machine(as @indigo tide pointed out) is by using pre-built wheels.

The environment for building the wheels can be made more safe by isolation techniques (e.g. containers, vms, etc) + allowlisting/denylisting build dependencies. Introducing a "paranoid" mode in setuptools that blocks local code execution could be a way of improving that for people interested in repackaging distributions (as it is the case of OSs). Still it would be required for the repackagers to analyse case by case, because some distributions simply require heavy customisation to be able to be transformed into a wheel file, which is made possoble by setup.py.

except the wheel itself can contain a malicious binary that's placed in such a way that it's preferred over something that's near guaranteed to be imported, like typing_extensions, or even just malicious on top of the expected functionality of the package, I was not suggesting that pre-built wheels solve this at all, quite the opposite, that one of the very next places it could go if you push back on setup.py is it can just stop happening at install time and happen at import instead.

the real answer is don't install packages without vetting them first and (unfortunately) there are bad actors out there, so we need people policing for malice

Yeah that is true.

Pre-built wheels just solve the problem of "arbitrary code execution at installation time", but in the Python ecosystem you can have arbitrary code execution at import time.

Any central third party package distributor is arbitrary code execution as a service basically

@sullen prawn speaking of this line of thought, I'd like to bring something to anyone playing defense's attention in case it isn't already on people's radar's prior to a post I intend to make some time next week. It's not a vuln or disclosure process for that would be pretty clear, it's a means and methods thing, but it may be worth balancing the "this should be publicly discussed" with "make sure people playing defense are already considering this", lmk if you have a preferred place to discuss it if you're open to it, DMs here fine if that's fine too.

You can fire me a DM at your convenience!

Good discussion in the above; I concur that vetting your dependencies is highly relevant, but in the same vein, the exponential nature of SBOMs to inflate themselves in any real code base makes ensuring that you’re using secure code incredibly difficult. I get the point— building your own deps from the sdist has an inherent level of risk; but there is a real world scenario where that action could occur in a manner entirely occluded to you the package user; in other words, you could be installing a wheel for “selenium”, but one level down, you’re building and installing something from the sdist instead. And really, you’re probably not going to have a way to know this is even happening, unless you’re climbing that entire dependency tree and cross-checking that you, indeed, have the appropriately matching specifications for a given wheel in a package.

Edit: Also just for clarity's sake, I'm not really championing for any specific fix here. We struggle to write effective heuristic detections for setup.py, but I truly don't have an excellent solution in many respects on what a 'remedied' version of this would look like. I don't want it to seem I'm screaming "setup.py is ruining security!" I just happen to get an (I believe) fairly unique perspective given... the work I do, perhaps, and enjoy engaging in dialogue about some of those issues.

Fair, I'll shoot you the current draft via DM. you can share it as you see fit, it's publicly viewable but not indexed or published yet.

I’m in this picture, but unfairly someone cropped out the part where I say “write a hatch plugin instead” 🐦

right now setup.py is the recommended mechansm to put dynamic code into setuptools_scm as well

whats missing is something that replaces the messed up version file writing (i want to add a build stage extension that adds the version file to a editable wheel/whel instead of writing it to data itself

hello hello! I have a really odd issue and I hope it's okay I ask here, because I honestly don't really know where to ask this:

I have a Wheel I'm building with setuptools and setuptools-rust (currently still the old-school python setup.py bdist_wheel approach).
For some reasons in GitHub Action's envrionment for MacOS Python 3.11 (and only 3.11) the wheels built with the x86_64 Python environment provided there are incorrectly marked as being universal2. They are not universal2, they are only built for x86. The other Python versions correctly mark this as an x86 only wheel.
Does anybody have an idea what could be going wrong here?

Example run: https://github.com/SkyTemple/skytemple-rust/actions/runs/6355353799/job/17263321360

I realize this is most likely not the right place to ask... if anybody could guide me to the right place that'd be great.

Twine or PyPI also don't reject them. I thought they scanned the wheels to make sure they are valid?

right now because of this i have a wheel on PyPI that is marked universal2 but is actually x86 only because of this

ImportError: dlopen(/opt/homebrew/lib/python3.11/site-packages/skytemple_rust.cpython-311-darwin.so, 0x0002): tried: '/opt/homebrew/lib/python3.11/site-packages/skytemple_rust.cpython-311-darwin.so' (mach-o file, but is an incompatible architecture (have 'x86_64', need 'arm64'))

file shows: skytemple_rust.cpython-311-darwin.so: Mach-O 64-bit x86_64 dynamically linked shared library, flags:<NOUNDEFS|DYLDLINK|TWOLEVEL|NO_REEXPORTED_DYLIBS|HAS_TLV_DESCRIPTORS>

fwiw this is not setuptool-rust's fault since I just noticed I also have this issue with another package of mine. That one uses the new-style pyproject.toml build systems with build isolation (PEP 517?) etc.
https://github.com/SkyTemple/tilequant/actions/runs/6225727358/job/16896773186

So this is either an issue with GitHub Actions, setuptools, wheel, or Python 3.11 itself I guess.

they are scanned for validity of tags, but not checked if the tags match package "insides"

where do you think this issue most likely is and do you know where I can best report it?

My guess would be setuptools-rust or setuptools itself (don't know how those 2 are working together). You might also check out Maturin, kinda "all-in-one" rust-python solution

It's not setuptools-rust. The other package I linked does not use setuptools-rust.

(it uses setuptools-dso)

So I think this is a more general issue. I can kinda not imagine this being a general Python 3.11 MacOS bug so I guess I'll try to start raising an issue at GitHub Actions, unless somebody has a better idea. I really doubt this will get any traction there.

Sadly I don't have a Mac to replicate this issue outside of the GitHub Actions runners, so I have no idea.

what package is actually responsible for generating the wheel identifier that should be used?

in setuptools? I have no idea. I don't use setuptools at all

Documentation I found wasn't super clear, but I think wheel decides it (I mean I guess it makes sense). I opened an issue: https://github.com/pypa/wheel/issues/573

For the wheel itself (bdist_wheel) the example in https://github.com/pypa/setuptools/discussions/3762#discussioncomment-4658230 shows how to add an arbitrary file to the archive.
However for the editable_wheel I don't think that is directly supported. For the "lenient" mode or the "compat" mode, the files are taken from the project directory, so you could in theory add a file there... for the "strict" mode - which uses a symlink/hardlink farm, it is possible to add a custom file to the file tree in the auxiliary directory (https://peps.python.org/pep-0660/#what-to-put-in-the-wheel) by implementing the interfaces in https://setuptools.pypa.io/en/latest/userguide/extension.html#supporting-sdists-and-editable-installs-in-build-sub-commands, but I have the impression that a minority of users is using that mode.

I understand that in theory we could have an arbitrary file added to the editable wheel in addition to any .pth file or custom MetaPathFinder, but then we are bound to get into the "namespace-hell" problem with editable installs isn't it[^1]? So far we haven't got back from the core devs any instructions on how to implement "editable" namespaces (https://github.com/python/cpython/issues/92054).

Setuptools current editable wheel implementation does handle namespaces reasonably well (it is probably the most complete implementation available), but it is not without hassle...

[^1]: Or worse, end up in a situation where we want a namespace-like behaviour, but the folders actually contain __init__.py...

yeah, i want to change setuptools_scm so that the version file is nto written to the source tree, but to the build output

@dreamy urchin i'd also like to see a general hook to place files in the build output (i want to have the next version of apipkg generate lazy loading .py file for api modules or alias modules defined in .pyi files)

Does the following help?

class CustomSubCommand(Command):
    def initialize_options(self) -> None:
        self.build_lib = None
        self.editable_mode = False

    def _get_build_lib(self):
        if self.editable_mode:
            return self.distribution.src_root

        with suppress(Exception):
            return self.get_finalized_command("bdist_wheel").bdist_dir

    def finalize_options(self) -> None:
        self.build_lib = self._get_build_lib()

    def run(self) -> None:
        if self.build_lib:
            outdir = Path(self.build_lib)
            outdir.mkdir(parents=True, exist_ok=True)
            (outdir  / "file.txt").write_text("hello world", encoding="utf-8")

    def get_outputs(self):
        return [Path(self.build_lib, "file.txt")]

nto written to the source tree, but to the build output
I don't think that will work nicely right now with PEP 660. As an ecosystem, Python needs to improve before we can do that smoothly.

if as a starting point, i only need to write it into the source tree for editable installs, that seems fine

Hello everyone, I'm building a package with a pyproject.toml using setuptools and I tried to hook into the build process according to PEP 517.
What I'm trying to do is to collect the version of a submodule (which is not a python project) based on it's git tag and hash and store it in an additional metadata file in dist-info. Therefore, I added a prepare_metadata_for_build_wheel/editable function which uses setuptools original one and add a file there. However, when I display the metadata directory the file is created but it is not written to the resulting dist-info directory. This is a minimal example of my code:

import os

from setuptools import build_meta as _orig
from setuptools.build_meta import *

def _write_version_to_metadata(directory: str):
    # Read version string, insert a fixed one here
    # version = get_vcs_version()
    version = 'v2023.10-dev50-ghash'

    with open(
        os.path.join(directory, "version.txt"),
        "w+",
        encoding="utf-8",
    ) as file:
        file.write(version)

def prepare_metadata_for_build_editable(metadata_directory, config_settings=None):
    dist_dir = _orig.prepare_metadata_for_build_wheel(
        metadata_directory, config_settings
    )
    _write_version_to_metadata(os.path.join(metadata_directory, dist_dir))
    return dist_dir

Is there something wrong with what I'm doing? Or am I doing something which I'm not intended to do with adding an additional file to dist-info? (Basically, I'm trying to do this https://setuptools.pypa.io/en/latest/userguide/extension.html#adding-new-egg-info-files but for the new egg-less build process)

For many reasons, setuptools does not "re-use" the metadata directory, but instead tries to regenerate a consistent copy of it (also related to the fact that the code that generates the final wheel is in pypa/wheel not in pypa/setuptools).

Setuptools will try to ensure that all the files itself writes to the .dist-info in the prepare_metadata* hooks are also present in the final wheel... However, if you are overwriting the method, now this responsibility transfers over to your custom backend. Unfortunately this is absolutely non-trivial...

If you would like to contribute with the improvement in setuptools focusing in "re-using" the .dist-info directory (instead of "re-generating" it), that would be a very nice.

While we don't have that implemented, another solution would be working directly in a setuptools plugin. I suppose you could try o use https://setuptools.pypa.io/en/latest/userguide/extension.html#defining-additional-metadata. I think pypa/wheel probably will simply copy the file over to .dist-info (but that should be tested, I don't remember for sure).

If you don't need this file to be necessarily in the .dist-info directory and if you have the flexibility of write this file as a regular data file inside the package directory, you can also use a sub-command or customise an existing command https://setuptools.pypa.io/en/latest/userguide/extension.html#extending-or-customizing-setuptools. There is an example here generating custom files: https://github.com/pypa/setuptools/discussions/3762

Thank you for the answer.

Actually, your last option was what I went with. I just let the build hook create a file in the repository before I call to setuptools prepare_metadata* functions. This works fine and is good enough for my use case for now (even though I feel it would be cleaner in the .dist-info directory).

I actually tried this https://setuptools.pypa.io/en/latest/userguide/extension.html#defining-additional-metadata first and I ended up with writing build hooks because I couldn't get it to work with my pyproject.toml based setup. It felt like that this guide is outdated for the current process but maybe I just did something wrong.

I could give an improvement for re-using the .dist-info a shot. I'm not particular familiar with the setuptools code base (had a look there though when I tried to figure out why my file got lost) so it would be nice if you could point me to relevant code locations. Also I will not be able to allocate too much time rn, so it probably would take some time until I'd be ready to contribute something.

The .dist-info directory for the PEP517 metadata build hook is generated by setuptools/command/dist_info.py. However the .dist-info directory in the wheel is generated by other package (wheel).

This is one of the difficult challenges

There was a pile of PRs pending and I was kind of hopping to cut a release on the beginning of November (but I got busy...), so I just pushed a tag for 69.0.0.

This version mainly removes deprecated stuff (mostly related to pyproject.toml).
In theory the changes should be relatively safe for old packages that don't use pyproject.toml.

I haven't touched the PRs that I considered were still in the "review" stage (e.g. fixing type check errors and all the spin-offs)

Hey, just wanted to say that you're a real hero, @dreamy urchin . Not only do you contribute a tremendous amount of work for the ecosystem, but you are consistently kind, thoughtful, humble and helpful to others, which is a relatively rare combination given how much you have to deal with. Thanks for everything you do! 💛

Hi @granite flint that is really kind of you! Thank you very much for your contributions too! And all the support that you directly gave me inumerous times. You really help to make the ecosystem better.

I know there is probably not a lot of interest in mingw support, but I'd like to somehow get https://github.com/pypa/distutils/pull/184 moving again, so we can someday update to CPython 3.12.

is there a plan to integrate distutils code into setuptools properly instead of vendoring it?

I wonder what would be needed for this? Move over the test suite and CI? Anything else?

I meant integrate directly into code, not just put source files into the same repo

Hm, not sure what you mean.

I believe the question is about having that ungodly refactoring that brings the code into direct integration instead of importing from the vondored version

I'm wondering if there is much room for improvement if distutils API and the monkeypatching need to stay as is. But either way, centralizing the development seems like a step in the right direction to me. (not that my voice has much weight in this..)

i suspect the key issue will be manpower, not other stuff

yeah, exactly that. I can only imagine how hard would that be, I just wanted to know if that is on the agenda or will distutils remain a separate project forever

So -- what exactly is distutils used for?

setuptools was (kinda still is) a wrapper for the original code of distutils from stdlib

setuptools is a most elaborate monkeypatch on top of distutils ^^

It's been removed from CPython, and now it only exists as a vendored dependency in setuptools, right?

Why can't we just update setuptools to not need distutils and then archive distutils?

Oh

Uhh

Move the setuptools patches back to distutils and archive setuptools?

check out how setuptools code works. you will encounter distutils-related code like 2-3 functions deep

not that simple as well

if it was simple/easy it would have been done in a jiffy

its jarringly hard to sanely reintegrate those 2 things

honestly, I once tried to understand the setuptools code to see how hard it would be to take the extensions part and replicate it or isolate into a separate package, turned out close to impossible without hauling around a lot of legacy. "simplest" (only from code standpoint, not taking into consideration time, compatibility or users) way would be to just rewrite it entirely

So uhh... What if we archived both?
I mean, I feel bad saying we should just abandon all the time and love and energy that's gone into these tools
But the PyPA now owns.... three? PEP 517 backends?
What if we picked just one to focus our efforts on?

If we were to rewrite setuptools, what benefit does that setuptools 2.0 provide over, say, flit?

setuptools is the default and backwards compatible backend for great many projects

Flit doesn't support dynamic configuration. Or native modules.

and practically the only one that supports extension modules (like code in C/C++ etc)

And to be clear, I am speaking from almost complete ignorance
Just trying to understand the options on the table

Just meandering now, but why is that?
Are all of the other build system maintainers choosing to not implement that, or is it not currently possible?

from my point of view, until we have a PEP-standard way to declare and compile extension modules, setuptools are there to stay

it's not easy to implement, especially since that could mean even more chaos, when every build backend has their own API. also, projects like Cython or mypyc for example, base their compilation on being setuptools plugins

#extensionlib is a hope for the future, but I think it stalled for now. not sure what the plan is exactly

hi, quick question: for a python extension module I currently use setuptools as a build-backend where the extension compilation requires certain compiled components present on the system – suitesparse and sundials. the cibuuldwheel docs here mention about a build_py distutils/setuptools command class (https://cibuildwheel.readthedocs.io/en/stable/faq/#actions-you-need-to-perform-before-building) that can be used as a pre-installation script that I would like to use in my setup.py for both editable installations and building wheels (we currently provide a separate python script which we can directly integrate here then). I can include the suitesparse and sundials tarballs directly in the sdist to save users' bandwidth and allow their compilation and therefore building extensions on a platform I don't publish wheels for – but it does dramatically increase the size of my sdist from ~6 MB to around 70-80 MB. the extension in specific is a C++ solver that wraps sundials and is optional based on specific environment variables we check for in setup.py, and another thing I feel is that including the source code for suitesparse opens us up to potential software licensing issues (it is GPL-licensed while ours is BSD) – this can be bypassed by downloading the tarballs at runtime. my goal is to simplify the installation: why have two scripts when I can embed them into one and pip install can attempt to compile things up but fall back to the non-accelerated alternative if it doesn't work. in a nutshell, I want to seek opinions on embedding pre-installation scripts in sdists, the purpose of sdists viz. pre-installation, and the purpose of build_py especially in cases like this where one needs to compile something beforehand. I am an intermediate packager at best so I would appreciate thoughts from those who have expertise around this area :) thanks!

Could someone have a look at https://github.com/pypa/distutils/pull/222 ?

thank you for this! you've reminded me to do it in my projects where I test things in multiple Python versions, and sometimes I need to know how a job went for particular Python version despite others failing.

hm, would it be possible to completely replace distutils via _distutils_system_mod.py at import time?

Does anyone do this by any chance?

why do I not get this warning? https://github.com/pypa/setuptools/pull/1541
https://www.irccloud.com/pastebin/5oZjaEWc/setuptools-demo.txt

Where are setup(data_files=[...]) supposed to end up?

Oh I found them it's directly in the root of the virtual environment

Why are data_files deprecated? The note says it's unsupported in wheels but I think that's outdated because I just tried it with a wheel and it worked

The note at https://setuptools.pypa.io/en/latest/references/keywords.html says

data_files is deprecated. It does not work with wheels, so it should be avoided.

You should use package_data

Or at least, that is the advice I got a long time ago

But package_data won't let me put files outside site-packages

Why do you want to do that?

It's for a jupyter extension https://github.com/plotly/dash/pull/2749/files#diff-50c86b7ed8ac2cf95bd48334961bf0530cdc77b5a56f852c5c61b89d735fd711R75

@dusky willow ^

Does jupyter not use standard entry points based plugins? I'm not familiar with the ecosystem on that

I'm not familiar either I'm just porting the setup.py

I think it's legit to want to use the .data/data whl format feature

And this is the only way it's exposed

I don't recall, do data files get namespaced when installed?

The purpose is they are not namespaced so people can add to the same directory of stuff

the problem with data_files historically was that there was not a standard place to put them

so it was a big ??? where they would end up

Is the standard hashed out now? Could it be undeprecated?

By the way I find that files inside "package directories" work fine most of the time (at least for the same use cases that data_files is actually able to handle 100% of the times, i.e. the use cases where there are no requirements about specific paths).

The major valid concern that I saw once in the Python discourse (packaging category - https://discuss.python.org/t/should-there-be-a-new-standard-for-installing-arbitrary-data-files/7853/74) justifying data_files was the performance hit when you use entrypoints for plugin discovery.

However, you still have the ability to co-locate arbitrary files inside a single folder, if you create a namespace package.

For example, imagine you have the myapp package on PyPI that has a plugin system that allows 3rd parties to add HTML, CSS and JS files... The myapp docs can say that plugins need to add files into the myapp_assets namespace package. So when the plugins are installed, pip will place them inside the same directory (please correct me if I am wrong here).

This way you have the same benefit of data_files in terms of plugin-discovery performance, while also being able to use the extra niceties of importlib.resources.

data_files could still be useful for non-Python directories.

The ability to put files outside site-packages is considered a misfeature since it breaks the (virtual) environment abstraction. There’s still use case of course but some design would be needed to fit it into the environment layer. Or arguably software (Jupyter…) should simply not rely on system paths to begin with.

How does it break the abstraction?

oh boy, i recently ran into a module (gmsh) that put it's DLL in venv/lib/gmsh.dll rather than it's own namespace i.e venv/lib/site-packages/gmsh/gmsh.dll, that was annoying and i think such things shouldnt be legal

If you are willing to accept that such non-Python directories will be placed relative to a parent directory chosen arbitrarily by the package installer depending on the way it was invoked and/or system configurations: yeah, definetely useful for that. But that is the catch.

The only use case I know that fits this category was discovery of asset files from plugins that I discussed above (for extreme performance optimisation that you rarely see in packages). But even this use case can be solved in an alternative way, via namespace packages.

If you know any other use case, please let us know. I think this is a very nice thing to have in mind. This is the last discussion we had on the topic, as far as I remember: https://discuss.python.org/t/should-there-be-a-new-standard-for-installing-arbitrary-data-files/7853.

Kudos for Miro that compiled the main things that people ask for https://discuss.python.org/t/should-there-be-a-new-standard-for-installing-arbitrary-data-files/7853/63. As summarised in the thread, manpages and desktop files will not work out of the box if the end user employs virtual environments.

Thanks, that's helpful.

I guess it's fine for this feature to stay deprecated, but the docs still shouldn't claim that it doesn't work in wheels, since that's incorrect.

Thanks to a recent contribution the docs in setuptools were changed: https://setuptools.pypa.io/en/latest/references/keywords.html#keyword-data-files

@dreamy urchin I'm wondering, is there a easy to instruct in process way to test setuptools plugins that are supposed to generate/use artifacts and/or affect file lists for sdist

I still can't fathom a safe way to make and integration-test correct and sdists aware file finders for setuptools-scm

is there a way to pass this option via --config-settings? https://setuptools.pypa.io/en/latest/deprecated/distutils/builtdist.html#cross-compiling-on-windows

I have a workflow where we build the wheel then run wheel tags to re-tag the wheel

https://wheel.readthedocs.io/en/stable/reference/wheel_tags.html

Oh but that wouldn't allow cross compiling to a different arch bitness

oh true

yeah the issue is that a contributor switched a project of mine to pyproject.toml which broke the build for Windows

How can I use setuptools to clone a git repo that isn't a Python package? I'd like to clone a repository of C code so I can generate bindings from its headers

its not clear hat you are asking for - setuptools is neither a git client, nor a make/invoke replacement

Details here #general message

The "backward compatibility" of --config-settings is more or less like the following in setuptools (roughly equivalent):

get_requires_for* ~~> f"python setup.py {config_settings['--global-option']} egg_info" ~~> workaround to extract dependencies
prepare_metadata_for* ~> f"python setup.py {config_settings['--global-option']} dist_info --output-dir {metdata_dir} --keep-egg-info"
build_sdist ~> f"python setup.py {config_settings['--global-option']} sdist --formats gztar --dist-dir {output_dir} {config_settings['--build-option']}"
build_wheel ~> f"python setup.py {config_settings['--global-option']} bdist_wheel --dist-dir {output_dir} {config_settings['--build-option']}"
build_editable ~> f"python setup.py {config_settings['--global-option']} editable_wheel --dist-info-dir {metadata_dir / '*.dist-info'} --dist-dir {output_dir} --editable-mode {config_settings['editabe-mode']}"

(subject to human errors from my side :P)

However, please note that we cannot consider this feature stable.

The only known "stable" mechanism so far for passing configuration parameters for individual commands is via setup.cfg.
If no other tool is relying on the DIST_EXTRA_CONFIG environment variable, you can also use it to avoid modifying an existing setup.cfg and instead add an extra one.

It is not in the scope of setuptools to perform "repository clone" operations.

"Easy" probably not...
Maybe something like the following: https://github.com/pypa/setuptools/blob/v69.1.1/setuptools/tests/test_sdist.py#L750 ?

For a "heavy weight" integration test, I suppose you can call setuptools.build_meta.build_sdist and inspect the contents of the tar.gz (and the SOURCES.txt inside of it).

Thanks! I was trying to find a way to do this https://github.com/ofek/coincurve/blob/69f394a6cc57f536117a6ae4c2e596e521986c62/.github/scripts/build-windows-wheels.sh#L32

Probably something like the following:

python -m build -C "--build-option=--plat-name win_amd64"

(or a variation? The stability of this approach is not guaranteed)

A more stable solution is to add a command configuration section to setup.cfg:

[bdist_wheel]
plat_name = win_amd64

Unable to install a python package because no matching distribution found for setuptools>=40.8.0

Hey all, I have a fairly restrictive environment that I am trying to make an in-house package nice and easy to install to. The setuptools version is waaay below v60 so my existing PEP517/518 pyproject.toml-managed project proceeds to fail spectacularly when attempting to install from source (wheels are not an option 😔). Apparently doing the install inside a virtual environment with a non-ancient setuptools is "too complicated", so my next best option is to bundle a "pip freeze"'d requirements file.
Don't suppose anyone could weigh in on this before I commit myself to bundling a requirements.txt with every release?

That sounds.... weird. What is "too complicated" in using newer setuptools and virtual environment?

The end user is not technical, and iirc the environment is some old release of an enterprise linux running py36

I have chosen not to wage the war of "please fix your environment" and have consigned myself to releasing an install script.

Can you use shiv?

possibly? How well does it handle package resources (importlib.resources.files)?

It should

wow yeah that works perfectly

Just to double check: I suppose telling your user to run pipx run build is not a possibility, right?

I'm not sure why wheels are not an option though

It should work if I recall correctly

https://github.com/pypa/build/blob/0cbca17efde2a06a48ae523f9453bc7d7d8fc707/pyproject.toml#L78

It’s less that it’s not an option and more that it’s need to be delivered as source code, and they are used to just running pip install -r requirements.txt. Anything that doesn’t resemble that without reasonable justification results in a long discussion on why it’s necessary.

Building the wheel on their side was the closest to what I was originally envisioning

Put . in your requirements.txt. 😉

All I need is the ability to perform a single command build/install in an environment running py36 that doesn’t depend on anything not in stdlib by default

Or py37

The issue is that it’s using old setup tools that doesn’t like pyproject.toml managed projects.

They’re fine running pip install but on setuptools<60 that results in an empty UNKNOWN-0.0.0 being built instead of the actual project

Isn't it the version of pip that matters here (rather than setuptools)?

Afaik no. It’s setuptools that’s shitting the bed, not pip

But if you have a PEP518 project, then pip is supposed to download whatever's in your build requirements (including newer setuptools).

It’s supposed to. But from what I can tell, pip installs newer setuptools but then doesn’t use it, or fails. Googling leads me to believe that because a lot of Linux distros rely on a pinned version of python and pip, it won’t let you upgrade the versions for backwards compatibility reasons. Good example of this is upgrading pip on Ubuntu 18.04

Really? What does the install log look like?

😛

If you want to build a project using pyproject.toml you necessarily need setuptools>61.0.0 (but ideally you should use setuptools>62.5.0, at least, the higher the better), there is no other way around it.

If your Python version does not support setuptools>62.5.0, then you cannot build projects that use pyproject.toml. That is the sad truth.

is there a way to expose library and header files from ext_modules to others that install your project? so like if you did pip install somelib and you had your own extension module you could use

#include <somelib.h> // links against library properly

Specify it as a data file to go somewhere in the environment, and tell the dependant package to add that somewhere to the include path. There’s no standard around this (the entire extension dependency area is very under-specified) but I believe the convention is to put the headers under $dataroot/include

And if the downstream uses setuptools (as an example) it adds the path with Extension.include_dirs

It’s not a convention. As you said, the directory for headers in a wheel is <distribution>-<version>.data/headers/, but that’s a documented standard: https://packaging.python.org/en/latest/specifications/binary-distribution-format/

Does setuptools provide a way to put stuff in that directory, though?

Yes, I don’t use setuptools so I don’t know the option, but I know that it exists.

jupyter packages rely on the data dir, and they used setuptools before they switched to hatchling.

IIRC there’s a headers key for this

I can believe that they use the data dir, but headers?

The keyword reference doesn't list this.

It’s been a while since I did it. Use data_files or something if it’s not there. I think they all go into the same place in the end anyway.

data_files sounds right. #installer supports the headers key, so if you e.g. build a DEB/RPM/Pacman/… package using #installer, the headers will go in the right place.

https://github.com/pypa/installer/blob/4b272901f2e005b77f5580317c67eba95f26cc7d/src/installer/__main__.py#L68-L76

So if you use it, someone creating a native package from your PyPI package will simply have to run

python -m installer --destdir=... dist/*.whl

and everything will be put in the right place.
This makes it easier for people to package your library for a Linux distribution and everyone wins.

@quaint jolt started a conversation about creating a more well specified standard for this, but so far, this is the best we have.

do you have an example repo i can follow?

I guess people use include instead of headers. You can find a lot of examples: https://github.com/search?q=path%3A%2F^setup.py%24%2F+%2Fdata_files%3D%2F+%2F["']include["']%2F&type=code

E.g. pysctp: https://github.com/P1sec/pysctp/blob/d7484e885f8abc9fa30bdb7c3afa849ca49a5cd3/setup.py#L47

which results in the data being packaged like in the screenshot.

include is the more popular convention in general in C et al

That's not the same thing. It's a directory named include that's installed under the data key, not something that's installed under a key called include (which doesn't exist).

The key intended specifically for headers is called headers.

Oh OK I thought that was a repo’s source tree

sysconfig uses include though so I can see why there’s confusion

the issue for me hasn’t been the headers, it’s been making the actual shared object available to others

Isn’t platlib for this?

im really not familiar with python packaging, i just develop libraries. what does platlib do?

Is there any way to better manage the order of the finalize options hook and the setup keyword hook

Setuptools-scm is in deep trouble as depending on version and build backend the order of these hooks maybe reverse

The only thing it is implemented right now, is that it sorts the finalize hooks according to an optional .order attribute (lower numbers go first, 0 is the default)

I don't think the same is implemente for the keyword hooks.

The keyword hooks always go first than the finalize hooks

The issue i have is that users report issues with hook order, I haven't yet been able to replicate myself

distutils.setup_keywords hooks run with order=0, it is not currently possible to modify that.
setuptools.finalize_distribution_options hooks run with default order=0, but you can modify that by seting an order attribute in the function (the higher, the later it runs, you can have negative numbers too)

hooks with the same order attributed (or default 0) run according to the order they are found in the disk by importlib-metadata

(so on further analysis, my previous phrase "The keyword hooks always go first than the finalize hooks" is incorrect)

The bdist_wheel command has now been merged from wheelto setuptools and will be in the next release

this should make it much easier to work on the long-standing warts of the implementation, as there is no longer any need to coordinate and synchronize releases between the two projects

once there is a new release of setuptools with this included, I will deprecate the bdist_wheel command in wheel and ultimately remove it

Awesome!

I am currently working on migrating the wheel file handling code from wheel to packaging, overhauling and polishing the API in the process so that it'd be more palatable to other build back-ends than just setuptools

@brittle crypt I’ll try to make a branch of scikit-build-core based on the packaging PR and provide feedback soon

I am working with a package system Nixpacks

In it, the python provider is doing some unclear things:
https://github.com/railwayapp/nixpacks/blob/9fae921e719f540965347b662571311273353a1c/src/providers/python.rs#L192-L194 ({create_env} && {activate_env} && pip install --upgrade build setuptools && pip install .)

The main thing I am unsure about is pip install --upgrade build setuptools. To get you as much context as I can without you looking at the code; this step is ran if it is pip installing through a pyproject and not a requirements file. It seems to be an attempt to handle https://github.com/railwayapp/nixpacks/blob/main/examples/python-setuptools/pyproject.toml. However, I am of the understanding and opinion that this explicit install of build and setuptools is largely not required here. It doesn't seem to be needed in any way. Is it not better to just let pip figure out how to install all required dependencies on its own? Does PEP 517 make this whole line unnecessary? It really feels like it is not required here.

It isn't like there is some "build" step going on. It basically will download the dependencies and then start the python program through basically python main.py.

I have asked the maintainers and ,,, they don't know. I am sure someone knows why it was done this way. But none of the main people seem to know. The whole system is a bit of a mess in some places.

[...] but it was my impression that pip install . both built and installed the project
[...] I thought that build, at least, was how pip dealt with it
I know that setuptools isn't needed
^ from the guy who wrote this part. Not sure though if that really changes anything I said. Because it shouldn't be required to explicitly instal these dependencies? I would really appreciate it if someone could help make this behavior more clear to us

The main motivation behind all of this, is that I am looking to clean up the python provider and make some additions / improvements. So I was wondering if anyone could think of a reason why I shouldn't remove the pip install --upgrade build setuptools? Or better yet, if you have a suggestion for a better, more generalized way to handle this

yes, I think you should be fine with removing that, modern pip versions will create a isolated environment, install the requirements there, and build the package

if you have any issue tracking this in the nixpacks upstream, feel free to ping me there

it got merged! 🥳

I think its going to be very important to figure if you want to provide a nix native python or a virtualenv

All the best and a lot of patience to setuptools maintainers. The storm will pass

Anyone present here to yank the setuptools 72.0.0 update from PyPI?
https://github.com/pypa/setuptools/issues/4519

yanking is not a solution here

Why not? Mostly as a temporary solution to unblock other people's workflows

Ok, I've found the culprit was cssbeautifier which indeed used those API. I thought that project were being affected more randomly. Can't tell if that's the case right now though

I've had a report for pybind11, which doesn't look like it should fail, which is what raised that suspicion

Half a decade of deprecation is still not enough:)

it's not that it is not enough, it's just that it is too easy to disable/hide/miss deprecation warnings. we need a better deprecation system in Python overall

I suspect unless it's baked in with observability and a bubble up it's going to be missed

And I'm not aware of anyone wanting to go there

So deprecation is not enough, infrastructure to make them notable needs to be implemented everywhere

yeah, I was thinking something in line of package installers bubbling up the deprecations on installation or something

They needed to be visible in container builds,ci and more

It's so easy to just miss them in builds until the build goes up in fire

yeah

So given current tools, I suspect the only general vehicle will be something like open telemetry

Or a similar behemoth

People also tend to forget there are three levels of Deprecation warnings, with the highest level not including "Deprecation" in the name (FutureWarning) - it's the generally only one that shows up for "users". It doesn't help that pip eats output by default or that setuptools is often really verbose.

Hey Folks,
I wanted to setup setuptools locally for development, is there are guide for this? (Not very familiar with python ecosystem, wanted to hack around)

there's a developer's guide at https://setuptools.pypa.io/en/latest/development/developer-guide.html

Thanks @humble palm I was following that but I've been getting errors while running tox commands.

1. Set up a venv
2. pip install -e ".[testing,docs]"
3. After this most of the commands error out for me

Is this the correct way?

if you run tox, you don't need to set up a venv or pip install, it does that stuff for you

what tox command did you run? what error did you see?

So I'm trying to get 68.1.2 working. After using tox, initially it complained about not finding https://github.com/jaraco/build@bugfix/630-importlib-metadata, which is linked to https://github.com/pypa/build/issues/630. But that gives a 404 now. After removing that clone line, running tox resulted in a lot of test failures:

==================================== 285 failed, 1276 passed, 22 skipped, 11 xfailed, 2 xpassed, 1149 warnings, 63 errors in 155.65s (0:02:35) =====================================
py: exit 1 (156.29 seconds) /home/vyom/patching_pkgs/setuptools/noble/setuptools-68.1.2> pytest pid=71712
.pkg: _exit> python /usr/lib/python3/dist-packages/pyproject_api/_backend.py True setuptools.build_meta
  py: FAIL code 1 (175.56=setup[19.27]+cmd[156.29] seconds)
  evaluation failed :( (175.66 seconds)

what command are you running? just plain tox?

Yup, just plain tox

make sure your branch is up to date with latest main, 630-importlib-metadata was removed in August last year: https://github.com/pypa/setuptools/commit/054ca25fee90d7deaec0b30cb12680ae18464b09

are you on a fork?

I'm on the Ubuntu source package for setuptools, patching RCE CVE for setuptools

hmm, ok then it seems to be about a year old

Is there any way to recover that branch (jaraco might have it locally), but except that there's no way, right? (unless the commit can be found)

I doubt it can be recovered

I don't want to give up that fast on this. Can you help me to understand what I need to possibly do to fix the problem in https://github.com/pypa/build/issues/630. I can checkout from a commit near that date on the main branch and can maybe add the patches that the issue talks about. (screams in dependency hell)

good to hear you're giving up! you might be better off getting some help from a setuptools maintainer at this point 🙂

Hmm, I'll do some research before directly reaching out to the maintainers. Thanks for the help so far Hugo!

Old commits of setuptools may include workarounds that are bound to the situation of the ecosystem in the time they were written...

If you see a pinning in the tox.ini to a specific branch/commit, you may try to bump that dependency to the version that came immediately after the issue was solved. In general, just removing the pinning altogheter might also work.

Removing the pinning didn't work

If you tried to regenerate the tox environment without the pinning and it does not work, then you may have to find out the version where the fix was released...

So, I've been trying different commits in https://github.com/pypa/build/pull/631 to see if anyone works because they are from the branch I'm referring above to, but I'm getting an attribute error:

  File "/home/vyom/patching_pkgs/setuptools/noble/setuptools-68.1.2/.tox/py/lib/python3.12/site-packages/jaraco/packaging/metadata.py", line 8, in <module>
    source_dir: util.StrPath,
                ^^^^^^^^^^^^
AttributeError: module 'build.util' has no attribute 'StrPath'

what version of build do you have?

looking at releases, I would say you want 1.0 for that

1.0 also gives the same error

XFAIL setuptools/tests/config/test_apply_pyprojecttoml.py::test_utf8_maintainer_in_metadata[international-email] - CPython's `email.headerregistry.Address` only supports RFC 5322, as of Nov 10, 2022 and latest Python 3.11.0
XFAIL setuptools/tests/test_build_py.py::test_excluded_subpackages - reason: #3260
XFAIL setuptools/tests/test_dist.py::test_read_metadata[Metadata Version 1.2: Project-Url-attrs5] - Issue #1578: project_urls not read
XFAIL setuptools/tests/test_dist.py::test_read_metadata[Metadata Version 2.1: Provides Extra-attrs9] - provides_extras not read
XFAIL setuptools/tests/test_egg_info.py::TestEggInfo::test_requires[extras_require_with_marker_in_setup_cfg]
XFAIL setuptools/tests/test_virtualenv.py::test_pip_upgrade_from_source[pip<20.1] - pip 23.1.2 required for Python 3.12 and later
XFAIL setuptools/tests/test_virtualenv.py::test_pip_upgrade_from_source[pip<21] - pip 23.1.2 required for Python 3.12 and later
XFAIL setuptools/tests/test_virtualenv.py::test_pip_upgrade_from_source[pip<22] - pip 23.1.2 required for Python 3.12 and later
XFAIL setuptools/tests/test_virtualenv.py::test_pip_upgrade_from_source[pip<23] - pip 23.1.2 required for Python 3.12 and later
XFAIL setuptools/tests/test_virtualenv.py::test_pip_upgrade_from_source[https://github.com/pypa/pip/archive/main.zip] - #2975
XFAIL setuptools/tests/test_integration.py::test_python_novaclient

Using without any version (ig it gets latest compatible). I think some failures are expected here 🤔

Here's the full log, if someone wants to help me debug: https://gist.github.com/Vyom-Yadav/42771a7d8b1cd121452d680a4dad3c6a.

Heyo! Are y'all aware that setuptools 72.2.0 failed in the release pipeline and isn't on PyPI?