PEP 621: Migrate from setup.{py, cfg} to pyproject.toml #315
This is awkward... I may be biased, but I prefer my #307 PR, which also includes the migrations but with dynamic version (based on cpplint.py) and dependencies (based on the dependency listing files). (I also read in pytest docs that they prefer storing settings in .pytest.ini so that's what I did.) My PR would also automatically use the newest Python. (I also don't see reason to drop EOL Python versions for no reason; I think we should only drop it when something becomes an issue. And by "issue" I mean things like the EOL 3.7 not having the walrus operator.)
Not really the main subject of the PR; would overlap with #315 anyways.
Sorry about that, I've realized the issue now: newer versions of Pylint you need don't support 3.9. So I support bumping minimum to 3.9 now.
I believe we should all push projects to not build on foundations that no longer receive security updates.
You create pull requests under one username and review pull requests on the same repository under a different username? Seems duplicitous.
I accidentally merged a PR that broke everything once; I started a PR to fix that. As @jayvdb (the only other active maintainer) is not active and the PR sat for weeks, I started doing that and jayvdb doesn't seem to mind.
This is not something that happened just once. I find a repeated duplicitous and dangerous pattern of eight pull requests created by @norab0130 and approved and merged by @aaronliu0130 when the same person controls both accounts.
This repeated pattern intentionally circumvents the supply chain security policy of this repo that a maintainer who is not the author reviews and approves every pull request before it is merged. This policy is standard for Google and most other widely installed software tools. If anyone thinks this is not a problem, they are not paying enough attention to software supply chain security issues. The code in this repo is not owned by one person but is instead the work of many that needs to be treated safely and with respect. If a maintainer is not paying enough attention to review pull requests on widely deployed production code, then one or more new maintainers must be added to the project. Actions: I have the commit-bit for my previous work on this repo.
EDIT:
This is the only place where I've used that account for this purpose, as someone from a "pgrouting" repository started complaining about the errors on the development branch. No problem not using that account if there's other active maintainers around to use that account. I'm happy for you, an active maintainer, to review my pull requests from now on!
optional-dependencies.test = [ | ||
"parameterized", | ||
"pytest", | ||
"pytest-cov", | ||
"pytest-timeout", | ||
"testfixtures", | ||
"tox<5", | ||
] | ||
optional-dependencies.testing = [ | ||
"parameterized", | ||
"pytest", | ||
"pytest-cov", | ||
"pytest-timeout", | ||
"testfixtures", | ||
"tox<5", | ||
] |
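Review bot: optional-dependencies.test and optional-dependencies.testing list the same six requirements, so the two copies can drift apart the first time only one of them is edited. Keep a single list and drop the second extra, or, if both names must stay installable, add a comment above the second one saying it is an alias and must mirror the first. Separately, tox<5 is the only entry here with a version bound; if that is intentional, a short comment saying why would help the next reader.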
Rebasing rn, is there a reason the test extra was duplicated lol
.test, .testing, and .dev all existed in setup.py so I replicated them in pyproject.toml (plus requirements files) to be sure I did not break anything.
Once we merge the open pre-commit PRs the only tools we will need in .dev will be pytest-related. At that point, we can drop .test and .testing and just have dev.
The other issue is that the version is hard coded in both pyproject.toml and in Python code. That should be fixed by making version dynamic in pyproject.toml and read out of the Python code.
https://setuptools.pypa.io/en/latest/userguide/pyproject_config.html
Migrate setup.py to setup.cfg using setuptools-py2cfg plus manual modifications. Then migrate setup.cfg to pyproject.toml using ini2toml to do the file conversion and running pyproject-fmt and then validate-pyproject to validate the results.