On Sun, Jun 17, 2012 at 12:24 PM, Tres Seaver <[email protected]> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 06/15/2012 11:01 PM, Richard Jones wrote: >> "impossible to safely extract requirements in a 100% generic way." >> >> It has nothing to do with it being the de facto standard and >> everything to do with executing untrusted code on pydotorg systems >> with no guarantee that we'll even get the setup.py to work in our >> environment anyway. >> >> Sent from my portable device, please excuse the brevity. On Jun 16, >> 2012 2:41 AM, "Chris Withers" <[email protected]> wrote: >> >>> On 13/06/2012 13:20, Donald Stufft wrote: >>> >>>> setuptools is a non standard addition to Python packaging which is >>>> impossible to safely extract requirements in a 100% generic way. > > You can avoid executing 'setup.py' by looking for 'requires.txt' in the > egg-info directory within the sdist.
Except that sdists don't have egg-info directories, presumably because egg-info can depend on the environment the project is installed in. For example, it's not unheard of for dependencies to depend on the Python version (e.g. json). Jim -- Jim Fulton http://www.linkedin.com/in/jimfulton Jerky is better than bacon! http://zo.pe/Kqm _______________________________________________ Catalog-SIG mailing list [email protected] http://mail.python.org/mailman/listinfo/catalog-sig
