This Engineering Notebook post briefly summarizes the challenges in 
distributing Leo on pypi.


PRs #3834 <https://github.com/leo-editor/leo-editor/pull/3834> and #3835 
<https://github.com/leo-editor/leo-editor/pull/3835> (both drafts) contain 
the relevant code.


*New security restrictions*


All files uploaded to pypi and testpypi must have unique filenames *and* 
contents.


*These new constraints are reasonable.* Code repositories such as GitHub 
and pypi are under continuous, sustained, sophisticated attacks from 
state-sponsored terrorists. The goal is to insert malware in legitimate 
software such as Leo.


*These new constraints require new scripts.* A few hours of experience 
showed that new scripts are mandatory. I now have private scripts called 
build-leo, upload-leo, install-leo and uninstall-leo. These scripts will 
eventually become part of the leo/scripts directory.


*Further work*


- *Automatically create unique filenames using public version ids* 
<https://packaging.python.org/en/latest/specifications/version-specifiers/#public-version-identifiers>.
The build script might use a private helper file in my home directory.


- *Automatically insert a timestamp in leoVersion.py*. This timestamp will 
ensure that the contents of each build will be unique.


The build script (or a helper) will update these ids and timestamps 
*without* changing Leo's version number. PR3 uses a version number of 
6.7.8.1, but that's likely a temporary expedient.
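As an added illustration of the plan above (example code, not code from either PR), here is a stand-alone Python sketch of what such a build helper could do: derive a unique public version id from Leo's unchanged version number and refresh a build timestamp in leoVersion.py. The leoVersion.py layout (`version = '...'` and `build = '...'` lines) and the function names are assumptions.

```python
import re
from datetime import datetime, timezone

# Canonical public version form from the version-specifiers specification.
# Local labels ("+...") are deliberately absent: pypi rejects them.
PUBLIC_VERSION_RE = re.compile(
    r"^([1-9][0-9]*!)?(0|[1-9][0-9]*)(\.(0|[1-9][0-9]*))*"
    r"((a|b|rc)(0|[1-9][0-9]*))?(\.post(0|[1-9][0-9]*))?(\.dev(0|[1-9][0-9]*))?$"
)
# Assumed layout of leoVersion.py: a `version = '...'` line and a `build = '...'` line.
VERSION_LINE_RE = re.compile(r"^version\s*=\s*['\"]([^'\"]+)['\"]\s*$", re.M)
BUILD_LINE_RE = re.compile(r"^build\s*=\s*.*$", re.M)

def build_version(version: str, when: datetime) -> str:
    """Return `version` + '.post<UTC timestamp>': the id used only for the upload.

    Leo's release number is untouched.  A .post segment is used rather than .dev
    because pip installs post-releases by default but skips .dev ones without --pre.
    """
    if not PUBLIC_VERSION_RE.match(version) or ".post" in version or ".dev" in version:
        raise ValueError(f"expected a plain public release version, got {version!r}")
    return f"{version}.post{when.astimezone(timezone.utc).strftime('%Y%m%d%H%M%S')}"

def stamp_version_file(text: str, when: datetime) -> tuple[str, str]:
    """Refresh the build timestamp in leoVersion.py text, leaving `version` alone.

    Returns (new_text, upload_version): the new `build` line makes each build's
    contents unique; upload_version makes each sdist/wheel filename unique.
    """
    m = VERSION_LINE_RE.search(text)
    if m is None:
        raise ValueError("leoVersion.py has no `version = '...'` line")
    stamp = when.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    new_line = f"build = '{stamp}'"
    if BUILD_LINE_RE.search(text):
        new_text = BUILD_LINE_RE.sub(new_line, text, count=1)
    else:  # no build line yet: append one
        new_text = text.rstrip("\n") + "\n" + new_line + "\n"
    return new_text, build_version(m.group(1), when)

def wheel_filename(project: str, upload_version: str) -> str:
    """Filename a pure-Python wheel gets for this upload."""
    return f"{project}-{upload_version}-py3-none-any.whl"

if __name__ == "__main__":
    # Constructed sample text, not Leo's real leoVersion.py.
    sample = "version = '6.7.8'\nbuild = 'unknown'\n"
    new_text, upload_version = stamp_version_file(sample, datetime.now(timezone.utc))
    print(new_text + wheel_filename("leo", upload_version))
```

Because the release segment never changes, `pip install leo` still resolves to the highest 6.7.8 upload, and the timestamped post segment is what keeps every filename distinct.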


*Bugs*


I yanked Leo 6.7.8 from pypi because the Python wheel was dangerous: it 
sprayed the *sub-folders* of the leo-editor/leo folder inside Python's 
site-packages folder!! Happily, `pip uninstall leo` undid the damage!


I am cycling between two bugs. The first creates no "leo" package in the 
"site-packages" folder; the second damages "site-packages" as described 
above.


Presumably, pyproject.toml needs only a tweak, but I'm tearing out my hair 
trying to find it!


*Summary*


Right now, `pip install leo` installs Leo 6.7.7, not Leo 6.7.8. The bugs 
described above are release blockers.


It is no longer possible to create or debug pypi distributions without 
using helper scripts. Those scripts are my next project.


*I would greatly appreciate help debugging either PR*. My *guess* is that 
pyproject.toml needs only a tweak, but finding that tweak has not been 
easy!!!


Edward


P.S. Both PRs remove setup.py. That's not strictly necessary, but removing 
setup.py should simplify distribution in the long run.


EKR


