On 7/20/23 09:30, Alastair Hogge wrote:
> On 2023-07-20 20:02, John W. O'Brien wrote:
>> On 7/20/23 00:32, Charlie Li wrote:
>>> John W. O'Brien wrote:
>>>> For net-mgmt/py-pysmi, I also had to patch pyproject.toml [2] to match the port name [3].
>>>>
>>>> [2] https://github.com/lextudio/pysnmp/blob/v5.0.28/pyproject.toml#L2
>>>> [3] https://cgit.freebsd.org/ports/diff/net-mgmt/py-pysmi/files/patch-pyproject.toml?id=718622a56caf647e137c7896197e0d6b17dedddb
>>>
>>> Please don't do that unless you are performing name normalisation [0]. While this case involves the unfortunate death of the original author and maintainer, changing the metadata in this manner is still a lapse in software supply chain security/integrity, considering the wider Python package ecosystem's (most visibly in PyPI) chequered history in this area.
>>>
>>> [0] https://packaging.python.org/en/latest/specifications/name-normalization/
>>
>> How would you have us handle this instead?
>
> Ah, you may have missed the update [1] to the bug report. I have not yet had a chance to start on a patch.
>
> 1: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=262906#c9
Do we expect that Lextudio's PEP 541 request to take over the PyPI package names is going to be denied? If not, it means we expect the upstream source names to change to match the current port names, and renaming now will require renaming again later. I struggle to see how incurring that churn serves the interests of "software supply chain security/integrity" at all. The decision to use the Lextudio source or not is the consequential one.