Re: [Distutils] How to install examples files?

[Thomas Kluyver]

If I recall correctly, 'pip install --target' works by installing into a
temporary directory, then copying only the library part to the target
directory. So it will throw away any docs/examples/scripts that would be
installed outside the importable package.

On Tue, Apr 10, 2018, at 10:08 PM, Michael Schwager wrote:
> It looks like the following setup.py will do what I want, but it won't
> install the examples when I use --target:> 
> from setuptools import setup, find_packages
> from codecs import open
> from os import path
> 
> with open(path.join('.', 'README.md'), encoding='utf-8') as f:
>long_description = f.read()
> 
> setup(
>name='kivydnd',
>version='0.5.0',
>description='Kivy Drag-n-Drop for Widgets',
>long_description=long_description,
>long_description_content_type='text/markdown',
>url='https://github.com/GreyGnome/KivyDnD',
>author='GreyGnome',
>author_email='mschw...@gmail.com',
>license='Apache License 2.0',
>keywords='kivy drag-n-drop',
>packages=find_packages(exclude=[]),
>data_files=[('share/kivydnd-examples',
>[
>'examples/dndexample1.py',
>'examples/dndexample2.py',
>'examples/dndexample3.py',
>'examples/dndexample_copy_draggable.py',
>'examples/dndexample_drop_groups.py',
>'examples/dndexample_relative_layout.py',
>'examples/example_base_classes.py',
>'examples/example_base_classes.pyc',
>]
>)],
> )
> 
> 
> On Sat, Apr 7, 2018 at 12:48 AM, Michael Schwager
>  wrote:>> Hello,
>> I am trying to install a module with a package and also an examples
>> directory. How do I get my examples installed on users' machines into
>> a reasonable location, in a cross-platform kind of way?>> 
>>  I notice that a number of Python examples are installed in
>>  /usr/share (in Linux) or in
>>  \AppData\Local\Programs\Python\Python36\Share on Windows 8.>> 
>> So in my setup.py, I have this:
>> 
>> from setuptools import setup, find_packages
>> from codecs import open
>> from os import path
>> 
>> with open(path.join('.', 'README.md'), encoding='utf-8') as f:
>>long_description = f.read()
>> 
>> setup(
>>name='kivydnd',
>>version='0.5.0',
>>description='Kivy Drag-n-Drop for Widgets',
>>long_description=long_description,
>>long_description_content_type='text/markdown',
>>url='https://github.com/GreyGnome/KivyDnD',
>>author='GreyGnome',
>>author_email='myem...@example.com',
>>license='Apache License 2.0',
>>keywords='kivy drag-n-drop',
>>packages=find_packages(exclude=[]),
>>data_files=[('share/kivydnd-examples',
>>['examples/dndexample1.py',])],>> )
>> 
>> But when I try to install them on Linux, I don't see the
>> dndexample1.py file anywhere:>> 
>> python setup.py sdist
>> pip install --target=/home/schwager/lib/python dist/kivydnd-
>> 0.5.0.tar.gz --log /tmp/piplog>> 
>> (Note that I am using a different target for testing).
>> 
>> The piplog shows that it at least tried to do something with the
>> examples, but I can find a directory by that name anywhere in my home
>> directory:>> 
>> 
>>creating /tmp/tmpirrDx8/share/kivydnd-examples
>>copying examples/dndexample1.py -> /tmp/tmpirrDx8/share/kivydnd-
>>examples>> 
>> Thanks!
>> -- 
>> -Mike Schwager
>> 
> 
> 
> 
> -- 
> -Mike Schwager
> _
> Distutils-SIG maillist  -  Distutils-SIG@python.org
> https://mail.python.org/mailman/listinfo/distutils-sig

___
Distutils-SIG maillist  -  Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig

[Distutils] Execute command before pip install

[Jorge Maldonado Ventura]

I need to execute a command automatically when running `pip install` to 
solve https://notabug.org/jorgesumle/boot-em-all/issues/1


I need to do that to compile the translation files. I found that 
overriding the `setuptools.command.install` makes it work with `python3 
setup.py install`, but I want it to work with pip as well. Any advice or 
think I overlooked? Is there a clean or recommended way to do this?


The whole code is free software, so you can check my `setup.py` file. 
The repository can be cloned executing `git clone 
https://notabug.org/jorgesumle/boot-em-all`.


___
Distutils-SIG maillist  -  Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig

[Distutils] setuptools package rpm issue

[xiaojun....@nnct-nsn.com]

hi，
When i use the latest python version 3.6.5 to package the setuptools 
version 39.0.1 to rpm,the os is readhat 6.5.i have some problem.
I use blow command to package it:
python3 setup.py bdist_rpm   --requires "Python3-nsn" --no-autoreq --packager 
"xiaojun@nnct-nsn.com" --binary-only

 Then the error occured,the error messages is like this:
Processing files: setuptools-39.0.1.post20180411-1.noarch
error: Two files on one line: 
/usr/local/python3/lib/python3.6/site-packages/setuptools/script
error: File must begin with "/": (dev).tmpl
error: Two files on one line: 
/usr/local/python3/lib/python3.6/site-packages/setuptools/command/launcher
error: File must begin with "/": manifest.xml


RPM build errors:
Two files on one line: 
/usr/local/python3/lib/python3.6/site-packages/setuptools/script
File must begin with "/": (dev).tmpl
Two files on one line: 
/usr/local/python3/lib/python3.6/site-packages/setuptools/command/launcher
File must begin with "/": manifest.xml
error: command 'rpmbuild' failed with exit status 1

 I search the internet,and found this 
url:https://stackoverflow.com/questions/26718001/cannot-create-setuptools-rpm-error-two-files-on-one-line#
 . I followed it ,and found the above two files in the 
./build/bdist.linux-x86_64/rpm/BUILD/setuptools-39.0.1.post20180411/INSTALLED_FILES
 file,there are spaces.
 Can you fix it?


Email:xiaojun@nnct-nsn.com

___
Distutils-SIG maillist  -  Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig

Re: [Distutils] providing a way for pip to communicate extra info to users

[Pradyun Gedam]

On Tue, 10 Apr 2018, 05:17 Chris Jerdonek,  wrote:

> On the pypa-dev Google group, a suggestion was raised about giving pip
> a way to communicate extra info to users.
>
> This was during a thread started by Matthew Brett about pip breaking
> for certain macOS users due to certain TLS changes ("Impending silent
> breakage of pip / macOS likely to cause severe confusion"). Donald
> said this behavior is governed by PEP 503 and that the topic was best
> discussed on distutils-sig:
> https://groups.google.com/d/msg/pypa-dev/Oz6SGA7gefo/RRXQBQSBBAAJ
> so I'm raising the suggestion here to continue the discussion.
>
> One of Donald's comments in response to the idea (and that occurred to
> me too and that I agree with) is that providing a way to communicate
> messages to users introduces another possible avenue for attack.
>
> A possible middle-ground could be to hard-code a message in pip. Pip
> could display the message in certain circumstances, e.g. in response
> to certain types of failures. For example, the message could tell
> users to check a certain URL maintained by PyPA for further
> information / possible announcements.
>
> What do people think?
>

I like the idea.

I think linking to a location where we can make informative comments would
be a good idea — ideally where we can show announcements reverse
chronologically.

I don’t know how relevant they are but scenarios where this would help,
that come to my mind are:

- Status Page: "pypi.org is undergoing an incident and installations may
fail. You can find more information at status.python.org."
- Major Features: for things like PEP 517 when it's released. "There's
news. Have a look at pypi.org/news" or something like that.


> --


> ___
> Distutils-SIG maillist  -  Distutils-SIG@python.org
> https://mail.python.org/mailman/listinfo/distutils-sig
___
Distutils-SIG maillist  -  Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig

Re: [Distutils] providing a way for pip to communicate extra info to users

[Paul Moore]

On 11 April 2018 at 17:32, Pradyun Gedam  wrote:
> On Tue, 10 Apr 2018, 05:17 Chris Jerdonek,  wrote:
[...]
>> A possible middle-ground could be to hard-code a message in pip. Pip
>> could display the message in certain circumstances, e.g. in response
>> to certain types of failures. For example, the message could tell
>> users to check a certain URL maintained by PyPA for further
>> information / possible announcements.
>>
>> What do people think?
>
>
> I like the idea.
>
> I think linking to a location where we can make informative comments would
> be a good idea — ideally where we can show announcements reverse
> chronologically.
>
> I don’t know how relevant they are but scenarios where this would help, that
> come to my mind are:
>
> - Status Page: "pypi.org is undergoing an incident and installations may
> fail. You can find more information at status.python.org."

For HTTP type responses, which is what I understood Chris' question to
be about, this seems like a good approach to me - the index can supply
a response that triggers pip to report a message. "The index XXX
reported an issue - for more information see XXX/status". That would
need a PEP 503 change to say that an index can trigger this message by
sending a certain response code, and that if an index does send that
code, it must provide additional information at its /status page.

> - Major Features: for things like PEP 517 when it's released. "There's news.
> Have a look at pypi.org/news" or something like that.

For these, I was thinking about this in the context of how we announce
releases like pip 10. Maybe something like this would better fit as an
addition to the pip selfcheck code - so that as well as checking for a
newer version, pip would also check for a "Message of the day" at a
known URL and display it if there is one. That gives us a way to
announce releases or betas, or upcoming deprecations, in a way that
reaches every pip user (at least every one who's connected to the
internet!) It's a bit intrusive, so I think it's critical that we use
it sparingly, but it would be good to have at least some channel that
reaches everyone. I don't think it's something we'd want to use for
transient issues like pypi outages, for instance.

Paul
___
Distutils-SIG maillist  -  Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig

Re: [Distutils] Execute command before pip install

[John Thorvald Wodder II]

> On 2018 Apr 11, at 06:55, Jorge Maldonado Ventura  
> wrote:
> 
> I need to execute a command automatically when running `pip install` to solve 
> https://notabug.org/jorgesumle/boot-em-all/issues/1
> 
> I need to do that to compile the translation files. I found that overriding 
> the `setuptools.command.install` makes it work with `python3 setup.py 
> install`, but I want it to work with pip as well. Any advice or think I 
> overlooked? Is there a clean or recommended way to do this?
> 
> The whole code is free software, so you can check my `setup.py` file. The 
> repository can be cloned executing `git clone 
> https://notabug.org/jorgesumle/boot-em-all`.

This can't be done.  `pip install` installs from wheel (.whl) files, and that 
installation process currently (and, I believe, by design) has no provision for 
running arbitrary code.  You have two options:

1. Extend the `setup.py bdist_wheel` command to compile & bundle the 
translation files as part of building the wheel.  I personally don't know how 
to do this, but I believe the process is somewhat similar to extending the 
`setup.py install` command.  Note that if the compiled translation files are 
architecture-dependent, you'll also need to add the appropriate tags to the 
wheel.

2. Give your library a `boot_em_all_compile_translations` command for compiling 
the translation files, which the user must then run manually after installation.
___
Distutils-SIG maillist  -  Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig

Re: [Distutils] Execute command before pip install

[Brett Cannon]

On Wed, 11 Apr 2018 at 10:36 John Thorvald Wodder II 
wrote:

> > On 2018 Apr 11, at 06:55, Jorge Maldonado Ventura <
> jorgesu...@freakspot.net> wrote:
> >
> > I need to execute a command automatically when running `pip install` to
> solve https://notabug.org/jorgesumle/boot-em-all/issues/1
> >
> > I need to do that to compile the translation files. I found that
> overriding the `setuptools.command.install` makes it work with `python3
> setup.py install`, but I want it to work with pip as well. Any advice or
> think I overlooked? Is there a clean or recommended way to do this?
> >
> > The whole code is free software, so you can check my `setup.py` file.
> The repository can be cloned executing `git clone
> https://notabug.org/jorgesumle/boot-em-all`
> .
>
> This can't be done.  `pip install` installs from wheel (.whl) files, and
> that installation process currently (and, I believe, by design) has no
> provision for running arbitrary code.  You have two options:
>

Yep, it's by design to make installation as fast as copying some files from
a zip file.


>
> 1. Extend the `setup.py bdist_wheel` command to compile & bundle the
> translation files as part of building the wheel.  I personally don't know
> how to do this, but I believe the process is somewhat similar to extending
> the `setup.py install` command.  Note that if the compiled translation
> files are architecture-dependent, you'll also need to add the appropriate
> tags to the wheel.
>
> 2. Give your library a `boot_em_all_compile_translations` command for
> compiling the translation files, which the user must then run manually
> after installation.
>
>
Another option is to look at PEP 517-compatible tools like Enscons which
will give you more control over the wheel compilation process without
having to try to hack your way into Setuptools.
___
Distutils-SIG maillist  -  Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig

Re: [Distutils] providing a way for pip to communicate extra info to users

[Nathaniel Smith]

On Mon, Apr 9, 2018, 16:47 Chris Jerdonek  wrote:

>
> One of Donald's comments in response to the idea (and that occurred to
> me too and that I agree with) is that providing a way to communicate
> messages to users introduces another possible avenue for attack.


I agree that this is worth thinking about, but having thought about it I'm
having trouble coming up with a threat model where it creates additional
exposure?

If someone takes over package distribution, that's obviously a far more
serious problem. A messaging mechanism could amplify such an attack by
encouraging people to install the compromised packages – but pip's existing
check for new pip versions can also do that. Or if we have a mechanism for
securing package updates, like TUF, then presumably we can use it to
protect the MOTD as well?

-n
___
Distutils-SIG maillist  -  Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig

Re: [Distutils] providing a way for pip to communicate extra info to users

[Paul Moore]

On 11 April 2018 at 20:16, Dwight Hubbard  wrote:
> It would be useful as well for sites that run their own mirror
> infrastructure to be able to add motd text to the pip commands as well.
>
> However I don't think this should be implemented via the response code from
> a call to some rest api.  It would be trivial to proxy the call to a
> different location and send a different message.  Any implementation would
> need some way to sign and verify the message as authentic.

-1 on explicit signing and verification of messages. The
infrastructure needed for that is more than the feature warrants.

HTTPS access to the index server is fundamental to pip - if an
attacker can subvert that, they don't need to mess with a message,
they can just replace packages. So I don't see that displaying a
message that's available from that same index server is an additional
vulnerability, surely? But I'm not a security expert - I'd defer to
someone like Donald to comment on the security aspects of any proposal
here.

Paul
___
Distutils-SIG maillist  -  Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig

[Distutils] Summary of PyPI overhaul in new LWN article

[Sumana Harihareswara]

Today, LWN published my new article "A new package index for Python".
https://lwn.net/Articles/751458/ In it, I discuss security, policy, UX
and developer experience changes in the 15+ years since PyPI's founding,
new features (and deprecated old features) in Warehouse, and future
plans. Plus: screenshots!

If you aren't already an LWN subscriber, you can use this subscriber
link for the next week to read the article despite the LWN paywall.
https://lwn.net/SubscriberLink/751458/81b2759e7025d6b9/

This summary should help occasional Python programmers -- and frequent
Pythonists who don't follow packaging/distro discussions closely --
understand why a new application is necessary, what's new, what features
are going away, and what to expect in the near future. I also hope it
catches the attention of downstreams that ought to migrate.

-- 
Sumana Harihareswara
Warehouse project manager
Changeset Consulting
https://changeset.nyc
___
Distutils-SIG maillist  -  Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig