Please don't use setup.py (and some other dependency-related thoughts) #894
Labels: `type:improvement` (Small improvement of existing feature), `zone:environment` (Tasks related to development environment or production environment setup)

Feature category: Dependency management.
Problem description

Using `setup.py` should generally be avoided if there are some declarative options. For this project, I see numerous alternatives. https://github.com/CERT-Polska/mwdb-core/blob/16bbb2cf15f7401391602376d85aa0f6c5f3eabc/setup.py can be easily rewritten entirely into a `pyproject.toml` file that follows the packaging guide strongly recommended by PyPA.

Moreover, `setup.py` is known for posing some serious security concerns, such as the ones covered in this pretty interesting "TOP 8 Malicious Attacks Recently Found on PyPI" article. Many of those attacks are simply based on that simple mechanism of `setup.py` running arbitrary code on the user's end. This might be concerning especially nowadays, when some people use ChatGPT and similar chatbots to write code for them, but those make up library names that can later on become malware (Mateusz Chrobok had a good take on that).
Some projects do have a reason to run some code that is needed to completely build the project, like in pandas, or to navigate a user better to improve the DX, like in Django, but it's not like that in this case.
The current `requirements.txt` file doesn't allow security updates. Considering the fact that most of these packages seem to follow the SemVer convention, it would be nice to allow the latest PATCH versions (excluding those dependencies that don't follow SemVer—are there any?).
The solution I'd like

While jumping between branches, I saw this branch https://github.com/CERT-Polska/mwdb-core/tree/use-poetry with commits from @psrok1. Poetry's `pyproject.toml` does not yet conform to PEP 621, but this seems to be currently worked on. What is the status of that initiative of migrating to Poetry?

Also considerable

Simply migrating to a declarative, `pyproject.toml`-based dependency specification, and using `setuptools_scm`, `hatch` or really any other suitable backend.