Remove the Safety scanner from the pre-commit hooks and GitHub action (…

…#33)

.github/workflows/tox.yml

@@ -30,7 +30,6 @@ jobs:
       - name: Install dependencies
         run: poetry install -v
       - name: Upgrade embedded tools within virtualenv
-        # Safety will alert on these even though they aren't technically dependencies
         run: poetry run pip install --upgrade pip setuptools wheel
       - name: Run Tox test suite
         run: poetry run tox -c .toxrc -e "checks,coverage"

.pre-commit-config.yaml

@@ -35,13 +35,6 @@ repos:
         entry: poetry run isort .
         pass_filenames: false
         language: system
-  - repo: local
-    hooks:
-      - id: system
-        name: Safety
-        entry: poetry run safety check
-        pass_filenames: false
-        language: system
   - repo: local
     hooks:
       - id: system

.tabignore

@@ -1,4 +1,6 @@
 Changelog
 notes/reward.xlsx
+notes/safety/license.png
+notes/safety/usage.png
 docs/Makefile
 docs/make.bat

Changelog

@@ -1,3 +1,7 @@
+Version 0.1.35     unreleased
+
+	* Remove the Safety scanner from the pre-commit hooks and GitHub action.
+
 Version 0.1.34     14 Nov 2021
 
 	* Adjust dependencies and build process to support Python 3.10.

DEVELOPER.md

@@ -19,7 +19,11 @@ library for screen drawing.
 
 This project uses [Poetry](https://python-poetry.org/) to manage Python packaging and dependencies.  Most day-to-day tasks (such as running unit tests from the command line) are orchestrated through Poetry.  
 
-A coding standard is enforced using [Black](https://github.com/psf/black), [isort](https://pypi.org/project/isort/) and [Pylint](https://www.pylint.org/).  Python 3 type hinting is validated using [MyPy](https://pypi.org/project/mypy/).  To reduce boilerplate, classes are defined using [Attrs](https://www.attrs.org/) (see this [rationale](https://glyph.twistedmatrix.com/2016/08/attrs.html)).  Additional code security standards are enforced [Safety](https://github.com/pyupio/safety).
+A coding standard is enforced using [Black](https://github.com/psf/black), [isort](https://pypi.org/project/isort/) and [Pylint](https://www.pylint.org/).  Python 3 type hinting is validated using [MyPy](https://pypi.org/project/mypy/).  To reduce boilerplate, classes are defined using [Attrs](https://www.attrs.org/) (see this [rationale](https://glyph.twistedmatrix.com/2016/08/attrs.html)).  
+
+## Vulnerability Scanning
+
+Previously, I used the Safety scanner as part of my pre-commit hooks and GitHub actions, to identify vulnerabilities in Python dependencies.  This functionality was removed in [PR #33](https://github.com/pronovic/apologies/pull/33).  Even though Safety is distributed under the liberal [MIT license](notes/safety/license.png), and the PyPI package page [documents that Safety can be used in this manner](notes/safety/usage.png), the PyUp organization behind Safety now claims that this usage is not allowed.  (See this [bizarre email thread](notes/safety/email.md) — it has some hallmarks of a phishing email, but appears to be legitimate.)  Despite my repeated attempts to clarify what I was doing wrong, PyUp's representative never offered any specifics.  Given PyUp's unfriendly behavior, I recommend that you avoid using Safety and rely instead on other tools, such as GitHub's own Dependabot service.
 
 ## Continuous Integration (CI)
 
@@ -362,22 +366,6 @@ source ~/.bash_profile
 |Make console active on message in stderr|_Checked_|
 |Output filters|`$FILE_PATH$:$LINE$:$COLUMN.*`|
 
-##### Run Safety Checks
-
-|Field|Value|
-|-----|-----|
-|Name|`Run Safety Checks`|
-|Description|`Run the Safety code checks`|
-|Group|`Developer Tools`|
-|Program|`$ProjectFileDir$/run`|
-|Arguments|`safety`|
-|Working directory|`$ProjectFileDir$`|
-|Synchronize files after execution|_Checked_|
-|Open console for tool outout|_Checked_|
-|Make console active on message in stdout|_Unchecked_|
-|Make console active on message in stderr|_Unchecked_|
-|Output filters|_Empty_|
-
 #### Windows
 
 On Windows, PyCharm has problems invoking the `run` script, even via the Git
@@ -432,22 +420,6 @@ can be used instead.
 |Make console active on message in stderr|_Checked_|
 |Output filters|`$FILE_PATH$:$LINE$:$COLUMN.*`|
 
-##### Run Safety Checks
-
-|Field|Value|
-|-----|-----|
-|Name|`Run Safety Checks`|
-|Description|`Run the Safety code checks`|
-|Group|`Developer Tools`|
-|Program|`powershell.exe`|
-|Arguments|`-executionpolicy bypass -File utils\tools.ps1 safety`|
-|Working directory|`$ProjectFileDir$`|
-|Synchronize files after execution|_Checked_|
-|Open console for tool outout|_Checked_|
-|Make console active on message in stdout|_Unchecked_|
-|Make console active on message in stderr|_Unchecked_|
-|Output filters|_Empty_|
-
 ## Release Process
 
 ### Documentation

docs/requirements.txt

@@ -3,7 +3,7 @@ astroid==2.8.5; python_version >= "3.6" and python_version < "4.0"
 atomicwrites==1.4.0; python_version >= "3.6" and python_full_version < "3.0.0" and sys_platform == "win32" or sys_platform == "win32" and python_version >= "3.6" and python_full_version >= "3.4.0"
 attrs==21.2.0; (python_version >= "2.7" and python_full_version < "3.0.0") or (python_full_version >= "3.5.0")
 babel==2.9.1; python_version >= "3.6" and python_full_version < "3.0.0" or python_full_version >= "3.4.0" and python_version >= "3.6"
-backports.entry-points-selectable==1.1.1; python_version >= "2.7" and python_full_version < "3.0.0" or python_full_version >= "3.5.0" and python_version >= "2.7"
+backports.entry-points-selectable==1.1.1; python_version >= "2.7" and python_full_version >= "3.6.1"
 black==21.10b0; python_full_version >= "3.6.2"
 cattrs==1.8.0; python_version >= "3.7" and python_version < "4.0"
 certifi==2021.10.8; python_version >= "3.6" and python_full_version < "3.0.0" or python_full_version >= "3.6.0" and python_version >= "3.6"
@@ -13,15 +13,14 @@ click==8.0.3; python_version >= "3.6" and python_full_version >= "3.6.2"
 colorama==0.4.4; sys_platform == "win32" and python_version >= "3.6" and python_full_version >= "3.6.2" and platform_system == "Windows" and python_version < "4.0" and (python_version >= "3.6" and python_full_version < "3.0.0" and sys_platform == "win32" or sys_platform == "win32" and python_version >= "3.6" and python_full_version >= "3.5.0")
 coverage==6.1.2; python_version >= "3.6"
 coveralls==3.3.1; python_version >= "3.5"
-distlib==0.3.3; python_version >= "2.7" and python_full_version < "3.0.0" or python_full_version >= "3.5.0"
+distlib==0.3.3; python_full_version >= "3.6.1"
 docopt==0.6.2; python_version >= "3.5"
 docutils==0.17.1; python_version >= "3.6" and python_full_version < "3.0.0" or python_full_version >= "3.5.0" and python_version >= "3.6"
-dparse==0.5.1; python_version >= "3.5"
-filelock==3.3.2; python_version >= "3.6" and python_full_version < "3.0.0" or python_full_version >= "3.5.0" and python_version >= "3.6"
+filelock==3.3.2; python_full_version >= "3.6.1" and python_version >= "3.6"
 identify==2.3.5; python_full_version >= "3.6.1"
 idna==3.3; python_version >= "3.6" and python_full_version < "3.0.0" or python_full_version >= "3.6.0" and python_version >= "3.6"
 imagesize==1.3.0; python_version >= "3.6" and python_full_version < "3.0.0" or python_full_version >= "3.4.0" and python_version >= "3.6"
-importlib-metadata==4.8.2; python_version < "3.8" and python_version >= "3.6" and (python_version >= "3.6" and python_full_version < "3.0.0" and python_version < "3.8" or python_full_version >= "3.5.0" and python_version < "3.8" and python_version >= "3.6") and python_full_version >= "3.6.2"
+importlib-metadata==4.8.2; python_version < "3.8" and python_version >= "3.6" and (python_version >= "3.6" and python_full_version < "3.0.0" and python_version < "3.8" or python_full_version >= "3.5.0" and python_version < "3.8" and python_version >= "3.6") and python_full_version >= "3.6.2" and (python_version >= "3.6" and python_full_version < "3.0.0" or python_full_version >= "3.5.0" and python_version >= "3.6")
 iniconfig==1.1.1; python_version >= "3.6"
 isort==5.10.1; python_full_version >= "3.6.1" and python_version < "4.0"
 jinja2==3.0.3; python_version >= "3.6"
@@ -34,13 +33,13 @@ nodeenv==1.6.0; python_full_version >= "3.6.1"
 packaging==21.2; python_version >= "3.6" and python_full_version < "3.0.0" or python_full_version >= "3.5.0" and python_version >= "3.6"
 pathspec==0.9.0; python_full_version >= "3.6.2"
 pendulum==2.1.2; (python_version >= "2.7" and python_full_version < "3.0.0") or (python_full_version >= "3.5.0")
-platformdirs==2.4.0; python_version >= "3.6" and python_version < "4.0" and python_full_version >= "3.6.2" and (python_version >= "3.6" and python_full_version < "3.0.0" or python_full_version >= "3.5.0" and python_version >= "3.6")
+platformdirs==2.4.0; python_version >= "3.6" and python_version < "4.0" and python_full_version >= "3.6.2"
 pluggy==1.0.0; python_version >= "3.6" and python_full_version < "3.0.0" or python_full_version >= "3.5.0" and python_version >= "3.6"
 pre-commit==2.15.0; python_full_version >= "3.6.1"
 py==1.11.0; python_version >= "3.6" and python_full_version < "3.0.0" or python_full_version >= "3.5.0" and python_version >= "3.6"
 pygments==2.10.0; python_version >= "3.6"
 pylint==2.11.1; python_version >= "3.6" and python_version < "4.0"
-pyparsing==2.4.7; python_version >= "3.6" and python_full_version < "3.0.0" or python_full_version >= "3.3.0" and python_version >= "3.6"
+pyparsing==2.4.7; python_version >= "3.6" and python_full_version < "3.0.0" or python_full_version >= "3.5.0" and python_version >= "3.6"
 pytest-testdox==2.0.1; python_version >= "3.5"
 pytest==6.2.5; python_version >= "3.6"
 python-dateutil==2.8.2; python_version >= "2.7" and python_full_version < "3.0.0" or python_full_version >= "3.5.0"
@@ -49,8 +48,7 @@ pytzdata==2020.1; python_version >= "2.7" and python_full_version < "3.0.0" or p
 pyyaml==6.0; python_version >= "3.6" and python_full_version >= "3.6.1"
 regex==2021.11.10; python_full_version >= "3.6.2"
 requests==2.26.0; python_version >= "3.6" and python_full_version < "3.0.0" or python_full_version >= "3.6.0" and python_version >= "3.6"
-safety==1.10.3; python_version >= "3.5"
-six==1.16.0; python_version >= "2.7" and python_full_version < "3.0.0" or python_full_version >= "3.5.0"
+six==1.16.0; python_full_version >= "3.6.1"
 snowballstemmer==2.1.0; python_version >= "3.6"
 sphinx-autoapi==1.8.4; python_version >= "3.6"
 sphinx==4.3.0; python_version >= "3.6"
@@ -69,4 +67,4 @@ unidecode==1.3.2; python_version >= "3.6"
 urllib3==1.26.7; python_version >= "3.6" and python_full_version < "3.0.0" or python_full_version >= "3.6.0" and python_version < "4" and python_version >= "3.6"
 virtualenv==20.10.0; python_full_version >= "3.6.1"
 wrapt==1.13.3; python_version >= "3.6" and python_full_version < "3.0.0" and python_version < "4.0" or python_version >= "3.6" and python_version < "4.0" and python_full_version >= "3.5.0"
-zipp==3.6.0; python_version < "3.8" and python_version >= "3.6"
+zipp==3.6.0; python_version < "3.8" and python_version >= "3.6" and (python_version >= "3.6" and python_full_version < "3.0.0" and python_version < "3.8" or python_full_version >= "3.5.0" and python_version < "3.8" and python_version >= "3.6") and python_full_version >= "3.6.1"

notes/safety/email.md

@@ -0,0 +1,120 @@
+# Safety Vulnerability Scanner
+
+## Vulnerability Scanning
+
+Previously, I used the Safety scanner as part of my pre-commit hooks and GitHub actions, to identify vulnerabilities in Python dependencies.  This functionality was removed in [PR #33](https://github.com/pronovic/apologies/pull/33).  Even though Safety is distributed under the liberal [MIT license](license.png), and the PyPI package page [documents that Safety can be used in this manner](usage.png), the PyUp organization behind Safety now claims that this usage is not allowed.  (See the bizarre email thread captured below — it has some hallmarks of a phishing email, but appears to be legitimate.)  Despite my repeated attempts to clarify what I was doing wrong, PyUp's representative never offered any specifics.
+
+## PyUp Email
+
+```
+From: Tristan Laurillard <tristan@pyup.io>
+Date: Thu, Nov 25, 2021 at 4:50 PM
+Subject: Using Safety in your GitHub projects
+
+Hi Kenneth,
+
+My name is Tristan Laurillard, I work for PyUp.
+
+I see on Github that you are utilizing PyUp Safety in some of your projects.
+Although we are always grateful to see that people find our service useful, I
+am sorry to inform you of some unfortunate news…
+
+Our free service can not be used for commercial or closed-source purposes. We
+are in the process of making various changes to enforce this, and, regrettably,
+need to ask you to stop integrating our service with your projects because they
+do allow commercial use.
+
+Even if your projects did not allow any commercial use, we still would ask you
+to remove the code that queries our database as there are too many commercial
+teams that ignore such license limitations.
+
+Would you please write me back once you have removed PyUp Safety from your
+projects?
+
+Greetings from Salt Spring Island,
+
+Tristan Laurillard
+Operations Manager
+PyUp.io
+
+----
+
+From: Kenneth Pronovici
+Date: Thu, Nov 25, 2021 at 6:07 PM
+Subject: Re: Using Safety in your GitHub projects
+To: Tristan Laurillard <tristan@pyup.io>
+
+I don't think I understand. All of my code distributed at github.com/pronovic
+is open source, under either GPL v2 (in one case) or Apache 2.0, and all of my
+repos are public.  I'm the sole copyright owner in most cases, and certainly
+there is no business that has any part in maintaining this code. What
+commercial use are you referring to, specifically?
+
+----
+
+From: Tristan Laurillard <tristan@pyup.io>
+Date: Fri, Nov 26, 2021 at 12:55 PM
+Subject: Re: Using Safety in your GitHub projects
+To: <pronovic.com>
+
+Hello,
+
+Even if your code does not allow commercial use, we still do not want others to
+pass on our service.
+
+Here is where I looked:
+uci-parse / LICENSE
+apologies / LICENSE
+cedar-backup3 / LICENSE
+
+All three say:
+
+Permissions
+✔ Commercial use
+
+Tristan
+
+----
+
+From: Kenneth Pronovici
+Date: Fri, Nov 26, 2021 at 2:33 PM
+Subject: Re: Using Safety in your GitHub projects
+To: Tristan Laurillard <tristan@pyup.io>
+
+Of course those licenses say that commercial use is allowed.  That's the entire
+point of an open source license - anyone can use the code regardless of their
+field of endeavor.  Any license that does discriminate against a specific field
+of endeavor (like making a distinction between commercial vs. non-commercial
+use of a Python library) is not open source, by definition.
+
+I use Safety as a build time dependency (to run checks as part of my pre-commit
+hooks and in my GitHub action), and it's not used or exposed at all to anything
+that uses my code as a dependency or a command line tool.  The only time Safety
+would ever be used is if someone clones the repo and tries to run the test
+suite, or when they submit a PR and the GitHub action runs.  Technically, the
+dependency is referenced (but not used) by readthedocs.io because of the
+doc-specific requirements.txt file they need for their build process.  So, I
+can't see how I could possibly be passing on your service to others in a legal
+sense.  
+
+What, specifically, is wrong with this usage of Safety?
+
+----
+
+From: Tristan Laurillard <tristan@pyup.io>
+Date: Fri, Nov 26, 2021 at 3:40 PM
+Subject: Re: Using Safety in your GitHub projects
+
+Hi Kenneth,
+
+I too wish there would be the option to look for wiggle room or to discuss the
+nuances, but unfortunately there is no way around the policy of our company. We
+really must ask you to stop using Safety inside your GitHub code.
+
+We allow the usage of Safety in some scenarios but not in others. The way you
+are using Safety is ― I am very sorry ― just not allowed.
+
+Tristan Laurillard
+Operations Manager
+PyUp.io
+```

pyproject.toml

@@ -39,7 +39,6 @@ black = "^21.10b0"
 mypy = "^0.910"
 isort = "^5.10.0"
 sphinx-autoapi = "^1.8.4"
-safety = "^1.10.3"
 coveralls = "^3.3.1"
 
 [tool.black]