[Buildroot] [PATCH v3 6/8] package/python-fastapi-sessions: new package

James Hilliard james.hilliard1 at gmail.com
Wed Dec 27 04:07:27 UTC 2023


On Tue, Dec 26, 2023 at 3:26 AM <yann.morin at orange.com> wrote:
>
> James, All,
>
> On 2023-12-25 17:47 -0700, James Hilliard spake thusly:
> > On Mon, Dec 25, 2023 at 1:24 PM Thomas Petazzoni
> > <thomas.petazzoni at bootlin.com> wrote:
> > > On Thu, 14 Dec 2023 09:54:18 -0700
> > > James Hilliard <james.hilliard1 at gmail.com> wrote:
> > > > Signed-off-by: James Hilliard <james.hilliard1 at gmail.com>
> > > I am applying this series, and I have a few questions on this patch.
> > > They won't prevent applying the patch, they are more for my
> > > curiosity/understanding.
> [--SNIP--]
> > > > +     select BR2_PACKAGE_PYTHON_PYDANTIC # runtime
> > > I indeed see pydantic imported in two places:
> [--SNIP--]
> > > However, it's not listed in setup.py or pyproject.toml, even as an
> > > optional dependency. Is this an upstream "bug" ?
> > I see it in setup.py here:
> > https://github.com/jordanisaacs/fastapi-sessions/blob/be4126938011abd709fa18e9d9fc8a54c66a2130/setup.py#L12
>
> So, indeed it is visible in the setup.py that is on GitHub. But what we are
> using is the tarball we retrieve from PyPi [0]. And if you look in that
> tarball, you'll notice a few things:
>
>  1. pydantic is indeed neither in setup.py nor in pyproject.toml, as
>     they are in the archive on PyPi;
>
>  2. the setup.py from PyPi differs from the one on GitHub;

Hmm, yeah, I'm guessing the setup.py on pypi was autogenerated by poetry
and replaced the setup.py on github.

>
> Also, looking at the GitHub repository:
>
>  3. the project has no tag for 0.3.2, even though the commit
>     be4126938011 (update version) from 2021-09-11 seems to match, both
>     in date and content;
>
>  4. the only commit since then was to mark the project unmaintained
>     as of 2022-01-27;
>
>  5. the repository has been marked "archived" on GitHub as of
>     2023-12-06, as noted on the top banner on the GitHub browser for the
>     project: https://github.com/jordanisaacs/fastapi-sessions
>         This repository has been archived by the owner on Dec 6, 2023.
>         It is now read-only.
>
> So, it means that we now use a project that is unmaintained, and has a
> discrepancy between what is available on GitHub vs. what is published on
> PyPi.
>
> Is there a newer upstream location, or someone who actually forked the
> project and maintains it elsewhere?

I've not come across one yet; it was only recently archived and still seems
to work fine, so probably there just hasn't been much incentive for a fork yet.

>
> If not, is it really interesting for Buildroot to have just added a new
> package that is known to be mothballed, and for which we will never see
> any fix (security or otherwise), and which has no users in Buildroot?

I added it since I have a project pulling it in as a dependency; I'll try and
keep an eye out for a replacement and remove/replace it once no longer
used.

>
> [0] this is one of the reasons I do not like that we use archives
>     published on PyPi, and I think we should instead be using the
>     packages from the true, official source: as we can see above, we
>     have no guarantee that what is on PyPi is indeed what we can see
>     on the public forge, and it can cause quite some grievance when
>     debugging issues, as this package nicely demonstrates.

Well... Python's normal dependency management tools pull from pypi, so
those are typically the versions that are actually expected by dependent
packages.

There are also projects that would be quite difficult to build from the github
sources due to having to generate sources and such using non-standard
tooling in order to build the pypi sdist releases.

For example building python-selenium from the github sources would
require us to add support for the bazel build system due to it making use
of bazel for generating various source files that get added to the sdist.

>
> Regards,
> Yann E. MORIN.
>
> --
>                                         ____________
> .-----------------.--------------------:       _    :------------------.
> |  Yann E. MORIN  | Real-Time Embedded |    __/ )   | /"\ ASCII RIBBON |
> |                 | Software  Designer |  _/ - /'   | \ / CAMPAIGN     |
> | +33 638.411.245 '--------------------: (_    `--, |  X  AGAINST      |
> | yann.morin (at) orange.com           |_="    ,--' | / \ HTML MAIL    |
> '--------------------------------------:______/_____:------------------'
>