An example using alpine (it seems some packages sporadically include
the dist-info folders):  There is some more recent info here
https://peps.python.org/pep-0627/

/ # apk add py3-pip
(1/6) Installing py3-six (1.16.0-r3)
(2/6) Installing py3-retrying (1.3.3-r3)
(3/6) Installing py3-parsing (3.0.9-r0)
(4/6) Installing py3-packaging (21.3-r2)
(5/6) Installing py3-setuptools (65.6.0-r0)
(6/6) Installing py3-pip (22.3.1-r1)
Executing busybox-1.35.0-r29.trigger
OK: 82 MiB in 34 packages
/ # pip install pyparsing==3.0.9
Requirement already satisfied: pyparsing==3.0.9 in
/usr/lib/python3.10/site-packages (3.0.9)

In the above example, pip refuses to double-install pyparsing only
because of the dist-info file, however lots of directly pip installed
packages produce egg-info folders instead as a I guess those are
installed from source by pip.  Debian could produce dist-info folders
for those instead.

Just thinking out-loud

Ian

On Sun, 12 Feb 2023 at 08:18, Ian Norton <inor...@gmail.com> wrote:
>
> https://packaging.python.org/en/latest/specifications/recording-installed-packages/
> defines the python spec where a package such as pyparsing would create
> a tree of files under:
> site-packages/pyparsing-3.0.9-dist-info/  including RECORD which is
> essentially a sha256-based manifest of files and some others.
>
> On Sun, 12 Feb 2023 at 08:12, Ian Norton <inor...@gmail.com> wrote:
> >
> > You've made me wonder if it would be feasible to have a debian-centric
> > tool that populates .dist-info from debs?
> >
> > On Sun, 12 Feb 2023 at 08:05, Ian Norton <inor...@gmail.com> wrote:
> > >
> > > I requested this kind of thing from the pip folks as
> > > https://github.com/pypa/pip/issues/11644 and others have requested
> > > similar, such as https://github.com/pypa/pip/issues/11607
> > >
> > > On Sun, 12 Feb 2023 at 04:56, Philippe Cerfon <philc...@gmail.com> wrote:
> > > >
> > > > Hey.
> > > >
> > > > I hope this is not too off topic.
> > > >
> > > > As far as I understand, dh-python, when building packages somehow
> > > > automatically uses the Debian package names and even prevents e.g.
> > > > setuptools from downloading any dependencies by setting a (hopefully
> > > > not running) proxy.
> > > >
> > > >
> > > > I wondered whether it's possible to make tools like pip and setuptools
> > > > directly use the Debian python packages when resolving dependencies.
> > > >
> > > > The main motivation are security constraints, so I had to configure
> > > > pip so that it cannot just download packages from PyPI (which is
> > > > rather easy, simply setting no-index in pip.conf).
> > > >
> > > > But then of course it also fails to e.g. do an editable install of a
> > > > locally developed package, when it tries to resolve the dependencies.
> > > >
> > > > So I wondered whether it's possible to prevent pip from downloading
> > > > any remote stuff, while still resolving dependencies (respectively
> > > > consider them as being resolved) *if* the package is locally installed
> > > > from the Debian archive?
> > > > (If a dependency isn't installed from a package it may of course fail.)
> > > >
> > > >
> > > > Thanks,
> > > > Philippe.
> > > >
> > > > PS: Please keep me CCed.
> > > >

Reply via email to