On Fri, May 24, 2013 at 09:55 -0400, Donald Stufft wrote:
> On May 24, 2013, at 9:54 AM, holger krekel <[email protected]> wrote:
>
> > On Fri, May 24, 2013 at 07:20 -0400, Donald Stufft wrote:
> >> On May 24, 2013, at 7:17 AM, Vinay Sajip <[email protected]> wrote:
> >>
> >>>> From: holger krekel <[email protected]>
> >>>
> >>>> Nice. How do you actually get at the dependencies? Don't you
> >>>> need to execute setup.py for that?
> >>>
> >>> Yes, that's how it's done. However, the idea is to do it once per
> >>> uploaded release and remember the results, so an installer tool like pip
> >>> doesn't have to download and run setup.py every time :-)
> >>
> >> So what you're saying is I can root your machine with a setup.py? ;)
> >
> > That's the immediate risk, indeed :) However, I guess one could use a VM
> > with a chroot and a dedicated user and timeout the setup after 20 seconds
> > or so to regain some safety. It's a bit horrible but OTOH I'd really
> > like to have this information (especially the deps) without requiring
> > everybody to switch to a new packaging format first.
> >
> > holger
>
> Most packages also have an egg-info inside of them you can parse.
>
> Of course the issue is that you're only going to get the requirements of the
> system that ran setup.py, either the author's or the server's. Which doesn't
> accurately represent all of the dependencies all of the time.
True, but maybe it would go a long way for most packages. I need dep information
mostly for finding out in which dep configuration a package's tests ran
successfully. I guess just installing it into a fresh env and "pip freeze" it
with some platform info might more directly suit my needs.

best,
holger

> -----------------
> Donald Stufft
> PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
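The thread contrasts two ways of learning a package's dependencies: running setup.py (which means executing untrusted code, hence the VM/chroot/timeout discussion) and parsing the egg-info that most sdists already ship. The following is an added example, not code from any of the posters, showing the static route: it locates `<pkg>.egg-info/requires.txt` inside a `.tar.gz` sdist and parses its sections without extracting anything to disk or importing setup.py. The sample archive is constructed in memory; the package name `sample`, its requirements, and the helper names are all illustrative.

```python
"""Read dependency metadata from an sdist without executing its setup.py.

Added example for this thread (not code from any poster). It parses the
``*.egg-info/requires.txt`` that setuptools writes into a source distribution.
The archive built by build_sample_sdist() is constructed sample data.
"""
import io
import re
import tarfile
from typing import List, NamedTuple, Optional


class Requirement(NamedTuple):
    spec: str              # e.g. "requests>=2.0"
    extra: Optional[str]   # None for unconditional requirements
    marker: Optional[str]  # environment marker from an "[extra:marker]" section


# Section headers look like "[extra]", "[:marker]" or "[extra:marker]".
_SECTION = re.compile(r"^\[(?P<extra>[^:\]]*)(?::(?P<marker>[^\]]+))?\]$")


def parse_requires_txt(text: str) -> List[Requirement]:
    """Parse requires.txt: one requirement per line, grouped by optional sections."""
    extra: Optional[str] = None
    marker: Optional[str] = None
    found: List[Requirement] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # setuptools skips blank/comment lines
            continue
        m = _SECTION.match(line)
        if m:
            extra = m.group("extra") or None   # "[:marker]" has an empty extra
            marker = m.group("marker")
            continue
        found.append(Requirement(line, extra, marker))
    return found


def requires_from_sdist(data: bytes) -> List[Requirement]:
    """Locate <pkg>.egg-info/requires.txt inside a .tar.gz sdist and parse it.

    Only the archive bytes are read in memory; nothing is written to disk and
    setup.py is never executed, so a hostile sdist gets no code execution here.
    """
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile() and member.name.endswith(".egg-info/requires.txt"):
                fh = tar.extractfile(member)
                if fh is not None:
                    return parse_requires_txt(fh.read().decode("utf-8"))
    return []  # no egg-info shipped: caller must fall back to another strategy


def unconditional_specs(reqs: List[Requirement]) -> List[str]:
    """Requirements every installation needs, regardless of extras or markers."""
    return [r.spec for r in reqs if r.extra is None and r.marker is None]


def build_sample_sdist() -> bytes:
    """Construct a minimal sdist in memory (sample data, not a real package)."""
    requires = (
        "requests>=2.0\n"
        "six\n"
        "\n"
        "[security]\n"
        "pyOpenSSL>=0.13\n"
        "\n"
        '[:python_version<"3.3"]\n'
        "ipaddress\n"
    )
    files = [
        ("sample-1.0/setup.py", "# pip would run this file; the parser above never does\n"),
        ("sample-1.0/sample.egg-info/requires.txt", requires),
    ]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, body in files:
            payload = body.encode("utf-8")
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    for req in requires_from_sdist(build_sample_sdist()):
        print(req)
```

As Donald notes in the thread, what this recovers is whatever `setup.py` computed on the machine that built the sdist, so conditional dependencies that were resolved there are already baked in; the `[:marker]` sections are the only platform variation the file itself preserves. It is still a useful first pass because the parse cannot be turned against the indexing host, which is the property the VM-and-timeout approach has to work hard to recover.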
