Hey,
On Fri, Jun 26, 2026 at 03:45:13PM +0200, [email protected] wrote:
> here's a quick ('n'dirty?) port for
> https://bandit.readthedocs.io/en/latest/ and its dependency
> https://opendev.org/openstack/stevedore, i've used it on some python
> codebases and it nicely flags potential security issues in the code.
>
> oks/tests/improvements ?
I tweaked devel/py-stevedore/pkg/DESCR a little bit (remove a stray '_',
add an empty line between the two paragraphs and run it through fmt).
The new file is attached, feel free to use it if you want.
The indenting of RUN_DEPENDS and TEST_DEPENDS in the bandit Makefile
looks a bit funny, can you fix that?
make test works fine for the stevedore port, even though there's the
"# missing stestr ?" comment in the Makefile.
https://pypi.org/project/stestr/ suggests that stestr is a tool that can
be used to execute the tests, but apparently the tests also run without?
In that case I guess the comment can be removed.
In the case of bandit, 3 tests fail because of some missing Python
modules (git, bs4 and sarif_om). Installing py3-beautifulsoup4 solves
the middle one, I'm not sure how to fix the other two.
Besides that it looks good to me and it works well.
Caspar
Python makes loading code dynamically easy, allowing you to configure
and extend your application by discovering and loading extensions
("*plugins*") at runtime. Many applications implement their own
library for doing this, using ``__import__`` or ``importlib``.

stevedore avoids creating yet another extension mechanism by building
on top of `setuptools entry points`. The code for managing entry
points tends to be repetitive, though, so stevedore provides manager
classes for implementing common patterns for using dynamically
loaded extensions.
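To make the DESCR text concrete, here is an added example (not stevedore's code, and not part of the port) of the pattern it describes: a small manager class built on entry points, using only the standard library. The plugin module `demo_plugins`, the namespace `demo.formatters` and the three `EntryPoint` objects are constructed in the block so it runs offline; a real application would get the entry points from installed distributions. The manager loads only the names the application asks for and records, rather than propagates, a plugin that fails to import, which is the behaviour a security reviewer wants from any dynamic-loading code.

```python
"""Minimal stand-in for the entry-point manager pattern stevedore provides.

Added example, not stevedore's own code. It shows what a "manager class"
built on setuptools/importlib entry points does. The plugin module, the
entry points and the namespace are constructed in-line so it runs offline.
"""
import sys
import types
from importlib.metadata import EntryPoint, entry_points

# Constructed plugin module, registered in sys.modules so EntryPoint.load()
# imports it the same way it would import a module from an installed package.
_plugins = types.ModuleType("demo_plugins")


class UpperFormatter:
    def format(self, text):
        return text.upper()


class ReverseFormatter:
    def format(self, text):
        return text[::-1]


_plugins.UpperFormatter = UpperFormatter
_plugins.ReverseFormatter = ReverseFormatter
sys.modules["demo_plugins"] = _plugins

NAMESPACE = "demo.formatters"  # constructed entry-point group name

# Constructed entry points, standing in for what setuptools writes into an
# installed distribution's entry_points.txt. "broken" points at a module
# that does not exist, to exercise the failure path.
DEMO_ENTRY_POINTS = [
    EntryPoint(name="upper", value="demo_plugins:UpperFormatter", group=NAMESPACE),
    EntryPoint(name="reverse", value="demo_plugins:ReverseFormatter", group=NAMESPACE),
    EntryPoint(name="broken", value="no_such_module:Missing", group=NAMESPACE),
]


def discover(namespace, extra=()):
    """Return entry points in ``namespace``: installed ones plus ``extra``."""
    eps = entry_points()
    if hasattr(eps, "select"):          # Python 3.10+ returns a selectable object
        installed = list(eps.select(group=namespace))
    else:                               # Python 3.8/3.9 returns a plain dict
        installed = list(eps.get(namespace, []))
    return installed + [ep for ep in extra if ep.group == namespace]


class NamedExtensionManager:
    """Load only the extensions named in ``names`` from ``namespace``.

    The set of loadable extensions is fixed by the application, not by
    whatever happens to be installed, and one failing plugin does not take
    the application down; the failure is recorded and optionally reported.
    """

    def __init__(self, namespace, names, extra_entry_points=(), on_load_failure=None):
        self.extensions = {}
        self.failures = {}
        wanted = set(names)
        for ep in discover(namespace, extra_entry_points):
            if ep.name not in wanted:
                continue                # not requested: never imported
            try:
                self.extensions[ep.name] = ep.load()()
            except Exception as exc:    # ImportError, AttributeError, plugin __init__ errors
                self.failures[ep.name] = exc
                if on_load_failure:
                    on_load_failure(ep, exc)

    def map(self, func, *args):
        """Call ``func(extension, *args)`` for every loaded extension."""
        return {name: func(ext, *args) for name, ext in self.extensions.items()}


def run_demo():
    """Request "upper" and "broken"; "reverse" is present but not requested."""
    return NamedExtensionManager(
        NAMESPACE,
        names=["upper", "broken"],
        extra_entry_points=DEMO_ENTRY_POINTS,
    )


if __name__ == "__main__":
    mgr = run_demo()
    print(sorted(mgr.extensions))                           # ['upper']
    print({k: type(v).__name__ for k, v in mgr.failures.items()})
    print(mgr.map(lambda ext, t: ext.format(t), "hello"))   # {'upper': 'HELLO'}
```

The constructed entry points are passed in explicitly only so the example is self-contained; with a real package installed into the same namespace, `discover()` picks its entry points up through `importlib.metadata` with no further changes.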