Re: [Bug 262906] net-mgmt/py-pysnmp: abandoned source used

From: John W. O'Brien <john_freebsd-python_at_radioprosciutto.org>
Date: Thu, 20 Jul 2023 12:02:23 UTC

On 7/20/23 00:32, Charlie Li wrote:
> John W. O'Brien wrote:
>> For net-mgmt/py-pysmi, I also had to patch pyproject.toml [2] to match 
>> the port name [3].
>>
>> [2] https://github.com/lextudio/pysnmp/blob/v5.0.28/pyproject.toml#L2
>> [3] https://cgit.freebsd.org/ports/diff/net-mgmt/py-pysmi/files/patch-pyproject.toml?id=718622a56caf647e137c7896197e0d6b17dedddb
> Please don't do that unless you are performing name normalisation [0]. 
> While this case involves the unfortunate death of the original author 
> and maintainer, changing the metadata in this manner is still a lapse in 
> software supply chain security/integrity, considering the wider Python 
> package ecosystem's (most visibly in PyPI) chequered history in this area.
> 
> [0] https://packaging.python.org/en/latest/specifications/name-normalization/
> 

How would you have us handle this instead?
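
Added example, not part of this thread and not code from FreeBSD ports or PyPA: a check that reads a patch-pyproject.toml style diff and reports whether its `name` change is only a normalisation under the specification linked at [0] above. The package names and diffs are constructed samples, and `audit_name_patch` is a hypothetical helper name.

```python
import re

# Constructed sample patches (NOT the actual FreeBSD port patch).
RENAME_PATCH = '''\
--- pyproject.toml.orig
+++ pyproject.toml
@@ -1,3 +1,3 @@
 [tool.poetry]
-name = "example-snmp-fork"
+name = "example-snmp"
 version = "1.0.0"
'''
NORMALISE_PATCH = RENAME_PATCH.replace("example-snmp-fork", "Example_SNMP")

# Matches removed/added `name = "..."` lines in a unified diff.
# Limitation: any TOML table's `name` key matches, not only the project's.
NAME_LINE = re.compile(r'^([+-])\s*name\s*=\s*["\']([^"\']+)["\']\s*$')


def normalise(name):
    """Name normalisation as given in the PyPA specification."""
    return re.sub(r"[-_.]+", "-", name).lower()


def audit_name_patch(diff_text):
    """Return (old, new, verdict) for a diff that may touch `name = ...`."""
    old = new = None
    for line in diff_text.splitlines():
        if line.startswith(("---", "+++")):
            continue  # file headers, not content lines
        m = NAME_LINE.match(line)
        if m and m.group(1) == "-":
            old = m.group(2)
        elif m:
            new = m.group(2)
    if old is None and new is None:
        return (None, None, "no-name-change")
    if old is None or new is None:
        return (old, new, "name-added-or-removed")
    if normalise(old) == normalise(new):
        return (old, new, "normalisation-only")
    # Distribution identity differs from what upstream published.
    return (old, new, "identity-changed")


if __name__ == "__main__":
    for patch in (RENAME_PATCH, NORMALISE_PATCH):
        print(audit_name_patch(patch))
```
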