Re: [Bug 262906] net-mgmt/py-pysnmp: abandonned source used

Reply: Charlie Li : "Re: [Bug 262906] net-mgmt/py-pysnmp: abandonned source used"
In reply to: Alastair Hogge : "Re: [Bug 262906] net-mgmt/py-pysnmp: abandonned source used"
Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: John W. O'Brien <john_freebsd-python_at_radioprosciutto.org>
Date: Thu, 20 Jul 2023 14:02:39 UTC

On 7/20/23 09:30, Alastair Hogge wrote:
> On 2023-07-20 20:02, John W. O'Brien wrote:
>> On 7/20/23 00:32, Charlie Li wrote:
>>> John W. O'Brien wrote:
>>>> For net-mgmt/py-pysmi, I also had to patch pyproject.toml [2] to match the port name [3].
>>>>
>>>> [2] https://github.com/lextudio/pysnmp/blob/v5.0.28/pyproject.toml#L2
>>>> [3] https://cgit.freebsd.org/ports/diff/net-mgmt/py-pysmi/files/patch-pyproject.toml?id=718622a56caf647e137c7896197e0d6b17dedddb
>>> Please don't do that unless you are performing name normalisation [0]. While this case involves the unfortunate death of the original author and maintainer, changing the metadata in this manner is still a lapse in software supply chain security/integrity, considering the wider Python package ecosystem's (most visibly in PyPI) chequered history in this area.
>>>
>>> [0] https://packaging.python.org/en/latest/specifications/name-normalization/
>>>
>>
>> How would you have us handle this instead?
> 
> 
> Ah you may have missed the update[1] to the bug report. I have not yet
> had a chance to start on a patch.
> 
> 1: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=262906#c9

Do we expect that Lextudio's PEP 541 request to take over the PyPI 
package names is going to be denied? If not, it means we expect the 
upstream source names to change to match the current port names, and 
renaming now will require renaming again later. I struggle to see how 
incurring that churn serves the interests of "software supply chain 
security/integrity" at all. The decision to use the Lextudio source or 
not is the consequential one.