an alternative to setup.py

Question

setup.py has one significant problem:

it can not be parsed securely

This leads to a lot of problems - it can not be securely analysed, reading 100k+ packages from PyPI requires too much overhead, source packages can not be automatically converted to native system formats like Debian and Fedora etc.

So, are there any alternatives for packaging Python source that use static data format (not setup.py) for describing and wrapping their contents? So that a source package is just a .zip file of source checkout, which does not require magic with build steps.

setuptools maybe? http://stackoverflow.com/questions/6344076/differences-between-distribute-distutils-setuptools-and-distutils2 — myaut, May 03 '15 at 06:38
This doesn't directly answer your question, but you can create an rpm with `python setup.py bdist_rpm`. Not deb though. — cdarke, May 03 '15 at 06:38
If you are pulling packages from PyPI without audit you already have a security risk; somebody with a debian keyring needs to decide that it is a trusted package. — Neapolitan, May 16 '16 at 21:08

score 0 · Answer 1 · answered May 03 '15 at 12:59

0

Python wheels are the answer to the problems you describe: http://pythonwheels.com/

However, at the time of writing many projects do not supply wheels (but you can build them yourself.)

answered May 03 '15 at 12:59

wouter bolsterlee

3,879
22
30

an alternative to setup.py

1 Answers1