John W. O'Brien wrote:
> For net-mgmt/py-pysmi, I also had to patch pyproject.toml [2] to match the port name [3].
>
> [2] https://github.com/lextudio/pysnmp/blob/v5.0.28/pyproject.toml#L2
> [3] https://cgit.freebsd.org/ports/diff/net-mgmt/py-pysmi/files/patch-pyproject.toml?id=718622a56caf647e137c7896197e0d6b17dedddb

Please don't do that unless you are performing name normalisation [0]. While this case involves the unfortunate death of the original author and maintainer, changing the metadata in this manner is still a lapse in software supply chain security/integrity, considering the wider Python package ecosystem's (most visibly in PyPI) chequered history in this area.

[0] https://packaging.python.org/en/latest/specifications/name-normalization/

--
Charlie Li
…nope, still don't have an exit line.
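
Added example (not part of either message, and not code from the ports tree or from pysmi/pysnmp): one way to check whether a patch to pyproject.toml only normalises the project name, per the specification linked as [0], or changes the package's identity. The function names, verdict strings and sample patches are assumptions constructed for illustration.

```python
import re

# Added example: the patches and project names below are constructed samples,
# not the contents of the real files/patch-pyproject.toml.
VALID = re.compile(r"^([A-Z0-9]|[A-Z0-9][A-Z0-9._-]*[A-Z0-9])$", re.IGNORECASE)
NAME_LINE = re.compile(r"""^([+-])\s*name\s*=\s*["']([^"']+)["']\s*$""")


def normalize(name):
    """Normalise a project name as the PyPA name-normalization spec describes."""
    return re.sub(r"[-_.]+", "-", name).lower()


def audit_name_patch(patch_text):
    """Classify what a unified diff does to a `name = "..."` key line."""
    names = {"-": None, "+": None}
    for line in patch_text.splitlines():
        if line.startswith(("---", "+++")):  # file headers, not hunk lines
            continue
        m = NAME_LINE.match(line)
        if m:
            names[m.group(1)] = m.group(2)
    upstream, patched = names["-"], names["+"]
    if upstream is None and patched is None:
        verdict = "name-untouched"
    elif upstream is None or patched is None:
        verdict = "name-added-or-removed"
    elif not VALID.match(patched):
        verdict = "invalid-name"
    elif normalize(upstream) == normalize(patched):
        verdict = "normalisation-only"   # same project, spelling differs
    else:
        verdict = "identity-changed"     # metadata now claims another project
    return {"upstream": upstream, "patched": patched, "verdict": verdict}


# Constructed ports-style patch; only the two name values vary.
TEMPLATE = (
    "--- pyproject.toml.orig\n+++ pyproject.toml\n@@ -1,3 +1,3 @@\n"
    ' [project]\n-name = "{}"\n+name = "{}"\n version = "1.0.0"\n'
)
RENAME_PATCH = TEMPLATE.format("example-snmp-fork", "example-snmp")
NORMALISE_PATCH = TEMPLATE.format("Example_SNMP.Fork", "example-snmp-fork")

if __name__ == "__main__":
    for patch in (RENAME_PATCH, NORMALISE_PATCH):
        print(audit_name_patch(patch))
```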
