Re: [sage-devel] Re: [Proposal] allow standard packages to be pip packages, reduce source tarball size

Sat, 01 Jun 2024 10:03:29 -0700 


On 1 June 2024 15:50:56 CEST, Nathan Dunfield <nat...@dunfield.info> wrote:
>On Friday, May 31, 2024 at 11:38:34 AM UTC-5 Dima Pasechnik wrote:
>
>Before looking at 
>https://groups.google.com/g/sage-devel/c/lPLoA7zaoyg/m/dGE1B1jQEQAJ
>we should look at this proposal again, as pytest is a very suitable 
>candidate for the kinds of packages (standard pip packages)
>proposed here.
>
>
>Indeed, nothing (save for a very marginal case of a complete offline 
>install - and this can be helped if there is a will to allow such packages)
>is gained by mechanically adding the  pytest dependencies into Sage the 
>distro. 
>
>
>And doing this an extra code bloat, with stuff we don't patch, and don't 
>even know what's there.
>E.g. we can add a backdoored,or otherwise broken, version of one of these 
>into the distro, giving it extra legitimacy for no reason.
>
>
>If we kept pytest as a pip package, and did not explicitly add its 
>additional dependencies (iniconfig and exceptiongroup), that makes it 
>harder to quickly check whether a backdoored/broken package is even part of 
>Sage.
Once you have backdoored core in your project, the onus is on you to clean up 
the mess.
So it's better not to have the unknown to you code in the project. We don't 
want to take on extra responsibility like this.

Only "real" distros (Linux distros, Conda, etc) keep their own copies of pytest.
I don't know any Python project that does the same.
Please don't pull Sage towards being a "real" distro.
This shifts the focus away from what the project is about.

>
>Also, in the original discussion in this thread in February, some argued 
>that there was no reason to pin the version of pytest.  As Matthias points 
>out elsewhere, since then the release of pytest 8.* broke Sage's 
>preliminary pytest support [1]. 

we can pin versions of (optional) pip packages, so this doesn't seem to be a 
problem.
Such pinning can be done very quickly - if needed.

Dima

>
>Best,
>
>Nathan
>
>[1] https://github.com/sagemath/sage/pull/37999
>

-- 
You received this message because you are subscribed to the Google Groups 
"sage-devel" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to sage-devel+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/sage-devel/68740A91-331C-4190-A432-5DA3FB499E7C%40gmail.com.























					Reply via email to