[BUG] Setuptools allow arbitrarily wrong configs in setup.cfg
#4913
Comments
|
|
|
It goes back even further, PBR (nee oslo.packaging for a brief moment) was a fork of d2to1, which implemented support for |
|
I have seen a different one than description-file, |
|
The I suppose these examples raise a question: should other packaging tools and SetupTools plugins be allowed to extend setup.cfg with their own directives alongside SetupTools use of the same file? Apparently some do, and have for years. The heritage of setup.cfg files goes back beyond PBR/d2to1/Distutils2 to the original distutils which relied on it for declarative configuration decades before SetupTools (re)copied that design (you'll find references to setup.cfg files for distutils in documentation from 2001, possibly earlier). Allowing and ignoring unrecognized entries has provided backward-compatibility with existing packages already relying on this functionality for a very long time. |
This is something that needs to be part of the investigation for this issue. We don't want to break other tools. I suspect we should allow any keywords defined via This issue only applies to the |
It seems this is not enough: https://inspector.pypi.io/project/pbr/6.1.1/packages/47/ac/684d71315abc7b1214d59304e23a982472967f6bf4bde5a98f1503f648dc/pbr-6.1.1-py2.py3-none-any.whl/pbr-6.1.1.dist-info/entry_points.txt#line.4 So we may have to find another alternative. |
What you are still missing here despite the hundreds of thousands of man hours of disruption you caused globally yesterday is that you also don't want to break your own tool. Given all the existing packages out there that have config keys that setuptools doesn't recognise, accepting those unknown keys isn't a bug, it is very much a feature. At the very most you should log a warning that setuptools is ignoring them. |
It seems evident to me that the answer here is: setuptools should not attempt to validate fields that don't belong to it. Let them be as right or as wrong as they please, it's not setuptools' place to tell them they are doing something wrong. Either that, or else setuptools should declare that anyone passing arguments to a setuptools plugin is "in the wrong" and should be punished for it by failure. But setuptools has historically considered at least passing arbitrary plugin-defined kwargs to |
Thanks @eli-schwartz, I was hopping that we could find a way to identify when it is safe to assume the field was intended to be consumed by setuptools. I do appreciate that it would be a huge challenge. For now this issue is in the stage of "brainstorming" the possibilities. The problem of simply ignoring invalid fields is that users potentially think their configuration is doing something when it is not and then they end up publishing defective artifacts. Moreover, I suppose users would appreciate if they did not have to spend 5h debugging their package to find out that they should have written |
The way I see the tradeoff is, new packages don't get failure messages until further down the pipeline when debugging is harder (a few hours of work for a single developer, or a small group), or breaking the whole ecosystem when a deprecation becomes a removal (a few hours of work for hundreds or thousands of developers). Some tools, like It is not as if there is much choice by the downstream consumers. We have to use It looks like we are discussing governance in a bug ticket again. Do we want to move this conversation, or keep it here? |
You have two distinct use cases here:
Provided setuptools can tell the difference (is there some context here you can use?), you could choose to validate more strictly under scenario #1 and be extremely permissive under scenario #2. This would solve your problem of "then they end up publishing defective artifacts" vs. breaking consumers at (I think providing version constraints, backwards-compatibility guarantees, and branching strategies to cope with backporting critical/CVE fixes is somewhat outside the scope of this issue.) |
The issue in #4910 unveiled something much deeper.
It seems that setuptools has been allowing arbitrary fields (like
description_filedescribed in #4910) insetup.cfg(possibly without a visible warning -- needs investigation)1.Expected outcome
Setuptools should issue a deprecation warning when a invalid field in used in
setup.cfg.Footnotes
Funny thing is that issue [BUG] Version 78.0.1 breaks install of ansible-vault package #4910 always involves
description-file. I find it hard to believe that it is a coincidence, possibly many packages CTRC+C, CTRL+V the same config all over the place. ↩The text was updated successfully, but these errors were encountered: