-
Notifications
You must be signed in to change notification settings - Fork 16
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allowing more external dependencies for stubs #90
Comments
I feel like this is related. In python/typeshed#9511 I tried to use Seeing python/mypy#14737 makes me wanna request allowing those for stub_uploader as well, but that's only growing the list. (unless you wanna directly depend on, and trust, mypy's On the note of more relaxed criteria and catching more non-wheel declared dependencies without running arbitrary code, maybe #88 would help ? |
typeshed-internal/stub_uploader#90 Co-authored-by: Audrey Dutcher <[email protected]>
Currently, We should also consider moved the allowlist out of the metadata.py file into a data file to separate code from data. |
Although there is the danger of a hacked maintainer account adding a dependency on |
Okay, here is a suggestion. We allow:
Edit 2: Also, on upload of a package with outside dependencies, we reverse check whether there are other typeshed packages that depend on this that don't have the required outside dependencies in their allowlist. |
To illustrate the implications of this proposal: currently 6 typeshed packages depend on
All of these currently pull in To clarify the proposal here: would we still allow these typeshed packages to depend on |
At least the latter, yes. They don't necessarily need to list it in their METADATA requirements, as there's no necessity to make it into their dependency field in the package. |
I can see the attraction of making allowlists per-package. The way that It will probably mean more busywork for us to maintain per-package allowlists in a separate repo, but I think it's probably worth it. |
We could also add back a general allowlist for very popular packages in addition to the per-package allowlist if this proves to be too much busywork at a later date. If we put the allowlist into an external file, we should keep that possibility in mind when deciding on a format. |
Currently, we're quite strict about what external dependencies stubs can use. We have a small allowlist here:
stub_uploader/stub_uploader/metadata.py
Line 166 in b81ba3c
Briefly, the reason for this is a) Python packages can execute arbitrary code at install time, b) type checkers sometimes install stub packages automatically, c) stub packages are quite popular, d) users likely expect stub packages to be inert
So what would it take to remove the allowlist? We already have an important additional check in stub uploader: we ensure that external dependencies of a stub package must be a dependency of the upstream package. However, there's still a hole, in that stub dependencies of stub packages are not currently checked.
To spell things out, this is the scenario that we're concerned about:
Once we plug this hole, we could maybe get rid of the allowlist or have much more relaxed criteria.
This has been discussed in a couple places, mainly #61 (comment). I'm writing this up here as a way to easily communicate the current status quo to typeshed contributors.
Plugging the hole is a pretty easy change to make to stub_uploader, see diff here:
However, typeshed currently has twelve stubs that fail this test:
So it may be that there's some reasonable improvement that could be made to the check that works for these twelve packages. Or maybe we can just require these specific stubs to have individualised exceptions committed to stub_uploader. Or maybe it's not super viable to plug this hole and we need to keep the allowlist forever.
(Also note that the implementation of the check in that diff^ isn't perfect, since it only works for projects that are on PyPI and have wheels, and only checks the dependencies of the latest version)
The text was updated successfully, but these errors were encountered: