Date:      Thu, 20 Jul 2023 13:30:32 +0000
From:      Alastair Hogge <agh@riseup.net>
To:        "John W. O'Brien" <john@saltant.com>
Cc:        Charlie Li <vishwin@freebsd.org>, freebsd-python@freebsd.org
Subject:   Re: [Bug 262906] net-mgmt/py-pysnmp: abandonned source used
Message-ID:  <d1d1fa36c73b62954909142d6e7ef9ea@riseup.net>
In-Reply-To: <5db09e47-72ab-c883-5151-814ede4f1a13@saltant.com>
References:  <5d5efd920ac8c4cee835a529e528c98a@riseup.net> <64c83c5c-220e-82b0-5cf3-896318d0c788@radioprosciutto.org> <1fb8943b-45a7-6553-e5cc-5bb2658d29b3@freebsd.org> <5db09e47-72ab-c883-5151-814ede4f1a13@saltant.com>

On 2023-07-20 20:02, John W. O'Brien wrote:
> On 7/20/23 00:32, Charlie Li wrote:
>> John W. O'Brien wrote:
>>> For net-mgmt/py-pysmi, I also had to patch pyproject.toml [2] to match the port name [3].
>>>
>>> [2] https://github.com/lextudio/pysnmp/blob/v5.0.28/pyproject.toml#L2
>>> [3] https://cgit.freebsd.org/ports/diff/net-mgmt/py-pysmi/files/patch-pyproject.toml?id=718622a56caf647e137c7896197e0d6b17dedddb
>> Please don't do that unless you are performing name normalisation [0]. While this case involves the unfortunate death of the original author and maintainer, changing the metadata in this manner is still a lapse in software supply chain security/integrity, considering the wider Python package ecosystem's (most visibly in PyPI) chequered history in this area.
>> 
>> [0] https://packaging.python.org/en/latest/specifications/name-normalization/
>> 
> 
> How would you have us handle this instead?


Ah you may have missed the update[1] to the bug report. I have not yet
had a chance to start on a patch.

1: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=262906#c9



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?d1d1fa36c73b62954909142d6e7ef9ea>