List: freebsd-python (FreeBSD-specific Python issues), archive: https://lists.freebsd.org/archives/freebsd-python
Date: Thu, 20 Jul 2023 13:30:32 +0000
From: Alastair Hogge
To: "John W. O'Brien"
Cc: Charlie Li, freebsd-python@freebsd.org
Subject: Re: [Bug 262906] net-mgmt/py-pysnmp: abandonned source used
In-Reply-To: <5db09e47-72ab-c883-5151-814ede4f1a13@saltant.com>
References: <5d5efd920ac8c4cee835a529e528c98a@riseup.net> <64c83c5c-220e-82b0-5cf3-896318d0c788@radioprosciutto.org> <1fb8943b-45a7-6553-e5cc-5bb2658d29b3@freebsd.org> <5db09e47-72ab-c883-5151-814ede4f1a13@saltant.com>

On 2023-07-20 20:02, John W. O'Brien wrote:
> On 7/20/23 00:32, Charlie Li wrote:
>> John W. O'Brien wrote:
>>> For net-mgmt/py-pysmi, I also had to patch pyproject.toml [2] to match the port name [3].
>>>
>>> [2] https://github.com/lextudio/pysnmp/blob/v5.0.28/pyproject.toml#L2
>>> [3] https://cgit.freebsd.org/ports/diff/net-mgmt/py-pysmi/files/patch-pyproject.toml?id=718622a56caf647e137c7896197e0d6b17dedddb
>> Please don't do that unless you are performing name normalisation [0]. While this case involves the unfortunate death of the original author and maintainer, changing the metadata in this manner is still a lapse in software supply chain security/integrity, considering the wider Python package ecosystem's (most visibly in PyPI) chequered history in this area.
>>
>> [0] https://packaging.python.org/en/latest/specifications/name-normalization/
>>
>
> How would you have us handle this instead?

Ah, you may have missed the update [1] to the bug report. I have not yet had a chance to start on a patch.

1: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=262906#c9
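The distinction Charlie Li draws above, between a metadata change that is only name normalisation and one that changes the project's identity, can be checked mechanically before a port patches upstream metadata. The following is an added example written for this page; it is not code from the thread, from the FreeBSD ports tree or from the pysnmp/pysmi projects. It implements the packaging name-normalisation rule (runs of `-`, `_` and `.` collapse to a single `-`, then lowercase), extracts the `[project]` `name` key from a constructed pyproject.toml sample with a deliberately minimal regex, and classifies a proposed rename. The function names and the sample metadata are assumptions of this example, not the real upstream values.

```python
import re
from typing import Optional

# Constructed sample pyproject.toml for this example; not the upstream project's
# real metadata.
SAMPLE_PYPROJECT = '''[project]
name = "PySMI"
version = "0.0.0"
'''


def normalize_name(name: str) -> str:
    """Normalise a distribution name per the packaging name-normalisation spec
    (PEP 503): runs of '-', '_' and '.' become one '-', then lowercase."""
    return re.sub(r"[-_.]+", "-", name).lower()


def is_pure_normalization(original: str, replacement: str) -> bool:
    """True only if both names denote the same project under normalisation."""
    return normalize_name(original) == normalize_name(replacement)


def project_name_from_pyproject(text: str) -> Optional[str]:
    """Minimal extraction of the [project] table's name key.

    Hypothetical helper kept deliberately small for the example; a real tool
    would parse the file with a TOML parser instead of a regex."""
    in_project = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("["):
            in_project = stripped == "[project]"
            continue
        if in_project:
            m = re.match(r'name\s*=\s*"([^"]*)"', stripped)
            if m:
                return m.group(1)
    return None


def review_rename(pyproject_text: str, new_name: str) -> dict:
    """Classify a proposed change to the project name in pyproject.toml.

    Verdicts: 'unchanged', 'normalization' (acceptable, same identity),
    'identity-change' (the case a reviewer should reject as a supply-chain
    integrity lapse), or 'no-name-found'."""
    original = project_name_from_pyproject(pyproject_text)
    if original is None:
        verdict = "no-name-found"
    elif original == new_name:
        verdict = "unchanged"
    elif is_pure_normalization(original, new_name):
        verdict = "normalization"
    else:
        verdict = "identity-change"
    return {"original": original, "proposed": new_name, "verdict": verdict}


if __name__ == "__main__":
    # "pysmi" is only a normalised spelling of the sample name; "py-pysmi" is
    # the ports-tree naming convention and changes the distribution's identity.
    for proposed in ("pysmi", "py-pysmi", "pysmi-fork"):
        print(review_rename(SAMPLE_PYPROJECT, proposed))
```

The point the check makes concrete is that a ports-style prefix such as `py-` is not a normalised form of the upstream name: under the spec, `PySMI` and `pysmi` are the same project, while `py-pysmi` is a different distribution name, so a patch producing it should be treated as an identity change and reviewed as such.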