Hello! Please revert the change which unbundled setuptools deps, so tons of packages are now needed only to use very few lines from e.g. jaraco-text. These new packages are updating, even though they're deadweight, and not used by setuptools or anything else in the system. Also, more and more deps are added with every release. All of this increases the chances that a supply chain attack will happen. I'm pretty sure that upstream of setuptools is vendoring packages for the same reason.
The code is there either way, though. It's not adding the risk of any sort of attack if the code is being used to begin with. If anything, it makes things safer as we can actually diff releases, which is impossible with massive setuptools diffs where new versions get imported with no commit history.