
Bug 941412

Summary: dev-python/setuptools: Please, consider reverting decision to unbundle deps
Product: Gentoo Linux
Reporter: Yaroslav Isakov <yaroslav.isakov>
Component: Current packages
Assignee: Python Gentoo Team <python>
Status: RESOLVED WONTFIX
Severity: normal
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---

Description Yaroslav Isakov 2024-10-12 16:20:48 UTC
Hello! Please revert the change that unbundled setuptools' dependencies, so that tons of packages are now needed only to use very few lines from e.g. jaraco-text. These new packages keep updating, even though they're deadweight and not used by setuptools or anything else in the system. Also, more and more deps are added with every release. All of this increases the chances that a supply chain attack will happen. I'm pretty sure that setuptools upstream is vendoring packages for the same reason.
Comment 1 Sam James 2024-10-12 16:22:41 UTC
The code is there either way, though. It's not adding the risk of any sort of attack if the code is being used to begin with. If anything, it makes things safer, as we can actually diff releases, which is impossible with massive setuptools diffs where new versions get imported with no commit history.