this post was submitted on 06 Apr 2025

116 points (97.5% liked)

Python

7000 readers

3 users here now

Welcome to the Python community on the programming.dev Lemmy instance!

📅 Events

Past

November 2023

PyCon Ireland 2023, 11-12th
PyData Tel Aviv 2023 14th

October 2023

PyConES Canarias 2023, 6-8th
DjangoCon US 2023, 16-20th (!django 💬)

July 2023

PyDelhi Meetup, 2nd
PyCon Israel, 4-5th
DFW Pythoneers, 6th
Django Girls Abraka, 6-7th
SciPy 2023 10-16th, Austin
IndyPy, 11th
Leipzig Python User Group, 11th
Austin Python, 12th
EuroPython 2023, 17-23rd
Austin Python: Evening of Coding, 18th
PyHEP.dev 2023 - "Python in HEP" Developer's Workshop, 25th

August 2023

PyLadies Dublin, 15th
EuroSciPy 2023, 14-18th

September 2023

PyData Amsterdam, 14-16th
PyCon UK, 22nd - 25th

🐍 Python project:

💓 Python Community:

#python IRC for general questions
#python-dev IRC for CPython developers
PySlackers Slack channel
Python Discord server
Python Weekly newsletters
Mailing lists
Forum

✨ Python Ecosystem:

🌌 Fediverse

Communities

#python on Mastodon
c/django on programming.dev
c/pythorhead on lemmy.dbzer0.com

Projects

Pythörhead: a Python library for interacting with Lemmy
Plemmy: a Python package for accessing the Lemmy API
pylemmy pylemmy enables simple access to Lemmy's API with Python
mastodon.py, a Python wrapper for the Mastodon API

Feeds

founded 2 years ago

MODERATORS

[email protected]

116

Python now has a standard package lock file format – though winning full adoption will be a challenge (devclass.com)

submitted 1 week ago by [email protected] to c/[email protected]

18 comments fedilink hide all child comments

all 19 comments

sorted by: hot top controversial new old

[–] [email protected] 1 points 5 days ago

i'm sad to report

wreck 0.3.4.post0 no longer emits build front end options into .lock files wreck#30.

Background of efforts to beg and plead for setuptools maintainers to bend ever so slightly.

Continuing from denied way to pass build front end options thru requirement files so know non-pypi.org hosts setuptools#4928

This hurts those hosting packages locally or remotely on non-pypi.org package index servers. For those who are, the packages themselves give no clue where the dependencies and transitive packages are hosted.

Each and every user would need to have a ~/.pip/pip.conf or pass --extra-index-url pip install cli option. And somehow know all the possible package index servers.

This allows the pypi.org cartel to continue along it's merry way unimpeded.

Wish pep751 good luck and may there be a .unlock equivalent. Do not yet understand how the pep751 implementers will bypass setuptools and build.

[–] [email protected] 24 points 1 week ago* (last edited 1 week ago)

Oh finally.

The news on this is mixed. “All the tool authors have signaled they can and would implement the PEP as an export format,” said Cannon, but that does not mean they would adopt it as their sole lock file format. The creator of uv, Charlie Marsh, said that “today, the PEP 751-style pylock.toml files are not sufficient to replace uv.lock,” but that support will be added for export.

This sounds little better then "here is 13th standard" even though it's not feature full.

[–] [email protected] 12 points 1 week ago (1 children)

https://xkcd.com/927/

[–] [email protected] 14 points 1 week ago* (last edited 1 week ago)

nah, the main reason we have 15 standards was the lack of an official one. This is good.

[–] [email protected] 3 points 1 week ago (1 children)

Here I am still using requirements.txt and the built in venv. Sure poetry looks cool. I just don't have it everywhere. Now I just have to wait 5 years before I can reliably use a pylock.toml. Progress!

[–] [email protected] 1 points 5 days ago* (last edited 5 days ago)

i love requirements files, venv, and pyenv.

Bringing requirements into pyproject.toml does not have enough value add to bother with. My requirements files are hierarchical. Extensively using -r and -c options AND venv aware.

pep751 does bring value, by stating both the host url and the hash of every package.

setuptools will fight this to continue their strange hold on Python

[–] [email protected] 2 points 1 week ago (1 children)

How is this different from regular dependencies?

[–] [email protected] 0 points 5 days ago* (last edited 5 days ago)

Regular dependencies lack host url and hashes. Those are most important.

For the full details, encourage you to read pep751

^^ look a link! Oh so clickable and tempting. Go ahead. You know that pretty blue font-color is just asking for it. And after clicking the font-color changes colors. Wonder what font-color it'll become? Hmmmm

[–] [email protected] 2 points 1 week ago* (last edited 1 week ago) (3 children)

Viva la package dependencies!

Does it do away with setuptools? After my experience interacting with the maintainers, now refer to that package as, The Deep State

The Deep State only supports loading dependencies from pypi.org Which has many advantages right up until it doesn't.

This new standard contains dependency host url. Hope there is a package other than setuptools that supports it.

When bring it up, and prove it, the responses alternate between playing dumb and gaslighting. The truth is The Deep State are gate keepers. And they are in the way.

Training wheels off mode please! So there is support for requirements files that contain on which server dependencies are hosted with more than one choice. Would like the option to host packages locally or remotely using pypiserver or equivalent.

On the positive side, setuptool maintainers did not suggest voodoo dolls, try to wait out the planetary alignment, better economic conditions, or peace on Earth.

That's how the conversation comes off to my eyes. But form your own opinion. Especially enjoyable for folks who also enjoyed the TV series, The Office.

What are the alternatives to being stonewalled by setuptools?

Disclosure: Wrote requirements rendering package, wreck. I have my own voodoo dolls and plenty of pins

[–] [email protected] 3 points 1 week ago (1 children)

I really don’t understand what you are complaining about. There has been a “training wheels off I want to do things manually” option for ages.

https://stackoverflow.com/questions/16584552/how-to-state-in-requirements-txt-a-direct-github-source

[–] [email protected] 1 points 5 days ago

git sources are not allowed by pypi.org

pypi.org cartel does not like competition; github repos are no exception.

Try to publish packages with git sourced packages and find out the hard way or save time and take my word for it.

-- author of wreck

[–] [email protected] 3 points 1 week ago

Poetry or UV

Still haven't tried the latter but heard good things

[–] [email protected] 1 points 1 week ago (2 children)

Have you tried hatch?

I don't know why people are still bothering with setuptools for new projects.

[–] [email protected] 1 points 1 week ago

Will look at it again

[–] [email protected] 1 points 1 week ago (1 children)

From the hatch docs, not seeing where it discusses publishing to alternative package warehouses.

[–] [email protected] 2 points 1 week ago* (last edited 1 week ago) (1 children)

AFAIK setuptools and hatch are for building. Publishing is a different process. You can try uv for publishing, but idk if it supports publishing to alternatives to PyPI.

[–] [email protected] 1 points 5 days ago

setuptools is for enforcing a cartel, naively can simplify that to for building.

I hope uv completely replaces setuptools and build. Then the maintainers can move on to another racket.