Src structure has some important benefits. Running something like pytest needs /src structure or otherwise it loads from the local folder instead. If you have compiled extensions, or if you use importlib stuff, it's critical to load the installed package, not the local folder. See, for example, https://github.com/scikit-build/cmake-python-distributions/pull/145, which was motivated by https://github.com/scikit-build/cmake-python-distributions/pull/139#issuecomment-843507505 for an example of problems in the wild.

However, not having editable support for now makes it a bit less attractive, since regular layout can run without installing in a pinch (if you avoid things like importlib), so maybe it would be best to wait till editable support is available (maybe best to use PEP 517 editable mode if it comes? PEP 660 or 662, whichever is accepted).

Upgrading to 0.0.4 breaks the dynamic version using TRAMPOLIM_VCS_VERSION:

Processing /Users/henryschreiner/git/scikit-hep/cookie/.nox/tests-trampolim/tmp/cookie-trampolim
  DEPRECATION: A future pip version will change local packages to be built in-place without first copying to a temporary directory. We recommend you use --use-feature=in-tree-build to test your packages with this new behavior before it becomes the default.
   pip 21.3 will remove support for this functionality. You can find discussion regarding this at https://github.com/pypa/pip/issues/7555.
  Installing build dependencies: started
  Installing build dependencies: finished with status 'done'
  Getting requirements to build wheel: started
  Getting requirements to build wheel: finished with status 'done'
  Installing backend dependencies: started
  Installing backend dependencies: finished with status 'done'
    Preparing wheel metadata: started
    Preparing wheel metadata: finished with status 'error'
    ERROR: Command errored out with exit status 1:
     command: /Users/henryschreiner/git/scikit-hep/cookie/.nox/tests-trampolim/bin/python /Users/henryschreiner/git/scikit-hep/cookie/.nox/tests-trampolim/lib/python3.9/site-packages/pip/_vendor/pep517/in_process/_in_process.py prepare_metadata_for_build_wheel /tmp/tmpbyha2ong
         cwd: /private/tmp/pip-req-build-cqa182lv
    Complete output (23 lines):
    Traceback (most recent call last):
      File "/Users/henryschreiner/git/scikit-hep/cookie/.nox/tests-trampolim/lib/python3.9/site-packages/pip/_vendor/pep517/in_process/_in_process.py", line 143, in prepare_metadata_for_build_wheel
        hook = backend.prepare_metadata_for_build_wheel
    AttributeError: module 'trampolim' has no attribute 'prepare_metadata_for_build_wheel'

    During handling of the above exception, another exception occurred:

    Traceback (most recent call last):
      File "/Users/henryschreiner/git/scikit-hep/cookie/.nox/tests-trampolim/lib/python3.9/site-packages/pip/_vendor/pep517/in_process/_in_process.py", line 349, in <module>
        main()
      File "/Users/henryschreiner/git/scikit-hep/cookie/.nox/tests-trampolim/lib/python3.9/site-packages/pip/_vendor/pep517/in_process/_in_process.py", line 331, in main
        json_out['return_val'] = hook(**hook_input['kwargs'])
      File "/Users/henryschreiner/git/scikit-hep/cookie/.nox/tests-trampolim/lib/python3.9/site-packages/pip/_vendor/pep517/in_process/_in_process.py", line 147, in prepare_metadata_for_build_wheel
        whl_basename = backend.build_wheel(metadata_directory, config_settings)
      File "/private/tmp/pip-build-env-osr5lkga/overlay/lib/python3.9/site-packages/trampolim/__init__.py", line 62, in build_wheel
        builder.build(wheel_directory)
      File "/private/tmp/pip-build-env-osr5lkga/overlay/lib/python3.9/site-packages/trampolim/_wheel.py", line 38, in build
        whl.writestr(f'{whl.dist_info_path}/METADATA', bytes(self._project._meta.as_rfc822()))
      File "/private/tmp/pip-build-env-osr5lkga/overlay/lib/python3.9/site-packages/pep621.py", line 243, in as_rfc822
        self.write_to_rfc822(message)
      File "/private/tmp/pip-build-env-osr5lkga/overlay/lib/python3.9/site-packages/pep621.py", line 250, in write_to_rfc822
        raise ConfigurationError('Missing version field')
    pep621.ConfigurationError: Missing version field

See https://github.com/scikit-hep/cookie/pull/41/checks?check_run_id=3804995613

Pinning to trampolim 0.0.3 fixes the issue.

I'd recommend running mypy from pre-commit (or maybe something like nox) as it's very important to fully control MyPy's environment, and usually nice to have it pinned as well (say with pre-commit). (See the recommendation here, for an example: https://scikit-hep.org/developer/style#type-checking )

This line breaks when this matches a tag exactly (which it usually should do if you are building wheels and SDists for publication?)

https://github.com/FFY00/trampolim/blob/f3e8db8dea5607f708208b57de0d8bc49348a9d1/trampolim/_build.py#L290

$ git describe --tags
v0.1.0

You want --long to force the commits since tag and current hash. Or you should check to see if -'s are present, then assume it's exactly a release then.

$ git describe --tags --long
v0.1.0-0-g165f120

Example failure from a nox run using scikit-hep/cookie:

nox -s 'dist(trampolim)'
nox > Running session dist(trampolim)
nox > Creating virtual environment (virtualenv) using python3.9 in .nox/dist-trampolim
nox > python -m pip install cookiecutter build twine
nox > cd .nox/dist-trampolim/tmp
nox > cookiecutter --no-input /Users/henryschreiner/git/scikit-hep/cookie --config-file=input.yml
nox > cd cookie-trampolim
nox > git init -q
nox > git add .
nox > git commit -qm feat: initial version
nox > git tag v0.1.0
nox > python -m build
nox > Command python -m build failed with exit code 1:
Found existing installation: setuptools 57.0.0
Uninstalling setuptools-57.0.0:
  Successfully uninstalled setuptools-57.0.0
Collecting trampolim~=0.0.3
  Using cached trampolim-0.0.3-py3-none-any.whl (13 kB)
Collecting packaging
  Using cached packaging-21.0-py3-none-any.whl (40 kB)
Collecting toml
  Using cached toml-0.10.2-py2.py3-none-any.whl (16 kB)
Collecting pyparsing>=2.0.2
  Using cached pyparsing-2.4.7-py2.py3-none-any.whl (67 kB)
Installing collected packages: pyparsing, toml, packaging, trampolim
Successfully installed packaging-21.0 pyparsing-2.4.7 toml-0.10.2 trampolim-0.0.3
Traceback (most recent call last):
  File "/Users/henryschreiner/git/scikit-hep/cookie/.nox/dist-trampolim/lib/python3.9/site-packages/pep517/in_process/_in_process.py", line 280, in <module>
    main()
  File "/Users/henryschreiner/git/scikit-hep/cookie/.nox/dist-trampolim/lib/python3.9/site-packages/pep517/in_process/_in_process.py", line 263, in main
    json_out['return_val'] = hook(**hook_input['kwargs'])
  File "/Users/henryschreiner/git/scikit-hep/cookie/.nox/dist-trampolim/lib/python3.9/site-packages/pep517/in_process/_in_process.py", line 236, in build_sdist
    return backend.build_sdist(sdist_directory, config_settings)
  File "/private/tmp/build-env-cgul0fht/lib/python3.9/site-packages/trampolim/__init__.py", line 44, in build_sdist
    project = trampolim._build.Project()
  File "/private/tmp/build-env-cgul0fht/lib/python3.9/site-packages/trampolim/_build.py", line 117, in __init__
    self.version  # calculate version
  File "/usr/local/Cellar/[email protected]/3.9.6/Frameworks/Python.framework/Versions/3.9/lib/python3.9/functools.py", line 969, in __get__
    val = self.func(instance)
  File "/private/tmp/build-env-cgul0fht/lib/python3.9/site-packages/trampolim/_build.py", line 289, in version
    tag, r, commit = subprocess.check_output([
ValueError: not enough values to unpack (expected 3, got 1)

ERROR Backend subproccess exited when trying to invoke build_sdist

This works correctly in setuptools_scm.

In #20, from local testing, it is clearly an empty folder that is hanging up on Windows. I don't think it's a critical problem; I don't think it's reproducible when running non-test code. As a nicer fix, we can move to pytest's built in (3.9+) fixtures for making temporary directories (test level and session level). These stick around for ~3 days or the last three sessions, for easier debuging, and therefore don't trigger this issue. Adding -Wd didn't produce any unclosed file warnings on #20, so I think it's safe.

I extracted the parser as the pep621 package, and afterwards made several API improvements. Our code here still has the original parser, we should replace it with the pep621 package.

https://github.com/FFY00/python-pep621

Rather expecting this to fail, as it's failing elsewhere. But I'm getting a somewhat unrelated pep621.ConfigurationError: Missing version field error, so maybe it's not related. We'll see. Edit: Appears to be something else. pep621 is missing release notes for 0.4.0, btw.

Also refactors mcuh of our internal path handling to use pathlib.

I am aware that the code still isn't great, but it's good enough for now.

Signed-off-by: Filipe Laíns [email protected]

Touching up the type checking strictness a bit, also checking both ends. I really like pyproject.toml config for mypy much better, but left it in setup.cfg for now.

This allows the CI to be run locally with nox -s tests-3.9 or nox -s type or nox -s docs -- serve, for example. Removes dependence on GitHub Actions.

(I already added this to do local testing, thought it might be useful to others)

Patching CVE-2007-4559

Hi, we are security researchers from the Advanced Research Center at Trellix. We have began a campaign to patch a widespread bug named CVE-2007-4559. CVE-2007-4559 is a 15 year old bug in the Python tarfile package. By using extract() or extractall() on a tarfile object without sanitizing input, a maliciously crafted .tar file could perform a directory path traversal attack. We found at least one unsantized extractall() in your codebase and are providing a patch for you via pull request. The patch essentially checks to see if all tarfile members will be extracted safely and throws an exception otherwise. We encourage you to use this patch or your own solution to secure against CVE-2007-4559. Further technical information about the vulnerability can be found in this blog.

If you have further questions you may contact us through this projects lead researcher Kasimir Schulz.