From: Jeroen Ploemen
Newsgroups: linux.debian.maint.python
Subject: Re: request for review: python-sigstore-models
Date: Thu, 28 May 2026 09:10:01 +0200
List-Archive: https://lists.debian.org/msgid-search/20260528070004.16a75481@debian.org

On Wed, 27 May 2026 16:01:28 +0200 Simon Josefsson wrote:

> Hi.
>
> With uv included in Debian, I was able to resume packaging of
> python-sigstore-models. I lack experience with python packaging so
> I would appreciate review of this package before NEW upload:
>
> https://salsa.debian.org/python-team/packages/python-sigstore-models/
>
> My biggest worry is the lack of upstream self-checks --
> https://github.com/astral-sh/sigstore-models/issues/3 -- making it
> hard to know if this package is working or not until there are
> consumers of the package (with self-tests). I hope to resume
> packaging of python-sigstore eventually, covering that part:
> https://bugs.debian.org/1084157

The upstream repo on github does have tests, it's only the releases
published on pypi that don't. You might want to switch the watch file
to pull from github instead.

Most issues in the current packaging are related to the lack of tests,
esp. with the package set up as if they actually were present:

* testsuite 'autopkgtest-pkg-pybuild' without build-time tests is the
  equivalent of running /bin/true in an autopkgtest context. In that
  case, you're better off with autopkgtest-pkg-python (that at least
  actually does something, even if superficial).
* build-dep on python3-pydantic is only used while pybuild looks for
  unittests that aren't there, and could be ditched if you explicitly
  disable tests via 'export PYBUILD_DISABLE=test' in d/rules.
* you should probably build-depend on python3 rather than python3-all
  if you're not running any tests on build.

Obviously, all of the above only applies as long as no tests are run on
build.

The only other thing that stood out is the unused build-dep on
python3-setuptools.