From: Simon Josefsson
Newsgroups: linux.debian.maint.python
Subject: Re: request for review: python-sigstore-models
Date: Thu, 28 May 2026 17:50:01 +0200
List-Archive: https://lists.debian.org/msgid-search/87ldd38rjx.fsf@josefsson.org

Jeroen Ploemen writes:

> On Wed, 27 May 2026 16:01:28 +0200
> Simon Josefsson wrote:
>
>> Hi.
>>
>> With uv included in Debian, I was able to resume packaging of
>> python-sigstore-models.
>> I lack experience with python packaging so
>> I would appreciate review of this package before NEW upload:
>>
>> https://salsa.debian.org/python-team/packages/python-sigstore-models/
>>
>> My biggest worry is the lack of upstream self-checks --
>> https://github.com/astral-sh/sigstore-models/issues/3 -- making it
>> hard to know if this package is working or not until there are
>> consumers of the package (with self-tests). I hope to resume
>> packaging of python-sigstore eventually, covering that part:
>> https://bugs.debian.org/1084157
>
> The upstream repo on github does have tests, it's only the releases
> published on pypi that don't. You might want to switch the watch file
> to pull from github instead.
>
> Most issues in the current packaging are related to the lack of
> tests, esp. with the package set up as if they actually were present:
> * testsuite 'autopkgtest-pkg-pybuild' without build-time tests is the
>   equivalent of running /bin/true in an autopkgtest context. In that
>   case, you're better off with autopkgtest-pkg-python (that at least
>   actually does something, even if superficial).
> * build-dep on python3-pydantic is only used while pybuild looks for
>   unittests that aren't there, and could be ditched if you explicitly
>   disable tests via 'export PYBUILD_DISABLE=test' in d/rules.
> * you should probably build-depend on python3 rather than python3-all
>   if you're not running any tests on build.
>
> Obviously, all of the above only applies as long as no tests are run on
> build.
>
> The only other thing that stood out is the unused build-dep on
> python3-setuptools.

Yay, wonderful, thanks! Fixed in git now, including pulling directly
from GitHub instead, so we now have self-tests.

I recall seeing self-checks dropped from the pypi tarballs before, so
maybe I should make a habit to pull directly from git for future python
packages. IIRC the python team policy led me into the pypi approach.
/Simon
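An added example, not part of the original message or of the Debian packaging: a check for the situation discussed in this thread, where a PyPI tarball ships without the upstream tests and a pybuild-based autopkgtest then has nothing to run. The test-file heuristic, the function names and the sample tarballs are assumptions constructed for illustration.

```python
import io
import tarfile
from pathlib import PurePosixPath


def find_test_files(tar_bytes: bytes) -> list[str]:
    """Return paths in a source tarball that look like Python test modules.
    Heuristic (assumed here): test_*.py, *_test.py, or any .py under tests/ or test/.
    """
    hits = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            path = PurePosixPath(member.name)
            if not member.isfile() or path.suffix != ".py":
                continue
            in_test_dir = any(p in ("tests", "test") for p in path.parts[:-1])
            if in_test_dir or path.name.startswith("test_") or path.stem.endswith("_test"):
                hits.append(member.name)
    return sorted(hits)


def suggest_testsuite(tar_bytes: bytes) -> str:
    """Map the result onto the two Testsuite values named in the review."""
    return "autopkgtest-pkg-pybuild" if find_test_files(tar_bytes) else "autopkgtest-pkg-python"


def make_tarball(files: dict[str, bytes]) -> bytes:
    """Build an in-memory .tar.gz from constructed sample content."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed samples: a release tarball without tests and a git export with them.
# The file names are hypothetical, not the real sigstore-models layout.
BASE = {"pkg-1.0/pyproject.toml": b"[project]\nname = 'pkg'\n",
        "pkg-1.0/src/pkg/__init__.py": b""}
SDIST_NO_TESTS = make_tarball(BASE)
GIT_EXPORT = make_tarball({**BASE,
                           "pkg-1.0/tests/test_models.py": b"def test_ok():\n    assert True\n"})

if __name__ == "__main__":
    for label, blob in (("sdist", SDIST_NO_TESTS), ("git", GIT_EXPORT)):
        print(label, find_test_files(blob), suggest_testsuite(blob))
```

Running the same check against the orig tarball on each new upstream release catches the case where tests silently disappear from a release artifact.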