Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]

Groups > linux.debian.maint.python > #17499 > unrolled thread

request for review: python-sigstore-models

Back to article view | Back to linux.debian.maint.python

Contents

  request for review: python-sigstore-models Simon Josefsson <simon@josefsson.org> - 2026-05-27 16:10 +0200
    Re: request for review: python-sigstore-models Norwid Behrnd <nbehrnd@yahoo.com> - 2026-05-27 16:20 +0200
      Re: request for review: python-sigstore-models Simon Josefsson <simon@josefsson.org> - 2026-05-27 16:40 +0200
        Re: request for review: python-sigstore-models Simon Josefsson <simon@josefsson.org> - 2026-05-28 18:10 +0200
    Re: request for review: python-sigstore-models Jeroen Ploemen <jcfp@debian.org> - 2026-05-28 09:10 +0200
      Re: request for review: python-sigstore-models Simon Josefsson <simon@josefsson.org> - 2026-05-28 17:50 +0200

#17499 — request for review: python-sigstore-models

[Multipart message — attachments visible in raw view] — view raw

Hi.

With uv included in Debian, I was able to resume packaging of
python-sigstore-models.  I lack experience with python packaging so I
would appreciate review of this package before NEW upload:

https://salsa.debian.org/python-team/packages/python-sigstore-models/

My biggest worry is the lack of upstream self-checks --
https://github.com/astral-sh/sigstore-models/issues/3 -- making it hard
to know if this package is working or not until there are consumers of
the package (with self-tests).  I hope to resume packaging of
python-sigstore eventually, covering that part:
https://bugs.debian.org/1084157

/Simon

[toc] | [next] | [standalone]

#17500

Hello Simon,

> Hi.
> 
> With uv included in Debian, I was able to resume packaging of
> python-sigstore-models.  I lack experience with python packaging so I
> would appreciate review of this package before NEW upload:
> 
> https://salsa.debian.org/python-team/packages/python-sigstore-models/

Note <https://mentors.debian.net/> provides a dedicated platform for public
checks and review - both for you, as well as a potential sponsor - as well as
for incremental improvement for a potential package.

Best regards,
Norwid

[toc] | [prev] | [next] | [standalone]

#17501

[Multipart message — attachments visible in raw view] — view raw

Norwid Behrnd <nbehrnd@yahoo.com> writes:

> Hello Simon,
>
>> Hi.
>> 
>> With uv included in Debian, I was able to resume packaging of
>> python-sigstore-models.  I lack experience with python packaging so I
>> would appreciate review of this package before NEW upload:
>> 
>> https://salsa.debian.org/python-team/packages/python-sigstore-models/
>
> Note <https://mentors.debian.net/> provides a dedicated platform for public
> checks and review - both for you, as well as a potential sponsor - as well as
> for incremental improvement for a potential package.

Thank you!  Uploaded.

https://mentors.debian.net/package/python-sigstore-models/

/Simon

[toc] | [prev] | [next] | [standalone]

#17504

[Multipart message — attachments visible in raw view] — view raw

I have tagged and uploaded this to NEW now, addressing all suggestions
so far, but I'm happy to take more feedback:

https://salsa.debian.org/python-team/packages/python-sigstore-models

I'll try to resume work on python-rfc3161-client now, which if I recall
was harder with both rust and python in the same package...

/Simon

[toc] | [prev] | [next] | [standalone]

#17502

[Multipart message — attachments visible in raw view] — view raw

On Wed, 27 May 2026 16:01:28 +0200
Simon Josefsson <simon@josefsson.org> wrote:

> Hi.
> 
> With uv included in Debian, I was able to resume packaging of
> python-sigstore-models.  I lack experience with python packaging so
> I would appreciate review of this package before NEW upload:
> 
> https://salsa.debian.org/python-team/packages/python-sigstore-models/
> 
> My biggest worry is the lack of upstream self-checks --
> https://github.com/astral-sh/sigstore-models/issues/3 -- making it
> hard to know if this package is working or not until there are
> consumers of the package (with self-tests).  I hope to resume
> packaging of python-sigstore eventually, covering that part:
> https://bugs.debian.org/1084157

The upstream repo on github does have tests, it's only the releases
published on pypi that don't. You might want to switch the watch file
to pull from github instead.

Most issues in the current packaging are related to the lack of
tests, esp. with the package set up as if they actually were present:
* testsuite 'autopkgtest-pkg-pybuild' without build-time tests is the
  equivalent of running /bin/true in an autopkgtest context. In that
  case, you're better off with autopkgtest-pkg-python (that at least
  actually does something, even if superficial).
* build-dep on python3-pydantic is only used while pybuild looks for
  unittests that aren't there, and could be ditched if you explicitly
  disable tests via 'export PYBUILD_DISABLE=test' in d/rules.
* you should probably build-depend on python3 rather than python3-all
  if you're not running any tests on build.

Obviously, all of the above only applies as long as no tests on run on
build.

The only other thing that stood out is the unused build-dep on
python3-setuptools.

[toc] | [prev] | [next] | [standalone]

#17503

[Multipart message — attachments visible in raw view] — view raw

Jeroen Ploemen <jcfp@debian.org> writes:

> On Wed, 27 May 2026 16:01:28 +0200
> Simon Josefsson <simon@josefsson.org> wrote:
>
>> Hi.
>> 
>> With uv included in Debian, I was able to resume packaging of
>> python-sigstore-models.  I lack experience with python packaging so
>> I would appreciate review of this package before NEW upload:
>> 
>> https://salsa.debian.org/python-team/packages/python-sigstore-models/
>> 
>> My biggest worry is the lack of upstream self-checks --
>> https://github.com/astral-sh/sigstore-models/issues/3 -- making it
>> hard to know if this package is working or not until there are
>> consumers of the package (with self-tests).  I hope to resume
>> packaging of python-sigstore eventually, covering that part:
>> https://bugs.debian.org/1084157
>
> The upstream repo on github does have tests, it's only the releases
> published on pypi that don't. You might want to switch the watch file
> to pull from github instead.
>
> Most issues in the current packaging are related to the lack of
> tests, esp. with the package set up as if they actually were present:
> * testsuite 'autopkgtest-pkg-pybuild' without build-time tests is the
>   equivalent of running /bin/true in an autopkgtest context. In that
>   case, you're better off with autopkgtest-pkg-python (that at least
>   actually does something, even if superficial).
> * build-dep on python3-pydantic is only used while pybuild looks for
>   unittests that aren't there, and could be ditched if you explicitly
>   disable tests via 'export PYBUILD_DISABLE=test' in d/rules.
> * you should probably build-depend on python3 rather than python3-all
>   if you're not running any tests on build.
>
> Obviously, all of the above only applies as long as no tests on run on
> build.
>
> The only other thing that stood out is the unused build-dep on
> python3-setuptools.

Yay, wonderful, thanks!  Fixed in git now, including pulling directly
from GitHub instead, so we now have self-tests.

I recall seeing self-checks dropped from the pypi tarballs before, so
maybe I should make a habit to pull directly from git for future python
packages.  IIRC the python team policy lead me into the pypi approach.

/Simon

[toc] | [prev] | [standalone]

Back to top | Article view | linux.debian.maint.python

csiph-web