-
Any maintainers who could answer my question?
-
Would like to know this too with
-
Could you please clarify this better? Setuptools itself has no dependency on Probably a false positive in the tool that is generating the report.
-
For the sake of clarity, check out the screenshots below showing filesystem changes when installing two different versions of setuptools (it is based on a python:3.11 base image). Yes, it seems to be a test package which has a regular package structure and a .egg file. That's why it's treated by SCA tools as a Python package. It is flagged since it has an unknown license set in its metadata along with other dummy data. If this is how you're going to deliver, I can somewhat live with that. However, be aware that it will most likely show up in SBOMs and SCA scans as an independent component.
-
In the recent release 71.0.1 one of the previous changes to exclude package data and tests was reverted: 1a52f11
Is this intended? I'm asking since SCA tools, starting with this version, detect such a test package (my-test-package) as a dependency with an unknown license. This raises some dependency management issues and I wanted to know if this is how you intend to proceed.
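The thread above turns on how an SCA tool decides that a directory is an installed Python component: it walks the filesystem and treats any `*.dist-info`, `*.egg-info` or `*.egg` directory as a distribution, reading its `METADATA`/`PKG-INFO` for the license. The script below is an added example (not setuptools code and not any particular SCA tool's logic) that reproduces that filesystem-based detection so a defender can triage such findings before they reach an SBOM: it records where each metadata directory sits and flags entries that are nested inside another package's tree (the signature of a test fixture shipped as package data) or that declare no usable license. The sample directory layout, package names and the `some_library/tests/fixtures` path are constructed for the demo and do not describe setuptools' actual layout.

```python
"""Triage Python package metadata found on disk the way an SCA scanner sees it.

Added example, not part of the discussion above. Walks a site-packages-like
tree, reads the license field from each metadata directory, and flags
distributions that are nested under another package (typical of test fixtures
installed as package data) or that carry no usable license value.
"""
from __future__ import annotations

import os
import tempfile
from email.parser import Parser
from pathlib import Path

# License values that SCA tools commonly report as "unknown".
UNKNOWN_LICENSE_VALUES = {"", "unknown", "none"}

# Directory suffixes that mark a Python distribution's metadata on disk.
METADATA_SUFFIXES = (".dist-info", ".egg-info", ".egg")


def _read_metadata(meta_dir: Path) -> dict:
    """Parse Name/Version/License from METADATA (dist-info) or PKG-INFO (egg)."""
    for candidate in ("METADATA", "PKG-INFO", "EGG-INFO/PKG-INFO"):
        path = meta_dir / candidate
        if path.is_file():
            # Core metadata is RFC 822-style headers, so the email parser suffices.
            msg = Parser().parsestr(path.read_text(encoding="utf-8", errors="replace"))
            return {
                "name": (msg.get("Name") or "").strip(),
                "version": (msg.get("Version") or "").strip(),
                "license": (msg.get("License") or "").strip(),
            }
    # No readable metadata file: fall back to the directory name.
    return {"name": meta_dir.name, "version": "", "license": ""}


def scan_site_packages(root: Path) -> list[dict]:
    """Return one finding per metadata directory under root (directories only;
    zipped .egg files are not inspected by this example)."""
    findings = []
    for dirpath, dirnames, _filenames in os.walk(root):
        for name in list(dirnames):
            if not name.endswith(METADATA_SUFFIXES):
                continue
            meta = _read_metadata(Path(dirpath) / name)
            rel_parent = Path(dirpath).relative_to(root)
            # Anything not directly under site-packages lives inside another
            # package's files, which is how test fixtures end up being reported.
            nested = rel_parent != Path(".")
            findings.append({
                **meta,
                "path": str(rel_parent / name),
                "nested": nested,
                "license_unknown": meta["license"].lower() in UNKNOWN_LICENSE_VALUES,
            })
            dirnames.remove(name)  # do not descend into the metadata directory itself
    return findings


def suspicious(findings: list[dict]) -> list[dict]:
    """Findings a reviewer should look at: nested or without a usable license."""
    return [f for f in findings if f["nested"] or f["license_unknown"]]


def build_sample_tree() -> Path:
    """Constructed sample site-packages tree (hypothetical names and paths)."""
    root = Path(tempfile.mkdtemp(prefix="site-packages-"))
    top = root / "requests-2.31.0.dist-info"
    top.mkdir()
    (top / "METADATA").write_text(
        "Metadata-Version: 2.1\nName: requests\nVersion: 2.31.0\nLicense: Apache 2.0\n"
    )
    # A test fixture buried inside another package's tests directory (constructed).
    nested = root / "some_library" / "tests" / "fixtures" / "my_test_package-0.0.1.egg-info"
    nested.mkdir(parents=True)
    (nested / "PKG-INFO").write_text(
        "Metadata-Version: 1.0\nName: my-test-package\nVersion: 0.0.1\nLicense: UNKNOWN\n"
    )
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for finding in suspicious(scan_site_packages(sample_root)):
        print(f"{finding['name']} {finding['version']} at {finding['path']}: "
              f"nested={finding['nested']} license={finding['license'] or '<empty>'}")
```

Run it against a real interpreter with `scan_site_packages(Path(site.getsitepackages()[0]))` to see which reported components are genuine top-level installs and which are metadata directories carried along inside another package; the nested ones are the candidates to document as fixtures rather than dependencies in the SBOM.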