pip installer

12 replies [Latest content]
mixalis_t
Joined: 02/21/2014

Hello,

I've made a python program that checks if a package in Python Package Index (pypi) is free. This script detects if a program is free if a package is OSI Approved.

I want help to integrate this functionality in pip, the python package installer, so that isn't possible to install nonfree software from pip.

Also, in order for the script to work a made a modification in locators.py from distlib

Attachment: checkpackage.tar (1.25 MB)
onpon4
Joined: 05/30/2012

You should talk to pip's developers about implementing this as a warning (not as a refusal to download packages). You might also want to check for different classes of licenses.

But there are some parts of your script that don't make sense:

1. "version = info.keys()[0]": What "info.keys()[0]" points to is undefined. "info" is a dictionary, and dictionaries are unordered. If you're trying to find the most recent version, you need to convert the keys to a list and sort it appropriately. As it is, you're just grabbing an arbitrary version.

2. You're only looking at the "License" field, which I don't tend to use because the license I'm using is a trove classifier.

3. Your script completely ignores the license field, because it always overwrites it with "gpl version 3". So it's always going to detect any package as free.

4. Your list of "free licenses" includes things that are not licenses at all, like "general public", and licenses which may or may not be libre, like "artistic". Since any arbitrary text can be typed in the license field, you ought to be very strict with what strings you accept. The warning can then display this license so that the user can personally check it.

By the way, while you should use trove classifiers, I would highly recommend against just assuming that any package with the "OSI Approved" or "DFSG Approved" classifier is libre, partly because the OSI has approved some proprietary licenses and partly because this isn't a declaration of a license, just a statement of fact which may or may not be true.
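A strict, classifier-based check of the kind onpon4 describes, as an added example that is not the thread's checkpackage script; the sample dicts are constructed to mirror the shape of the "info" and "releases" objects in PyPI's JSON API, and the allowlist of classifier strings is an assumption chosen for illustration:

```python
# Added example, not the thread's checkpackage script: classify a PyPI package's
# declared license from exact trove classifier strings, as onpon4 suggests.
# The dicts below are constructed to mirror PyPI's JSON API "info"/"releases" shape.

# Exact classifier strings accepted. "OSI Approved" on its own is not enough,
# and free-text License fields are never trusted, only reported for manual review.
FREE_CLASSIFIERS = {
    "License :: OSI Approved :: GNU General Public License v3 (GPLv3)",
    "License :: OSI Approved :: GNU General Public License v3 or later (GPLv3+)",
    "License :: OSI Approved :: MIT License",
    "License :: Public Domain",
}

def license_status(info):
    """Return (status, detail): ('free', classifier) when an accepted classifier
    is present, otherwise ('unknown', text) with whatever the package declared."""
    classifiers = set(info.get("classifiers") or [])
    accepted = sorted(classifiers & FREE_CLASSIFIERS)
    if accepted:
        return "free", accepted[0]
    # A License classifier outside the allowlist: surface it verbatim, don't guess.
    other = sorted(c for c in classifiers if c.startswith("License ::"))
    if other:
        return "unknown", other[0]
    raw = (info.get("license") or "").strip()
    if raw.lower() in ("", "unknown"):
        return "unknown", ""
    return "unknown", raw

def latest_release(releases):
    """Pick the newest version key; dict order is not a version order.
    Numeric components compare as integers, anything else (e.g. '0rc1') sorts low."""
    def key(version):
        return [int(p) if p.isdigit() else -1 for p in version.split(".")]
    return max(releases, key=key)

# Constructed sample metadata (not real PyPI responses).
GPL_INFO = {"license": "GPLv3", "classifiers": [
    "Programming Language :: Python :: 3",
    "License :: OSI Approved :: GNU General Public License v3 (GPLv3)"]}
RAW_ONLY_INFO = {"license": "see COPYING", "classifiers": []}
UNKNOWN_INFO = {"license": "UNKNOWN", "classifiers": []}
SAMPLE_RELEASES = {"1.9": [], "1.10.0": [], "1.2": []}

if __name__ == "__main__":
    for name, info in [("gpl", GPL_INFO), ("raw", RAW_ONLY_INFO), ("unk", UNKNOWN_INFO)]:
        print(name, license_status(info))
    print(latest_release(SAMPLE_RELEASES))
```

A package whose only declaration is a free-text License field comes back as "unknown" with that text attached, which is what a warning would show the user for manual checking.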

mixalis_t
Joined: 02/21/2014

>You should talk to pip's developers about implementing this as a warning (not as a refusal to download packages).

In Trisquel there is an issue for that: https://trisquel.info/en/issues/3741. Since Trisquel has only free software, it shouldn't be possible to install nonfree software from pip.

> You might also want to check for different classes of licenses.

Do you mean other than OSI Approved?

Sorry, this attachment has the wrong file.

1. info has one value, the latest version.

Attachment: checkpackage.tar (1.25 MB)
jorgesumle
Joined: 06/01/2016

Hi, everyone

We also had a discussion in the Spanish forum about that issue (https://trisquel.info/en/forum/propuesta-acerca-de-pypi). There is already a program in Python called pypi-cli that checks PyPI license information (along with statistics and other cool stuff). You can install it with pip:

sudo pip3 install pypi-cli

Apart from what onpon4 mentioned, we should also take into account that a free package may have non-free dependencies. Also, please use Python 3 for new projects.

> You should talk to pip's developers about implementing this as a warning

I agree, that would be a great improvement.

If that's not possible, we could make a simple fork of pip that checks the license before installing any program, so that only free programs can be installed.

SuperTramp83
Joined: 10/31/2014

pypi info youtube-dl

LICENSE: Unknown

Same for mps-youtube

It seems it is not great for the purpose :)

jorgesumle
Joined: 06/01/2016

It works fine with most licenses. Reported the bug: https://github.com/sloria/pypi-cli/issues/14

In case you're wondering, youtube-dl is in the public domain and mps-youtube is licensed under the GNU GPL, version 3.

t3g
Joined: 05/15/2011

You can always fork the repo at https://github.com/pypa/pip and then once you make your updates, do a merge request. Were you thinking of adding a -free command line option to pip to force free packages only?

mixalis_t
Joined: 02/21/2014

I made a project in gitlab (https://devel.trisquel.info/mixalis/checkpackage). Help is needed.

SuperTramp83
Joined: 10/31/2014

The only help I can give you is translations.

Majin Buu
Joined: 11/05/2016

This isn't a bad idea, but the process isn't transparent. Also, that doesn't solve the main problem.

The better idea is to create a separate repository with only free software with free dependencies. This will help to spread the message that non-free software is unjust and unethical, and with this persuade PyPI maintainers to only include free software in their repos.

Magic Banana
Joined: 07/24/2010

It exists. It is called "Trisquel's repository". It has many Python packages.

Majin Buu
Joined: 11/05/2016

Please accept my merge request; it contains many improvements and it also checks if a license is GPL-compatible.

mixalis_t
Joined: 02/21/2014

If anyone wants to try it, they have to fetch the source code of pip (python-pip-1.5.4) and replace req.py and _vendor/distlib/locators.py with the ones from GitLab. Sorry for the inconvenience, but I couldn't push all the files to GitLab.