Clientless pom #8
Conversation
Remove conary-isms and use pbr.
Use six for compatibility between python2 and python3 and tox for running tests. Biggest source of actual code change is around supporting rich comparision methods in python3.
Adds the classmethods Pom.fromstring and Pom.parse. These are modeled on the lxml.etree functions of the same name. If a MavenClient is passed in, then the resulting Pom object will attempt to dynamically load data from external POM files available via the client. Sem-Ver: feature Fixes: sassoftware#4
|
@wfscheper Let me review this in details tomorrow. |
pymaven/client.py
Outdated
| @@ -75,7 +75,7 @@ def __init__(self, cacheDir=None): | |||
| if cacheDir is None: | |||
| cacheDir = "/tmp/%s-maven-cache" % getpass.getuser() | |||
There was a problem hiding this comment.
This is POSIX specific. I think you could use tempfile.gettempdir() for portability
There was a problem hiding this comment.
Good catch. Will fix this.
setup.cfg
Outdated
|
|
||
| [bdist_wheel] | ||
| universal = 1 | ||
|
|
There was a problem hiding this comment.
Your would need to add license_file = LICENSE to ensure that the built wheel contains a proper license.
There was a problem hiding this comment.
I think pbr handles this for me, but I'll double check that the LICENSE file is installed and fix it if its not.
There was a problem hiding this comment.
it would be a pleasant surprise if pbr does this... Note also that AFAIK pbr is mostly obsolete now that the latest setuptools support extensive, declarative metadata in setup.cfg
There was a problem hiding this comment.
You are correct, and I added the license_file entry to my setup.cfg.
pbr's main role is to generate the AUTHORS file and let us manage versioning through commit history.
I'm less enthused by its use of metadata in setup.cfg given that its basically a one-to-one rewrite of a setup.py. You're not really gaining much, though it is nice to have one place to put a lot of configuration. pbr also generates a changelog for you, but it's just a dump of your commit history which isn't terribly useful as a changelog.
|
@wfscheper you wrote:
So there are eventually two use cases:
For case 2, there is no such thing as coordinates known ahead of time: these are in the POM and unknown until after parsing So what could possibly work is this: Then something more or less like this:
In all cases I never know coordinates ahead of time so in any subclass I would need to replicate most of the |
| return self._pom_factory(group, artifact, version) | ||
|
|
||
| @property | ||
| @memoize("_pom_data") | ||
| def pom_data(self): |
There was a problem hiding this comment.
I am not sure I get why you are trying to recreate some XML here... why? If I provided an actual string of XML as an input why would you recreate this to then reparse? (and as a side note this also implies that coordinates were provided)
There was a problem hiding this comment.
self.pom_data is a property (a method that is used as if it were an attribute). The memoize decorator ensures that we only call self.pom_data() once, and store the result in self._pom_data.
If you used Pom.parse or Pom.fromstring to create the Pom object, then self.pom_data() is never actually called, the memoize decorator just returns the value of self._pom_data.
If you used Pom() and didn't pass a client, then I use the EMPTY_POM template and fill it out with the values from the coordinate you passed in. If you did pass in a client, then I use the client to get the POM data from the repository. Make sense?
There was a problem hiding this comment.
@wfscheper It does make sense, but I cannot see any use case where you have as an input coordinates but no pom file and no client. The library is useless in this case so this should not even be allowed: you cannot do anything of value.
| from .versioning import VersionRange | ||
|
|
||
|
|
||
| EMPTY_POM = """\ |
There was a problem hiding this comment.
Rebuilding a POM as XML is likely to be rather problematic: I may have provided deps and this would ignore them. And if I want to extend this with extra attributes for #3 my hunch that this will complicate things rather badly... Why would you need this?
There was a problem hiding this comment.
The intention is that I would use this when I'm provided with coordinates but no client or xml. Would it be clearer if I called it MINIMAL_POM?
There was a problem hiding this comment.
The combo of coordinates with no client and no xml should be an error IMHO.
Ensure that our LICENSE file is correctly packaged and installed.
Use tempfile.mkdtemp to create the cacheDir rather than assuming we can use /tmp.
Prefer a handwritten changelog to pbr's dump of the git history.
|
I have been thinking of another possible approach....
Now, I am less clear about the case of having both a path and a client.... Also, after all a client is something that can retrieve Artifacts: there could be a dumb client that knows nothing about repositories and deals only with a path as an input and can only fetch that one path (and if provided with coordinates instead, it would just initialize a Pom/Artifact with the coordinates and fetch nothing) ... This could be another way. |
|
The more we discuss the I think Sound reasonable to you? |
|
|
Not completely sure what you mean by "recreate any XML string." Are you
referring to where the PR was using the EMPTY_POM template? That would go
away with the new signature.
On Sun, Jun 11, 2017 at 10:27 AM Philippe Ombredanne < ***@***.***> wrote:
Sound reasonable to you?
@wfscheper <https://github.com/wfscheper> It sure does, but I am still
not sure if makes sense to recreate any XML string though. It feelds weird
when the input is coordinates and would be imposed if the constructor of
Pom is Pom.__init__(pom_data, client=None)
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#8 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAD5s-q3n9cwb3sacMf4ka-35XqoS1baks5sC_lbgaJpZM4NzN06>
.
--
Sent from my phone
|
perfect! |
|
@wfscheper to give you a better feel of where I want to go (and what I would like to contribute back eventually for #3 #9 #10 #11 and #12 ) ... See these:
Note: this is based of master and not this branch, but merging will not be of issue and I will rebase as needed when times comes.
Note that I have over 500+ tests with several POMs with oddities that were collected mostly carefully. |
|
@wfscheper any feedback on the subclass I mentioned above? I can start creating a PR, but I would rather base this on top of your refactoring than master I guess. |
|
Just catching up. There's a lot here that I like, especially the tests and
odd corner case poms.
I'm going to merge my pom refactor into a new branch in the main repo and
we can start pulling in your changes there. I'm still unsatisfied with the
Pom API, and I expect we'll want to change the API some more as we work
through your enhancements.
On Wed, Jun 21, 2017 at 6:12 PM Philippe Ombredanne < ***@***.***> wrote:
@wfscheper <https://github.com/wfscheper> any feedback on the subclass I
mentioned above? I can start creating a PR, but I would rather base this on
top of your refactoring than master I guess.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#8 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAD5s66UARQ1jlCDcxwYHWXVHKp9qnniks5sGZVUgaJpZM4NzN06>
.
--
Sent from my phone
|
|
@wfscheper this sounds like a plan! 👍 |
|
@wfscheper FWIW my patches have been baked in the latest release of scancode https://github.com/nexB/scancode-toolkit/releases/ .... and I would like to know if this is OK to have your name in the credits :) as this is a major improvement on our side for the Maven thingies |
|
and FYI to give some context of what we are up to:
So the goals are 1. detect all the packages and all deps in a codebase. 2. report all the licensing and origin info. 3. report all known vulnerabilities for all detected or resolved packages (as part of https://github.com/nexB/vulnerablecode which is built by @kartiksibal as part of the GSoC https://summerofcode.withgoogle.com/organizations/4800434830049280/#4673431489478656 ) 4. report other useful info on this |
|
Closing. We will continue work on this in the clientless-pom branch of the main repo, and merge that in once its fully baked. |
@pombredanne
Look over the API changes and let me know if you think this works for your use case. I'm still debating whether I really need to require a coordinate string, so I'd like to hear from you on that.