1Password / onepassword-sdk-python

https://developer.1password.com/docs/sdks/
MIT License

Publish SDK to PyPI #107

Closed paulfioravanti closed 1 month ago

paulfioravanti commented 2 months ago

Current Behavior

I've built a plugin for Plover, an open source stenography engine, that integrates with the 1Password Python SDK: Plover 1Password.

Since PyPI does not allow you to use direct URL dependencies in your list of required dependencies, I currently need to get my users to manually install the SDK themselves, which is unfortunate as I'd rather have the application do it for them automatically.

Desired Behavior

I want to be able to list onepassword-sdk-python as a required dependency in my application configuration, rather than have a manual install step for my users.

Benefits & Value

Less burden on the end user to not have to worry about running pip commands themselves.

Additional information

No response

AndyTitu commented 2 months ago

Hey @paulfioravanti, thanks for the request! We have adding our SDK to PyPI on our roadmap.

Since PyPI does not allow you to use direct URL dependencies in your list of required dependencies, I currently need to get my users to manually install the SDK themselves, which is unfortunate as I'd rather have the application do it for them automatically.

However, you can also fix your issue by taking advantage of PEP 440's direct refs, which allow you to specify dependencies that can be downloaded elsewhere in the form of a source repository or archive (you might be able to use our tags for that).

paulfioravanti commented 2 months ago

Thanks for adding my request to your roadmap!

I tried adding different combinations of remote and local PEP 440 direct refs to my setup.cfg file based on the guidance in the docs and scouring the internet, but was ultimately unsuccessful. So, I'm happy to just wait until the PyPI release happens :)

DustinMoriarty commented 2 months ago

@AndyTitu: We are waiting for this library to be published on PyPI before we consider this SDK to be production ready for our company.

Our logic is that any project that cannot take the minimal step to package versions is not production ready. Published versions are essential for tools like pip and poetry to be able to select correct versions based on semantic versioning rules. Otherwise, any library must peg the version directly and the tool must have network access to GitHub.

In addition, a lot of companies have build systems which have supply chain security policies which will not let you just build from any GitHub repo. We could ask for an exception for a specific GitHub repo to be mirrored. However, starting with the fact that the library won't even take the basic step to publish to PyPI, has minimal contributor history and is not at version 1.0.0 yet makes any security review and open source library review an uphill effort from the start.

We are also confused why there appears to be an older connect-sdk-python library which does appear more complete and uses the more modern poetry packaging tool that is not endorsed by the OP website. Connect-sdk-python does publish to PyPI.

Why is this onepassword-sdk-python library linked on the OP documentation website yet it is not at version 1.0.0 yet and it does not yet publish built versioned releases to PyPI? Consequently, we feel that we have no production ready Python SDK option for OP because we take the lack of endorsement by the OP website to mean that the old connect-sdk-python library may no longer be supported, yet the lack of a PyPI release > 1.0.0 for this library to state that onepassword-sdk-python is ready for publication yet. Part of the problem may be technical. As it stands, this looks from the outside like a half completed migration.

In addition to planning to make this library production ready and stable, OP needs to communicate its intentions for long term support for both this library and connect-sdk-python so that customers can have a continuous option and a migration path that they can plan around.
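The two mechanisms the thread contrasts, PEP 440 direct references to a repository or archive (AndyTitu's suggested workaround) versus versioned releases on an index that a resolver can select by version rules (DustinMoriarty's supply-chain point), can be made concrete with a small policy check. The following is an added example written for this thread, not code from the onepassword-sdk-python project or from any of the commenters; it uses only the standard library, the package and repository names in it are constructed, and the policy rules are assumptions chosen to mirror the concerns raised above.

```python
"""Classify requirement lines the way a build supply-chain policy check would.

Added example, not project code. It parses a constructed list of PEP 508
requirement lines and separates ordinary version-specifier requirements
(resolvable from an index such as PyPI) from PEP 440 direct references
("name @ url"), which fetch a repository or archive from elsewhere at
install time. Direct references are considered immutable only when they
name a full git commit hash or carry a #sha256= fragment; tags and
branches can be moved, so a policy treats them as mutable.
"""
import re
from urllib.parse import urlparse

# "name[extras] @ url" (PEP 440 direct reference) or "name[extras]specifier".
_DIRECT_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*@\s*(\S+)\s*$")
_SPEC_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*(.*?)\s*$")
_GIT_COMMIT_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_requirement(line):
    """Return a dict describing one requirement line.

    kind is "direct_url" for PEP 440 direct references, "versioned" when a
    version specifier is present, and "unpinned" when only a name is given.
    """
    line = line.split(";", 1)[0]  # drop environment markers such as "; python_version<'3.12'"
    m = _DIRECT_RE.match(line)
    if m:
        name, _extras, url = m.groups()
        base, _, fragment = url.partition("#")
        ref = None
        if base.startswith("git+"):
            # "git+https://host/org/repo@ref": the ref is whatever follows the last "@",
            # provided it is not part of the path (which rules out "git@host" user parts).
            _head, sep, tail = base.rpartition("@")
            if sep and "/" not in tail:
                ref = tail
            pinned = ref is not None and bool(_GIT_COMMIT_RE.match(ref))
        else:
            # Archive URL: reproducible only when a hash fragment accompanies it.
            pinned = fragment.startswith("sha256=")
        return {"name": name, "kind": "direct_url", "url": base, "ref": ref, "pinned": pinned}
    m = _SPEC_RE.match(line)
    if not m:
        raise ValueError(f"unsupported requirement line: {line!r}")
    name, _extras, spec = m.groups()
    if spec:
        return {"name": name, "kind": "versioned", "specifier": spec, "pinned": spec.startswith("==")}
    return {"name": name, "kind": "unpinned", "specifier": "", "pinned": False}


def check_policy(lines, allowed_hosts=()):
    """Return one finding per requirement the (assumed) build policy rejects.

    Rules: a direct reference needs install-time network access to its host and
    bypasses the index, so it is rejected unless the host is explicitly allowed
    AND the reference is immutable; a bare name cannot be resolved reproducibly.
    """
    findings = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        req = classify_requirement(line)
        if req["kind"] == "direct_url":
            # Strip a "git+" prefix so urlparse sees the transport URL.
            host = urlparse(req["url"].split("+", 1)[-1]).hostname or ""
            if host not in allowed_hosts:
                findings.append(f"{req['name']}: direct reference to {host!r} is not an allowed source host")
            elif not req["pinned"]:
                what = req["ref"] or req["url"]
                findings.append(f"{req['name']}: direct reference {what!r} is not an immutable commit or hashed archive")
        elif req["kind"] == "unpinned":
            findings.append(f"{req['name']}: no version specifier; resolver cannot pick a reproducible release")
    return findings


# Constructed sample input (not taken from any real project).
SAMPLE_REQUIREMENTS = [
    "# index-resolvable requirements: a resolver can choose releases by version rules",
    "requests>=2.31,<3",
    "onepassword-sdk-python==0.1.2",  # name as written in the thread; the real distribution name is not verified here
    "# PEP 440 direct references, the workaround discussed in the thread",
    "example-sdk @ git+https://github.com/example/example-sdk@v0.1.0",
    "example-sdk-pinned @ git+https://github.com/example/example-sdk@" + "a" * 40,
    "example-archive @ https://github.com/example/example-sdk/archive/v0.1.0.zip",
    "example-archive-hashed @ https://github.com/example/example-sdk/archive/v0.1.0.zip#sha256=" + "0" * 64,
    "somelib",
]

if __name__ == "__main__":
    print("default policy (no external hosts allowed):")
    for finding in check_policy(SAMPLE_REQUIREMENTS):
        print("  -", finding)
    print("policy with github.com on the allow list:")
    for finding in check_policy(SAMPLE_REQUIREMENTS, allowed_hosts=("github.com",)):
        print("  -", finding)
```

With no allowed hosts every direct reference is rejected regardless of how it is pinned, which is the situation DustinMoriarty describes; once a host is allowed, the tag-based git reference and the unhashed archive are still flagged, while the commit-pinned and hash-carrying forms pass. Versioned index requirements pass in both cases, which is what a published PyPI release buys the consumer.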

hculea commented 1 month ago

Thanks everyone for voicing your concerns and desire for this feature! I'm happy to let you know that this is actively being worked on.

To answer the other questions - the 1Password Connect SDK is also actively maintained and can be securely and safely adopted. This, however, only works using the 1Password Connect Server as a backend, which needs to be hosted in your own infrastructure. See more details about this here.

The new 1Password SDKs, however, currently work directly against the 1Password servers, leveraging service accounts as an authentication method. While not on our roadmap at this point, the promised land that we foresee is that eventually we would be able to unify the two SDKs into a single one.

Happy to answer any other questions, and thank you for the feedback!

MOmarMiraj commented 1 month ago

Hi Guys,

The new release v0.1.2 and all subsequent releases are released on PyPI. You can find it here.

I will close this issue, and if you have any concerns with the PyPI release, feel free to open up another issue.