PyCQA / bandit

Bandit is a tool designed to find common security issues in Python code.
https://bandit.readthedocs.io
Apache License 2.0

Add explicit pbr requirement #959

Closed mikelolasagasti closed 1 year ago

sigmavirus24 commented 2 years ago

Why? pbr is a build requirement, not a runtime requirement

mikelolasagasti commented 2 years ago

Running pip install bandit installs pbr as required by setup.py:

pip install bandit
Collecting bandit
  Downloading bandit-1.7.4-py3-none-any.whl (118 kB)
     |████████████████████████████████| 118 kB 5.0 MB/s            
Collecting GitPython>=1.0.1
  Downloading GitPython-3.1.29-py3-none-any.whl (182 kB)
     |████████████████████████████████| 182 kB 40.1 MB/s            
Collecting PyYAML>=5.3.1
  Downloading PyYAML-6.0-cp310-cp310-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl (682 kB)
     |████████████████████████████████| 682 kB 120.2 MB/s            
Collecting stevedore>=1.20.0
  Downloading stevedore-4.1.0-py3-none-any.whl (50 kB)
     |████████████████████████████████| 50 kB 3.7 MB/s             
Collecting gitdb<5,>=4.0.1
  Downloading gitdb-4.0.9-py3-none-any.whl (63 kB)
     |████████████████████████████████| 63 kB 2.4 MB/s              
Collecting pbr!=2.1.0,>=2.0.0
  Downloading pbr-5.11.0-py2.py3-none-any.whl (112 kB)
     |████████████████████████████████| 112 kB 128.2 MB/s            
Collecting smmap<6,>=3.0.1
  Downloading smmap-5.0.0-py3-none-any.whl (24 kB)
Installing collected packages: smmap, pbr, gitdb, stevedore, PyYAML, GitPython, bandit
Successfully installed GitPython-3.1.29 PyYAML-6.0 bandit-1.7.4 gitdb-4.0.9 pbr-5.11.0 smmap-5.0.0 stevedore-4.1.0
WARNING: You are using pip version 21.3.1; however, version 22.3 is available.
You should consider upgrading via the '/tmp/bandit/test/env/bin/python3 -m pip install --upgrade pip' command.

Later remove pbr:

$ pip uninstall pbr
Found existing installation: pbr 5.11.0
Uninstalling pbr-5.11.0:
  Would remove:
    /tmp/bandit/test/env/bin/pbr
    /tmp/bandit/test/env/lib/python3.10/site-packages/pbr-5.11.0.dist-info/*
    /tmp/bandit/test/env/lib/python3.10/site-packages/pbr/*
Proceed (Y/n)? y
  Successfully uninstalled pbr-5.11.0

Bandit is not able to work without pbr:

$ bandit
Traceback (most recent call last):
  File "/tmp/bandit/test/env/bin/bandit", line 5, in <module>
    from bandit.cli.main import main
  File "/tmp/bandit/test/env/lib64/python3.10/site-packages/bandit/__init__.py", line 5, in <module>
    import pbr.version
ModuleNotFoundError: No module named 'pbr'

File bandit/__init__.py imports pbr:

bandit/__init__.py:import pbr.version
bandit/__init__.py:__version__ = pbr.version.VersionInfo("bandit").version_string()

I'm packaging Bandit for Fedora and pbr was being installed in the past as a dependency of stevedore. stevedore doesn't depend on pbr anymore, so in newer Fedora releases bandit started to fail. As I had to add a dependency on pbr, I guessed that adding it upstream would make sense.
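A small checker, added here as an example (not Bandit's own code), for the situation this thread describes: a module imported at runtime whose distribution is missing from the declared requirements. The source snippet, requirement list and import-to-distribution map are constructed from the pip output and the quoted `bandit/__init__.py` lines above; in a live environment `importlib.metadata.packages_distributions()` and `importlib.metadata.requires()` would supply them.

```python
import ast
import sys

# Constructed copy of the two bandit/__init__.py lines quoted in the thread.
BANDIT_INIT_SOURCE = '''
import pbr.version
__version__ = pbr.version.VersionInfo("bandit").version_string()
'''

# Hypothetical declared runtime requirements, taken from the pip output above
# (pbr deliberately left out, as in the setup.py the thread discusses).
DECLARED_REQUIREMENTS = ["GitPython>=1.0.1", "PyYAML>=5.3.1", "stevedore>=1.20.0"]

# Constructed map from import name to distribution name; a live check would use
# importlib.metadata.packages_distributions() (Python 3.10+) instead.
IMPORT_TO_DIST = {"git": "GitPython", "yaml": "PyYAML", "stevedore": "stevedore", "pbr": "pbr"}

# sys.stdlib_module_names exists from Python 3.10; a tiny fallback set otherwise.
STDLIB = getattr(sys, "stdlib_module_names", frozenset({"os", "sys", "re", "json", "ast"}))


def top_level_imports(source):
    """Return the set of top-level module names imported anywhere in `source`."""
    names = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                names.add(alias.name.split(".")[0])
        elif isinstance(node, ast.ImportFrom) and node.level == 0 and node.module:
            names.add(node.module.split(".")[0])
    return names


def requirement_name(spec):
    """Strip the version specifier: 'pbr!=2.1.0,>=2.0.0' -> 'pbr' (case-folded)."""
    for sep in ("!=", ">=", "<=", "==", "~=", ">", "<", ";", "["):
        spec = spec.split(sep)[0]
    return spec.strip().lower()


def undeclared_runtime_deps(source, declared, import_to_dist, stdlib=STDLIB):
    """Imported third-party distributions that are absent from the declared requirements."""
    declared_names = {requirement_name(s) for s in declared}
    missing = set()
    for mod in top_level_imports(source):
        if mod in stdlib:
            continue  # standard library needs no declaration
        dist = import_to_dist.get(mod, mod)
        if dist.lower() not in declared_names:
            missing.add(dist)
    return sorted(missing)
```

Run against the constructed inputs it reports `['pbr']`, which is exactly the transitive dependency that disappeared once stevedore stopped pulling it in.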

mportesdev commented 2 years ago

stevedore doesn't depend on pbr anymore

Which version are you referring to? I see that stevedore 3.5.2 and 4.1.0 both require pbr (!=2.1.0,>=2.0.0).

File bandit/__init__.py imports pbr:

bandit/__init__.py:import pbr.version
bandit/__init__.py:__version__ = pbr.version.VersionInfo("bandit").version_string()

Yes, I agree that if it's directly imported by bandit, it should be explicitly specified in requirements.

mikelolasagasti commented 2 years ago

stevedore doesn't depend on pbr anymore

Which version are you referring to? I see that stevedore 3.5.2 and 4.1.0 both require pbr (!=2.1.0,>=2.0.0).

Sorry, I meant runtime dep but stevedore never had it.

Let me add more context. The stevedore package in Fedora used to have a runtime dep on pbr, but the maintainers removed that dep as upstream stevedore doesn't require it at runtime, while keeping the dep for the build phase.

https://src.fedoraproject.org/rpms/python-stevedore/c/4b53b0bdf5f7e694561a6bd5926e99dbe5f327be?branch=rawhide

bandit's runtime dep on pbr was satisfied while stevedore required pbr, but once it was removed from stevedore, bandit started to fail because the missing runtime dep was no longer being installed.

mikelolasagasti commented 1 year ago

@sigmavirus24 any chance to reconsider the invalid tag?

ericwb commented 1 year ago

PR https://github.com/PyCQA/bandit/pull/1016 has removed the runtime dependency on pbr. As a result, I don't believe this PR is needed any longer.