Open cafhach opened 5 months ago
I believe this is expected behaviour with how packages are built. Could you elaborate why that's an issue?
Imho it's an issue because .pyc files are opaque and can in principle be used to conceal malicious code, e.g. https://www.reversinglabs.com/blog/when-python-bytecode-bites-back-who-checks-the-contents-of-compiled-python-files
Since they are not necessary in the package (they are automatically generated by the python interpreter from the respective .py file) their existence looks suspicious to me (no offense).
No offence taken.
This is because .pyc files are generated as part of the build process with setuptools. There's not much we can do with that. I think the common way to exclude them is with a MANIFEST.in file which in our case is generated by setuptools.
I will look into it, but since this is related to packaging and is not a real security risk (.pyc files are generated on conda-forge runners, automatically via setuptools without anyone's interaction) it goes low on the priority list.
Btw. the __pycache__ dir is not in the wheel (on PyPI), so I would guess that the issue arises from conda-build and not setuptools.
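A check for the concern raised in this thread, that a shipped .pyc need not correspond to the .py next to it (an added example, not code from the thread, fortls or conda-build): it parses the PEP 552 header and then compares the code object against a fresh compile of the source. The function names and the sample sources are constructed for illustration, and the comparison only works under the same Python version that produced the .pyc.

```python
import importlib.util
import marshal
import struct

HEADER_LEN = 16  # magic(4) + flags(4) + mtime/size or source hash(8), per PEP 552


def make_pyc(body_src: bytes, claimed_src: bytes, mtime: int = 0) -> bytes:
    """Build a timestamp-style .pyc: header describes claimed_src, code comes from body_src."""
    code = compile(body_src, "<sample>", "exec", dont_inherit=True, optimize=0)
    header = importlib.util.MAGIC_NUMBER + struct.pack(
        "<III", 0, mtime, len(claimed_src) & 0xFFFFFFFF)
    return header + marshal.dumps(code)


def verify_pyc(pyc: bytes, source: bytes) -> str:
    """Return 'match', or the first reason the .pyc does not correspond to source."""
    if len(pyc) < HEADER_LEN or pyc[:4] != importlib.util.MAGIC_NUMBER:
        return "unsupported-magic"   # built by another Python version: cannot compare here
    flags = struct.unpack("<I", pyc[4:8])[0]
    if flags & 0x1:                  # hash-based pyc: bytes 8..16 are a hash of the source
        if pyc[8:16] != importlib.util.source_hash(source):
            return "header-mismatch"
    elif struct.unpack("<I", pyc[12:16])[0] != len(source) & 0xFFFFFFFF:
        return "header-mismatch"     # timestamp pyc: bytes 12..16 are the source size
    # The header is only metadata; the real check is the code object itself.
    # marshal.loads does not execute anything, but marshal is not hardened against
    # malformed input, so run this in a throwaway environment.
    try:
        shipped = marshal.loads(pyc[HEADER_LEN:])
    except (ValueError, EOFError, TypeError):
        return "unreadable-code"
    # Code-object equality ignores co_filename, so the build path does not matter.
    expected = compile(source, "<sample>", "exec", dont_inherit=True, optimize=0)
    return "match" if shipped == expected else "code-mismatch"


# Constructed sample inputs (not taken from the fortls package).
SHIPPED_SRC = b"def greet():\n    return 'hello'\n"
OTHER_SRC = b"def greet():\n    return 'HELLO'\n"   # same length, different behaviour
```

A .pyc whose header matches the source but whose body was compiled from something else is reported as `code-mismatch`, which a size or timestamp check alone would not notice.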
Solution to issue cannot be found in the documentation.
Issue
At least the following conda packages contained pyc files:
https://anaconda.org/conda-forge/fortls/3.1.1/download/linux-64/fortls-3.1.1-py311h38be061_0.conda
https://anaconda.org/conda-forge/fortls/3.1.2/download/linux-64/fortls-3.1.2-py311h38be061_0.conda
in lib/python3.11/site-packages/fortls/parsers/__pycache__.
Installed packages
Environment info