maxmind / MaxMind-DB-Reader-python

Python MaxMind DB reader extension
https://maxminddb.readthedocs.org/
Apache License 2.0

Vendor libmaxminddb and produce binary wheels #125

Closed oschwald closed 11 months ago

oschwald commented 11 months ago

@paravoid, we are planning on vendoring libmaxminddb in order to make the extension easier to install. I know this will affect the Debian packages. I am not sure how you want to deal with it there. If you still want to use the system shared lib, it should be possible to adjust the setup.py script to allow overriding the default via an environment variable or something.

paravoid commented 11 months ago

Interesting! Thank you so much for the heads-up, much appreciated!

This is indeed a bit problematic in Debian. As far as I understand from your note and a quick glance at the PR, the vendoring is just for ease of use, and thus there is no reason for Debian to keep it vendored, right? No special modifications, or deeper-level integration at the source code or anything like that.

If so, then we'd want to build against the system copy of libmaxminddb indeed. That would ensure that we only maintain one copy of libmaxminddb, and so for example in the case of a security update, we only have to update libmaxminddb, not python-maxminddb.

As far as I can tell from the code, the changes to accomplish this would be contained in setup.py, right? I could carry a patch in the Debian patch to revert these changes, but to your point, I'd love it if such code were in the setup.py you ship gated behind an option, so that it doesn't diverge over time :)

For what it's worth, while I'm not an expert in any other distributions, my understanding is that other distros have similar policies, e.g. https://fedoraproject.org/wiki/Packages_that_embed_code_copies and so this may be useful to others besides just Debian/Ubuntu.

Thanks again!

oschwald commented 11 months ago

@paravoid, right, vendoring is just for ease of use for people installing off of PyPI. If there was a security update that affected the use of libmaxminddb, we would release a new version of the module.

Given your thoughts, I'll try adding an environment variable that disables using the vendored version. I don't think that will be too hard to add and it should save you from having to maintain a patch.
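
The opt-out discussed in this thread, sketched as an added example that is not part of the thread or of the project's own setup.py: a build helper that compiles the vendored libmaxminddb sources by default and links against the system shared library when an environment variable is set, so a distribution patches only one copy. The variable name `EXAMPLE_USE_SYSTEM_LIBMAXMINDDB` and the source paths are hypothetical.

```python
import os
from pathlib import Path

# Hypothetical variable name; the thread does not say what the option will be called.
ENV_VAR = "EXAMPLE_USE_SYSTEM_LIBMAXMINDDB"
# Hypothetical location of the vendored library inside the source tree.
VENDORED_DIR = Path("extension") / "libmaxminddb"
# Hypothetical path of the Python binding's own C source.
BINDING_SOURCES = ["extension/maxminddb.c"]


def use_system_lib(environ=os.environ):
    """Return True when the packager asked for the system copy of the library."""
    return environ.get(ENV_VAR, "").strip().lower() in {"1", "true", "yes", "on"}


def extension_kwargs(environ=os.environ, vendored_dir=VENDORED_DIR):
    """Build the keyword arguments that would be passed to setuptools.Extension."""
    if use_system_lib(environ):
        # Distribution build: link dynamically (-lmaxminddb), so a security
        # update to the libmaxminddb package also covers this module.
        return {"sources": list(BINDING_SOURCES), "libraries": ["maxminddb"]}

    # Default (PyPI) build: compile the vendored copy into the extension.
    vendored = sorted(str(p) for p in Path(vendored_dir, "src").glob("*.c"))
    if not vendored:
        # Fail loudly rather than silently linking whatever is on the system.
        raise RuntimeError(
            f"vendored sources not found under {vendored_dir}; "
            f"set {ENV_VAR}=1 to build against the system library"
        )
    return {
        "sources": list(BINDING_SOURCES) + vendored,
        "include_dirs": [
            str(Path(vendored_dir, "include")),
            str(Path(vendored_dir, "src")),
        ],
    }
```

A setup.py would pass the result as `Extension("maxminddb.extension", **extension_kwargs())`; the module name there is likewise an assumption.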