zopefoundation / AccessControl

Security framework for Zope.

Update to Python 3.11.0b3. #129

Closed icemac closed 2 years ago

icemac commented 2 years ago

Uses https://github.com/zopefoundation/meta/pull/149

dataflake commented 2 years ago

Those test failures imply that RestrictedPython versions 5.1 and 5.2, which do exist on PyPI, are not "seen" by the installation routine?? I'm confused.

```
ERROR: Could not find a version that satisfies the requirement RestrictedPython>=5.1 (from accesscontrol) (from versions: 3.4.2, 3.4.3, 3.5.0, 3.5.1, 3.5.2, 3.6.0a1, 3.6.0, 4.0a1, 4.0a2, 4.0a3, 4.0b1, 4.0b2, 4.0b3, 4.0b4, 4.0b5, 4.0b6, 4.0b7, 4.0b8, 4.0, 5.0, 5.3a1.dev0)
ERROR: No matching distribution found for RestrictedPython>=5.1
```

icemac commented 2 years ago

@dataflake It happens on Python 3.11 so it should install 5.3a1.dev0. 5.1 and 5.2 are not Python 3.11 compatible by python_requires in setup.py. I'll try to allow pre-released versions to get 5.3a1.dev0.

icemac commented 2 years ago

@dataflake Now the tests are green: We need to explicitly tell pip to use pre-released versions of the packages (RestrictedPython in this case). Could you please review the PR?

icemac commented 2 years ago

@dataflake We have a RestrictedPython release which can be used for Python 3.11, it is 5.3a1.dev0. As long as there is no final version of Python 3.11 we cannot release a non-pre-release version of RestrictedPython as we are unable to check for security implications which might even be added in the last release candidate.

If we want to create a final RestrictedPython release first, we would have to wait until October to start testing Python 3.11; I think this is too late.

I could imagine allowing pre-releases only for future Python versions, if you think this would improve the situation.

dataflake commented 2 years ago

The whole concept of making a pre-release version of some package a dependency for any released packages is scaring me.

I would restrict that alpha dependency as far as possible. So for example, only ever allow it during testing and maybe only specifically during testing with Python 3.11.

There shouldn't be a situation where such an alpha dependency is loaded while installing this package on any of the officially supported Python versions, even if it happens by accident.

icemac commented 2 years ago

@dataflake I updated the configuration to allow pre-released versions just for future Python versions. Do you think it is better now?

icemac commented 2 years ago

Hm, it seems I broke building the wheels, so the tests try to build them again. Next time I'll look into it.
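
The policy discussed in this thread (pre-release dependencies tolerated only while testing a not-yet-released Python, never on a supported one) can be enforced as a CI guard. The following is an added example, not code from AccessControl or this PR; the function names and the `first_unreleased` parameter are hypothetical, and the sample package set in the comments is constructed.

```python
import re
import sys
from importlib import metadata

# PEP 440 canonical form; "pre" is aN/bN/rcN and "dev" is .devN.
_PEP440 = re.compile(
    r"^(\d+!)?\d+(\.\d+)*(?P<pre>(a|b|rc)\d+)?(\.post\d+)?"
    r"(?P<dev>\.dev\d+)?(\+[a-z0-9.]+)?$"
)


def is_prerelease(version):
    """True for alpha/beta/rc/dev versions such as 5.3a1.dev0."""
    m = _PEP440.match(version.strip().lower())
    if m is None:
        # Non-canonical version strings are treated as suspect, not as final.
        return True
    return bool(m.group("pre") or m.group("dev"))


def prerelease_violations(installed, python_version, first_unreleased=(3, 11)):
    """Return sorted (name, version) pairs that break the policy.

    installed: mapping of distribution name -> version string.
    first_unreleased: assumed first Python version without a final release;
    pre-releases are tolerated only at or above it.
    """
    if tuple(python_version[:2]) >= tuple(first_unreleased):
        return []
    return sorted((n, v) for n, v in installed.items() if is_prerelease(v))


def installed_distributions():
    """Name -> version for everything importlib.metadata can see."""
    return {
        d.metadata["Name"]: d.version
        for d in metadata.distributions()
        if d.metadata["Name"]
    }


if __name__ == "__main__":
    bad = prerelease_violations(installed_distributions(), sys.version_info)
    for name, version in bad:
        print(f"pre-release on a supported Python: {name}=={version}")
    sys.exit(1 if bad else 0)
```

Run as a final step in each test environment, it fails the job if an alpha such as 5.3a1.dev0 was pulled in by accident on a supported interpreter.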