GH-109408: Add a ``make lint`` target by AA-Turner · Pull Request #122333 · python/cpython
Who vouches for the security of the software that make lint will install on my machine?
Who vouches for the security of the software that
make lintwill install on my machine?
It is installed in a virtual environment. We already require folks to install third-party dependencies for extension module, not to mention various compiler toolchains for building.
Yup. For pip & setuptools it's PyPA; for compilers it's (for me) the distro. Here it's harder to keep up.
Repeating Greg's comment from the Discourse thread re naming:
What I could potentially imagine as nicer than
make patchcheckormake lintis actuallymake push… that runs meaningful checks that must pass prior to doing a git push of my branch to a git repo name of my choosing.
Who vouches for the security of the software that
make lintwill install on my machine?
...
For pip & setuptools it's PyPA; for compilers it's (for me) the distro. Here it's harder to keep up.
I think there are a couple of approaches we could take here. One is to use the pre-commit binary from the OS if it is installed, which allows you to trust your OS distribution (e.g. fedora, debian, gentoo). Another is to pin the version of pre-commit, and require a committer to update the pin. A third is to vendor pre-commit within CPython's source tree.
On a more philosophical level, I'm not sure the level of assurance we can provide -- to take the PyPA per your example, they provide a high level governance framework, rather than managing individual projects. A good example might be the documentation, where we pull in Sphinx, sphinxext-opengraph, sphinx-notfound-page, and many dependencies. There is no CPython assurance of any of these projects (beyond perhaps 'blurb' and 'python-docs-theme').
My proposal would be to use an OS-provided binary if it exists, which would also benefit in avoiding a venv if the user has pre-commit globally installed. Would this alleviate your concerns?
A
Also it is not required to install it locally, it runs on CI in any case.
Also it is not required to install it locally, it runs on CI in any case.
Yep. You don't need to install this, @encukou; it's optional :)
use the pre-commit binary from the OS if it is installed
The pre-commit binary is one thing. Another is the individual linters. They are installed from mutable tags on GitHub, and AFAIK, we don't have a policy for adding new ones or updating existing ones.
to take the PyPA per your example, they provide a high level governance framework, rather than managing individual projects.
Right, I said PyPA for short. The long story is that pip and setuptools are maintained by specific PyPA members, with (usually) close ties to the core dev team.
Still, it's something to keep in mind as a potential attack vector for getting into core devs' (and contributors') systems.
documentation, where we pull in Sphinx, sphinxext-opengraph, sphinx-notfound-page, and many dependencies
Yes. That's another place where I think we could improve handling the security implications.
You don't need to install this, @encukou; it's optional :)
Sure, I'm not really planning to use this.
But, while we're all used to pip downloading code from the 'net, having a make command do that is much more surprising -- at least to me.
[edited to add:] It feels like CPython should vouch for the security of its make targets.
This PR is stale because it has been open for 30 days with no activity.