Produce a pure-Python verification API #770
Comments

charset-normalizer has a universal wheel too.

Multidict claims that the library has optional C extensions for speed. There's no universal wheel though; this will need a closer look.

Interesting, I wonder why they ship impure wheels as well.

To address

On that front, there's currently an effort (which I'm working on with others at ToB) to support X.509 path building in

TL;DR: When path validation is merged, it should be possible to eliminate

Removing

Documenting the native code requirements is a very good idea, but for the end goal we'll also want to look at the dependency tree as a whole: if the subset of the dependency tree (that is not part of e.g. pip's dependency tree already) is too large, then pip maintainers might not be enthusiastic about vendoring attempts. The point I'm making is that putting a lot of effort into fixing the native code situation is not useful if the end result will still be unacceptable for vendoring because of the size of the dependency tree...

This looks like a build system issue: it's supported, but the CD builder just doesn't build the universal wheel.
Description

Some installers that may want to eventually perform signature verification have a hard requirement that all their dependencies are pure-Python (`pip` is the predominant example, because it vendors all its dependencies into a single pure-Python wheel).

Because `sigstore-python` has sub-dependencies that ship non-pure Python wheels, it's not immediately usable from these installers. However, installers will specifically only use a subset of our overall API (presumably just verification) and might not have a need for all the dependencies we have with native code.

Given that, we should:

At a high level, looking at current sub-dependencies that ship non-pure Python wheels or have sub-dependencies that ship non-pure Python wheels shows the following:

- `cffi==1.15.1` (impure)
- `cryptography==41.0.3` (impure)
- `pyopenssl==23.2.0` (pure)
- `cryptography==41.0.3` (impure)
- `charset-normalizer==3.2.0` (impure)
- `requests==2.31.0` (pure)
- `multidict==6.0.4` (impure)
- `grpclib==0.4.5` (pure)
- `betterproto==2.0.0b5` (pure)
- `sigstore-protobuf-specs==0.1.0` (pure)
- `pydantic==1.10.12` (impure) (this will be resolved in our 2.0 release when we upgrade to `pydantic >= 2, < 3`)
- `id==1.1.0` (pure)
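A way to check this mechanically, as an added example that is not sigstore-python's own code: classify each release file by its PEP 427 tags (a wheel is pure when its ABI tag is `none` and its platform tag is `any`), then walk a dependency graph from a hypothetical verification-only root to list which transitive dependencies ship no pure wheel. The wheel filenames and the dependency edges below are constructed for illustration from the versions listed above, not fetched from PyPI, and the `verify` root is an assumption.

```python
import re
from collections import deque

# PEP 427 wheel filename: {name}-{version}(-{build})?-{python}-{abi}-{platform}.whl
_WHEEL_RE = re.compile(
    r"^(?P<name>[^-]+)-(?P<version>[^-]+)(?:-(?P<build>\d[^-]*))?"
    r"-(?P<python>[^-]+)-(?P<abi>[^-]+)-(?P<platform>[^-]+)\.whl$"
)


def is_pure_wheel(filename: str) -> bool:
    """A wheel is pure-Python (a "universal" wheel) when it declares no ABI
    and the "any" platform, i.e. a py3-none-any style tag triple."""
    m = _WHEEL_RE.match(filename)
    if m is None:
        raise ValueError(f"not a wheel filename: {filename}")
    return m.group("abi") == "none" and m.group("platform") == "any"


def project_is_pure(filenames) -> bool:
    """A project can be vendored by a pure-Python installer only if at least one
    release file is a pure wheel; platform wheels may exist alongside it."""
    return any(is_pure_wheel(f) for f in filenames)


def impure_closure(deps, releases, root):
    """Breadth-first walk of the dependency graph from `root`; returns the
    sorted transitive dependencies that ship no pure wheel."""
    seen, queue = set(), deque([root])
    while queue:
        pkg = queue.popleft()
        if pkg in seen:
            continue
        seen.add(pkg)
        queue.extend(deps.get(pkg, ()))
    return sorted(p for p in seen if p != root and not project_is_pure(releases[p]))


# Constructed release-file lists (one or two tags each, not full PyPI listings).
RELEASES = {
    "cffi": ["cffi-1.15.1-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl"],
    "cryptography": ["cryptography-41.0.3-cp37-abi3-manylinux_2_28_x86_64.whl"],
    "pyopenssl": ["pyOpenSSL-23.2.0-py3-none-any.whl"],
    "charset-normalizer": ["charset_normalizer-3.2.0-cp311-cp311-macosx_10_9_x86_64.whl",
                           "charset_normalizer-3.2.0-py3-none-any.whl"],
    "requests": ["requests-2.31.0-py3-none-any.whl"],
    "multidict": ["multidict-6.0.4-cp311-cp311-manylinux_2_17_x86_64.whl"],
    "grpclib": ["grpclib-0.4.5-py3-none-any.whl"],
}
# Assumed edges for a hypothetical verification-only subset ("verify" is made up).
DEPS = {
    "verify": ["cryptography", "pyopenssl", "requests", "grpclib"],
    "cryptography": ["cffi"], "pyopenssl": ["cryptography"],
    "requests": ["charset-normalizer"], "grpclib": ["multidict"],
}
```

Running `impure_closure(DEPS, RELEASES, "verify")` reports the native-code packages the subset would still drag in, which is the size question raised in the comments above.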