Setuptools version 78.0.1 breaks install of many packages

22 points by computronus 3 months ago | 12 comments
  • lopuhin 3 months ago
    Crazy amount of breakage...

    Here is a PR which reverts this: https://github.com/pypa/setuptools/pull/4911

    Interesting that maintainers of setuptools still only postpone the depreciation date for a year, so we can probably expect more issues like this in the future.

  • andenacitelli 3 months ago
    From what I gather this has basically derailed CI for the morning for the majority of places out there. Only workaround is pinning build-time dependencies, which only pip and uv seem to let you do well. Poetry is SOL / heavily cache-dependent as to whether it works.
    • andenacitelli 3 months ago
      They yanked the relevant change and pushed a new one with a revert, this is now resolved

      Took them seemingly forever to do. The reversion, sure, that might take a bit to proof, but the yank should have been done way sooner

    • brtkwr 3 months ago
      Probably 78.0.0 as well which was released yesterday. The diff between 78.0.0 and 78.0.1 appears to be no-op from user perspective https://github.com/pypa/setuptools/compare/v78.0.0...v78.0.1
      • shadowgovt 3 months ago
        A yank may not actually be warranted in this circumstance. The change works for most users of setuptools; it's only a very specific configuration of (build-environment, setuptools-version, third-party-dependency) that can cause an issue.

        This is one of those situations where the scale of the software package is so large that even if only 0.1% of users had issue, that's a number representing tens of thousands of people.

      • computronus 3 months ago
        The original report is just for ansible-vault, but comments indicate widespread effects, hence the altered title here.
        • jarboot 3 months ago
          The current approach of the maintainers terrifies me -- de facto standards should be respected. Even if something is invalid like `description-file`, if it is present in 12k repos it should raise a warning and not break anything.

          In the rationale for this that I can find [1], a maintainer says the following:

          > I'm inclined to say we should do it, even though it will cause some disruption.

          They also say an alternative is to "accept the status quo", which is exactily what they should be doing. I can't find maintainers giving a compelling reason not to support this status quo of `long-description` as an alias to `long_description` besides "simplifying code." Code simplification should never take precedence over massive breakage of compatibility.

          [1] https://github.com/pypa/setuptools/pull/4870#pullrequestrevi...

          • HereBeBeasties 3 months ago
            It seems that the person who did this acted unilaterally, with no code review, and ignored (then disabled) broken tests while landing this (https://github.com/pypa/setuptools/pull/4909). One should not be too harsh - he seems to be a student. One perhaps should be more harsh on the commerical entity sponsoring the project, though - setuptools is sponsored by Sonar via "Tidelift". According to https://tidelift.com/subscription/pkg/pypi-setuptools:

            > The maintainers of setuptools get paid by Tidelift to

            > implement industry-leading secure software development

            > practices and document the practices they follow.

            Well, that really doesn't seem so in this case now, does it?

            • Numerlor 3 months ago
              I'm usually of the opinion of just removing stuff when it needs to be gone, but this is really an incosequential change to the setuptools code compared to how many problems it caused
              • jarboot 3 months ago
                "Needs to be gone" is the operative phrase here. An alias of `description-long` to `description_long` has no specific technical need to be removed.

                The conditions that lead to having two tokens pointing to the same functionality should be prevented, but in this case it is a "de facto" alias which no amount reasonable amount of labor could fix.

            • 3 months ago