guac VS setuptools

Interestingly I sort of went in the other direction at one point -- converting what was obviously a graph (build pipelines) into a from-to / credit-debit representation. On reflection it's just an edge list.

My main problem with adapting the representation was in the incommensurability of different kinds of asset moving through the pipeline. How does one credit source code and debit a blob store? I thought about learning more about multi-currency accounting as a source for ideas but never followed it up.

That effort inspired my thinking about a "Universal Asset Graph" for software[0] -- keeping track of not just containment but also movement and transformation of software. It's a partial but not complete inspiration for GUAC, which aims to capture software part relations for easy querying.

[0] https://theoryof.predictable.software/articles/some-requirem...

[1] https://guac.sh

> biggest takeaway from this article is the Supply chain Levels for Software Artifacts (SLSA) security framework

See also GUAC from Kusari, Google, Citi, and others:

“GUAC (Graph for Understanding Artifact Composition) aims to fill in the gaps by ingesting software metadata, like SBOMs, and mapping out relationships between software. When you know how one piece of software affects another, you’ll be able to fully understand your software security position and act as needed.”

https://guac.sh

https://www.kusari.dev

To be fair, that seems to have been a 2 year warning:

https://github.com/pypa/setuptools/commit/3544de73b3662a27fa...

There was/is some discussion in setuptools about how to normalize the tarball (https://github.com/pypa/setuptools/issues/2133#issuecomment-...) coudl something similar be applied to Building Python itself ?

❯ yay -Sy python-setuptools python-jaraco.text ❯ pip show setuptools Name: setuptools Version: 67.7.0 Summary: Easily download, build, install, upgrade, and uninstall Python packages Home-page: https://github.com/pypa/setuptools Author: Python Packaging Authority Author-email: [email protected] License: Location: /usr/lib/python3.11/site-packages Requires: jaraco.text, more-itertools, ordered-set, packaging, platformdirs, tomli, validate-pyproject Required-by: Cerberus, fs, httpie, input-remapper, pecan, pycountry, python-lsp-server, reuse, setuptools-scm, zc.lockfile

Link: https://github.com/pypa/setuptools/issues/3772

For example, when it comes to Python, one option is to use the same packaging system that a huge number of open-source libraries and tools are published with. You can use setuptools or Hatch to build a "packaged" version of your code, and publish it to either the public PyPi repository or an internal one that you set up. Then your users can use pip to install your package, automatically fetch its dependencies, and keep it up to date, just like any other Python module.

You could maybe make it a click Application, and use setuptools.

Not sure how advisable it is to depend on setup.py given the setuptools team has very clearly stated that they are not interested in supporting any cli commands anymore including setup.py install. Relavant PR