[PATCH 0/3] Add python-bandit.

[PATCH 0/3] Add python-bandit.

[Cyril Roelandt]

The first and third patches are probably easy to review. The second one is a bit
tricky. As explained in the comment, there is a circular dependency between
recent versions of python-pbr and python-fixtures, so I packaged older versions
of both python-pbr and python-fixtures to bootstrap the whole thing.

I did not use "inherit" because newer versions of these packages have become
quite different from the old versions, so it might just be clearer to write a
separate definition. Also, python-pbr-0.11 is defined in python.scm, next to
python-fixtures, which should be the only package that will ever need it (or so
I hope). Maybe it would be better to move it next to python-pbr, in
openstack.scm?

Finally, note that python-testrepository does not build well with the latest
version of python-fixtures, so we keep using python-fixtures-0.3.16 for now.


Cyril.
--

Cyril Roelandt (3):
  gnu: Add python-pip.
  gnu: Update python-fixtures
  gnu: Add python-bandit.

 gnu/packages/openstack.scm |  40 +++++++++++++++++
 gnu/packages/python.scm    | 107 ++++++++++++++++++++++++++++++++++++++++++++-
 2 files changed, 145 insertions(+), 2 deletions(-)

-- 
2.1.4

[PATCH 1/3] gnu: Add python-pip.

[Cyril Roelandt]

* gnu/packages/python.scm (python-pip, python2-pip): New variables.
---
 gnu/packages/python.scm | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)

diff --git a/gnu/packages/python.scm b/gnu/packages/python.scm
index 798a22f..a8d811e 100644
--- a/gnu/packages/python.scm
+++ b/gnu/packages/python.scm
@@ -4916,3 +4916,35 @@ printing of sub-tables by specifying a row range.")
 
 (define-public python2-prettytable
   (package-with-python2 python-prettytable))
+
+(define-public python-pip
+  (package
+    (name "python-pip")
+    (version "7.1.2")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (string-append
+             "https://pypi.python.org/packages/source/p/pip/pip-"
+             version ".tar.gz"))
+       (sha256
+        (base32
+         "0xx4aypfgchxdknxq7gyqghd8wb221zrzyqlbabzm32jy237j16a"))))
+    (build-system python-build-system)
+    (inputs
+      `(("python-setuptools" ,python-setuptools)
+        ("python-virtualenv" ,python-virtualenv)
+        ;; Tests
+        ("python-mock" ,python-mock)
+        ("python-pytest" ,python-pytest)
+        ("python-scripttest" ,python-scripttest)))
+    (home-page "https://pip.pypa.io/")
+    (synopsis
+      "The PyPA recommended tool for installing Python packages")
+    (description
+      "Pip is a package manager for Python software, that finds packages on the
+Python Package Index (PyPI).")
+    (license license:expat)))
+
+(define-public python2-pip
+  (package-with-python2 python-pip))
-- 
2.1.4

[PATCH 2/3] gnu: Update python-fixtures

[Cyril Roelandt]

* gnu/packages/python.scm (python-fixtures): Update.
* gnu/packages/python.scm (python-fixtures-0.3.16,
  python2-fixtures-0.3.16, python-pbr-0.11,
  python2-pbr-0.11): New variables.
* gnu/packages/python.scm (python-testrepository): Use python-fxitures-0.3.16
  instead of python-fixtures in the inputs.
---
 gnu/packages/python.scm | 75 +++++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 73 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/python.scm b/gnu/packages/python.scm
index a8d811e..a3de1a7 100644
--- a/gnu/packages/python.scm
+++ b/gnu/packages/python.scm
@@ -1675,7 +1675,14 @@ protocol.")
 (define-public python2-subunit
   (package-with-python2 python-subunit))
 
-(define-public python-fixtures
+;; Recent versions of python-fixtures need a recent version of python-pbr,
+;; which needs a recent version of python-fixtures. To fix this circular
+;; dependency, we keep old versions of python-fixtures and python-pbr to
+;; bootstrap the whole thing:
+;; - python-fixtures-0.3.16 is used to build python-pbr-0.11
+;; - python-pbr-0.11 is used to build python-fixtures
+;; - python-fixtures is used to build python-pbr
+(define-public python-fixtures-0.3.16
   (package
     (name "python-fixtures")
     (version "0.3.16")
@@ -1700,6 +1707,70 @@ protocol.")
 Python tests.")
     (license (list bsd-3 asl2.0)))) ; at user's option
 
+(define-public python2-fixtures-0.3.16
+  (package-with-python2 python-fixtures-0.3.16))
+
+(define-public python-pbr-0.11
+  (package
+    (name "python-pbr")
+    (version "0.11.0")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (string-append
+             "https://pypi.python.org/packages/source/p/pbr/pbr-"
+             version ".tar.gz"))
+       (sha256
+        (base32
+         "0v9gb7gyqf7q9s99l0nnjj9ww9b0jvyqlwm4d56pcyinxydddw6p"))))
+    (build-system python-build-system)
+    (arguments
+     `(#:tests? #f)) ;; Most tests seem to use the Internet.
+    (inputs
+      `(("python-fixtures-0.3.16" ,python-fixtures-0.3.16)
+        ("python-pip" ,python-pip)
+        ("python-setuptools" ,python-setuptools)))
+    (home-page "https://launchpad.net/pbr")
+    (synopsis "Change the default behavior of Python’s setuptools")
+    (description
+      "Python Build Reasonableness (PBR) is a library that injects some useful
+and sensible default behaviors into your setuptools run.")
+    (license asl2.0)))
+
+(define-public python2-pbr-0.11
+  (package-with-python2 python-pbr-0.11))
+
+(define-public python-fixtures
+  (package
+    (name "python-fixtures")
+    (version "1.3.1")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (string-append
+             "https://pypi.python.org/packages/source/f/fixtures/fixtures-"
+             version ".tar.gz"))
+       (sha256
+        (base32
+         "1khpywdh91ijryhxjxiyyi5rmbimhl8hwbbf8lazhgzq6yxz6g5n"))))
+    (build-system python-build-system)
+    (propagated-inputs
+     `(("python-six" ,python-six)
+       ("python-pbr-0.11" ,python-pbr-0.11)))
+    (inputs
+     `(("python-pip" ,python-pip)
+       ("python-setuptools" ,python-setuptools)
+       ;; Tests
+       ("python-testtools" ,python-testtools)))
+    (arguments
+     '(#:tests? #f)) ; no setup.py test command
+    (home-page "https://launchpad.net/python-fixtures")
+    (synopsis "Python test fixture library")
+    (description
+     "Fixtures provides a way to create reusable state, useful when writing
+Python tests.")
+    (license (list bsd-3 asl2.0)))) ; at user's option
+
 (define-public python2-fixtures
   (package-with-python2 python-fixtures))
 
@@ -1718,7 +1789,7 @@ Python tests.")
          "1ssqb07c277010i6gzzkbdd46gd9mrj0bi0i8vn560n2k2y4j93m"))))
     (build-system python-build-system)
     (propagated-inputs
-     `(("python-fixtures" ,python-fixtures)
+     `(("python-fixtures-0.3.16" ,python-fixtures-0.3.16)
        ("python-testtools" ,python-testtools)))
     (inputs
      `(("python-setuptools" ,python-setuptools)
-- 
2.1.4

[PATCH 3/3] gnu: Add python-bandit.

[Cyril Roelandt]

* gnu/packages/openstack.scm (python-bandit, python2-bandit): New variables.
---
 gnu/packages/openstack.scm | 40 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)

diff --git a/gnu/packages/openstack.scm b/gnu/packages/openstack.scm
index 39584d5..4fd1c80 100644
--- a/gnu/packages/openstack.scm
+++ b/gnu/packages/openstack.scm
@@ -25,6 +25,46 @@
                 #:select (asl2.0))
   #:use-module (guix packages))
 
+(define-public python-bandit
+  (package
+    (name "python-bandit")
+    (version "0.13.2")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (string-append
+             "https://pypi.python.org/packages/source/b/bandit/bandit-"
+             version ".tar.gz"))
+       (sha256
+        (base32
+         "03g3cflvrc99ncjd611iy5nnnscsc2vgnrx4mjaqyx8glbfw8y7g"))))
+    (build-system python-build-system)
+    (propagated-inputs
+      `(("python-appdirs" ,python-appdirs)
+        ("python-pyyaml" ,python-pyyaml)
+        ("python-six" ,python-six)
+        ("python-stevedore" ,python-stevedore)))
+    (inputs
+      `(("python-pbr" ,python-pbr)
+        ("python-setuptools" ,python-setuptools)
+        ;; Tests
+        ("python-fixtures" ,python-fixtures)
+        ("python-mock" ,python-mock)
+        ("python-testrepository" ,python-testrepository)
+        ("python-testscenarios" ,python-testscenarios)
+        ("python-testtools" ,python-testtools)))
+    (home-page "https://wiki.openstack.org/wiki/Security/Projects/Bandit")
+    (synopsis "Security oriented static analyser for python code.")
+    (description
+      "Bandit is a tool designed to find common security issues in Python code.
+To do this Bandit processes each file, builds an AST from it, and runs
+appropriate plugins against the AST nodes.  Once Bandit has finished scanning
+all the files it generates a report.")
+    (license asl2.0)))
+
+(define-public python2-bandit
+  (package-with-python2 python-bandit))
+
 (define-public python-debtcollector
   (package
     (name "python-debtcollector")
-- 
2.1.4

Re: [PATCH 1/3] gnu: Add python-pip.

[Mathieu Lirzin]

Cyril Roelandt <tipecaml@gmail.com> writes:

> * gnu/packages/python.scm (python-pip, python2-pip): New variables.
> ---
>  gnu/packages/python.scm | 32 ++++++++++++++++++++++++++++++++
>  1 file changed, 32 insertions(+)

[...]

> +    (home-page "https://pip.pypa.io/")
> +    (synopsis
> +      "The PyPA recommended tool for installing Python packages")
                   ^^^

IMO Pypa recommandations are not relevant in Guix context.  What about
something more neutral like “Xenophobic package manager”? ;) Just
kidding.

I would prefer 

    (synopsis "Package manager for Python software")

> +    (description
> +      "Pip is a package manager for Python software, that finds packages on the
> +Python Package Index (PyPI).")

It would be nice to have a more verbose description, for example
describing its main features...  Sorry I can't help much :)

> +    (license license:expat)))
> +
> +(define-public python2-pip
> +  (package-with-python2 python-pip))

Otherwise LGTM!

--
Mathieu Lirzin

Re: [PATCH 2/3] gnu: Update python-fixtures

[Mathieu Lirzin]

I can't help much about the circular dependency problem.  I think it is
important to avoid propagation of inputs from old versions, but I don't
know if this is feasible.  Here are my usual cosmetic comments :)


Cyril Roelandt <tipecaml@gmail.com> writes:

> * gnu/packages/python.scm (python-fixtures): Update.
> * gnu/packages/python.scm (python-fixtures-0.3.16,
>   python2-fixtures-0.3.16, python-pbr-0.11,
>   python2-pbr-0.11): New variables.
> * gnu/packages/python.scm (python-testrepository): Use python-fxitures-0.3.16
                                                                ^^^
                                                                fixtures
>   instead of python-fixtures in the inputs.

[...]

> +(define-public python-pbr-0.11
> +  (package
> +    (name "python-pbr")
> +    (version "0.11.0")
> +    (source
> +     (origin
> +       (method url-fetch)
> +       (uri (string-append
> +             "https://pypi.python.org/packages/source/p/pbr/pbr-"
> +             version ".tar.gz"))
> +       (sha256
> +        (base32
> +         "0v9gb7gyqf7q9s99l0nnjj9ww9b0jvyqlwm4d56pcyinxydddw6p"))))
> +    (build-system python-build-system)
> +    (arguments
> +     `(#:tests? #f)) ;; Most tests seem to use the Internet.

     `(#:tests? #f))                    ;most tests seem to use the internet

--
Mathieu Lirzin

Re: [PATCH 2/3] gnu: Update python-fixtures

[Thompson, David]

On Mon, Sep 21, 2015 at 6:31 PM, Cyril Roelandt <tipecaml@gmail.com> wrote:
> * gnu/packages/python.scm (python-fixtures): Update.
> * gnu/packages/python.scm (python-fixtures-0.3.16,
>   python2-fixtures-0.3.16, python-pbr-0.11,
>   python2-pbr-0.11): New variables.
> * gnu/packages/python.scm (python-testrepository): Use python-fxitures-0.3.16
>   instead of python-fixtures in the inputs.

One package update or new package per patch, please.

- Dave

Re: [PATCH 2/3] gnu: Update python-fixtures

[Cyril Roelandt]

On 09/22/2015 09:16 PM, Thompson, David wrote:
> On Mon, Sep 21, 2015 at 6:31 PM, Cyril Roelandt <tipecaml@gmail.com> wrote:
>> * gnu/packages/python.scm (python-fixtures): Update.
>> * gnu/packages/python.scm (python-fixtures-0.3.16,
>>   python2-fixtures-0.3.16, python-pbr-0.11,
>>   python2-pbr-0.11): New variables.
>> * gnu/packages/python.scm (python-testrepository): Use python-fxitures-0.3.16
>>   instead of python-fixtures in the inputs.
> 
> One package update or new package per patch, please.
> 

I know it is usually done like this, but I feel this is a bit special,
since all these changes are only done in order to update
python-fixtures. I could have:

1) renamed python-fixtures to python-fixtures-0.3.16 and changed inputs
from "python-fixtures" to "python-fixtures-0.3.16" for all packages that
depend on fixtures
2) added python-pbr-0.11
3) added python-fixtures
4) changed inputs from "python-fixtures-0.3.16" to "python-fixtures" for
all packages that depend on fixtures

But I feel it would be incredibly confusing when looking at "git log". WDYT?

Cyril.

Re: [PATCH 2/3] gnu: Update python-fixtures

[Ludovic Courtès]

Cyril Roelandt <tipecaml@gmail.com> skribis:

> On 09/22/2015 09:16 PM, Thompson, David wrote:
>> On Mon, Sep 21, 2015 at 6:31 PM, Cyril Roelandt <tipecaml@gmail.com> wrote:
>>> * gnu/packages/python.scm (python-fixtures): Update.
>>> * gnu/packages/python.scm (python-fixtures-0.3.16,
>>>   python2-fixtures-0.3.16, python-pbr-0.11,
>>>   python2-pbr-0.11): New variables.
>>> * gnu/packages/python.scm (python-testrepository): Use python-fxitures-0.3.16
>>>   instead of python-fixtures in the inputs.
>> 
>> One package update or new package per patch, please.
>> 
>
> I know it is usually done like this, but I feel this is a bit special,
> since all these changes are only done in order to update
> python-fixtures. I could have:
>
> 1) renamed python-fixtures to python-fixtures-0.3.16 and changed inputs
> from "python-fixtures" to "python-fixtures-0.3.16" for all packages that
> depend on fixtures
> 2) added python-pbr-0.11
> 3) added python-fixtures
> 4) changed inputs from "python-fixtures-0.3.16" to "python-fixtures" for
> all packages that depend on fixtures
>
> But I feel it would be incredibly confusing when looking at "git log". WDYT?

Yeah, two commits would do IMO: one to add python-pbr-0.11, and the
other one for the rest.

Could you do that?  This patch series needs to go in before it
accumulates dust.

Thanks,
Ludo’.

Re: [PATCH 2/3] gnu: Update python-fixtures

[Cyril Roelandt]

On 09/27/2015 10:17 PM, Ludovic Courtès wrote:
> Yeah, two commits would do IMO: one to add python-pbr-0.11, and the
> other one for the rest.
> 
> Could you do that?  This patch series needs to go in before it
> accumulates dust.

No, it'd be a bloody pain.

If I just add python-pbr-0.11, then I'd have to change its inputs in the
next patch (python-fixtures -> python-fixtures-0.3.16), so it adds weird
stuff in the next commit.

The thing is, this is a terrible mess, and the only way to have
something easily understandable in the git history is to do this in one
single, clean commit. I'm already having a hard time resisting the urge
of writing a 3-paragraph commit log to explain everything ;)


Cyril.

Re: [PATCH 2/3] gnu: Update python-fixtures

[Ludovic Courtès]

Cyril Roelandt <tipecaml@gmail.com> skribis:

> On 09/27/2015 10:17 PM, Ludovic Courtès wrote:
>> Yeah, two commits would do IMO: one to add python-pbr-0.11, and the
>> other one for the rest.
>> 
>> Could you do that?  This patch series needs to go in before it
>> accumulates dust.
>
> No, it'd be a bloody pain.
>
> If I just add python-pbr-0.11, then I'd have to change its inputs in the
> next patch (python-fixtures -> python-fixtures-0.3.16), so it adds weird
> stuff in the next commit.
>
> The thing is, this is a terrible mess, and the only way to have
> something easily understandable in the git history is to do this in one
> single, clean commit. I'm already having a hard time resisting the urge
> of writing a 3-paragraph commit log to explain everything ;)

Well OK, if that’s what it takes, let’s do it.

Thanks,
Ludo’.