Build platform-specific wheels containing libmagic #294
Conversation
ddelange
changed the title
ddelange
force-pushed
the
abi3-wheels
branch
2 times, most recently
from
a98f13b to
dc9c393
Compare
ddelange
force-pushed
the
abi3-wheels
branch
12 times, most recently
from
d672b91 to
14f7dbb
Compare
ddelange
force-pushed
the
abi3-wheels
branch
from
14f7dbb to
ec952d7
Compare
|
This is nice! Hope this will be merged soon! Just ran into issues with my library being not usable by Mac and Windows users because I rely on
|
.github/workflows/main.yml
Outdated
| with: | ||
| files: dist/* | ||
|
|
||
| - name: Upload to PyPI |
There was a problem hiding this comment.
A small improvement here might be to use the PyPa Action instead: https://github.com/pypa/gh-action-pypi-publish
The big advantage is trusted publishing, instead of storing a password or token as a secret
There was a problem hiding this comment.
that's cool, thanks for sharing!
@ahupp shall I make that change and you set it up on PyPI side?
There was a problem hiding this comment.
Sounds like trusted publishing is the way to go. I recently got this email:
Hi ddelange!
Earlier this year, we announced that PyPI would require all users to enable a form of two-factor authentication on their accounts by the end of 2023.Keeping your PyPI account secure is important to all of us. We encourage you to enable two-factor authentication on your PyPI account as soon as possible.
What forms of 2FA can I use?
We currently offer two main forms of 2FA for your account:Security device including modern browsers (preferred) (e.g. Yubikey, Google Titan)
Authentication app (e.g. Google Authenticator)
Once one of these secure forms is enabled on your account, you will also need to use either Trusted Publishers (preferred) or API tokens to upload to PyPI.What do I do if I lose my 2FA device?
As part of 2FA enrollment, you will receive one-time use recovery codes. One of them must be used to confirm receipt before 2FA is fully active. Keep these recovery codes safe - they are equivalent to your 2FA device. Should you lose access > to your 2FA device, use a recovery code to log in and swap your 2FA to a new device.Read more aboutrecovery codes.
Why is PyPI requiring 2FA?
Keeping all users of PyPI is a shared responsibility we take seriously. Strong passwords combined with 2FA is a recognized secure practice for over a decade.We are requiring 2FA to protect your account and the packages you upload, and to protect PyPI itself from malicious actors. The most damaging attacks are account takeover and malicious package upload.
To see this and other security events for your account, visit your account security history.
Read more on this blog post.
If you run into problems, read the FAQ page. If the solutions there are unable to resolve the issue, contact us via support@pypi.org.
Thanks,
The PyPI Admins
There was a problem hiding this comment.
@ahupp so the last thing for you to do is adding this repo as trusted publisher to https://pypi.org/manage/project/python-magic/settings/publishing/
|
This is huge, thank you! Apology for the delay I thought I'd commented earlier but guess not. I'll look this over soon; I didn't quite understand how bad the binary dep situation was expecially on windows. |
|
@ahupp @stumpylog could we have this one merged (and released) by the end of the year please ? |
|
Hi! Great PR, is there any real contention about it beyond the scope of OS/distro support in Most users will only ever want the wheels from this repo. In particular, this looks like it will solidly cover usage in Docker images. Anyone who wants to use the source version and provide libmagic themselves, probably knows best how to do the latter in their environment. given info on where this package will look for the library. (Those who package python-magic for their Linux distro of choice will already have a preferred way of ensuring libmagic presence. This will probably not exactly match anything suggested in python-magic docs.) Even for those particularly invested in having a range of setup instructions, the PR in its current state should look like a clear improvement on master, and further improvements in that are will come more easily as separate PRs (because they won’t be tied to CI scripts). So: how about merging this without completing libmagic setup instructions for every possible platform? Seems like it already does what the PR title says. |
Totally for it. My suggestions just show the way to improve it, but I would merge it "as is" since it already provides a huge value. "Perfect is the enemy of good". @ahupp hopefully you can find some time to review this most discussed PR in the |
| tmpfile="$(mktemp)" && | ||
| curl -sSLo "${tmpfile}" "https://astron.com/pub/file/${version}.tar.gz" && | ||
| tar xvf "${tmpfile}" && |
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
There was a problem hiding this comment.
Not a big deal, but if going with the piped curl output, personally I'd pair that with an explicit tar xvf -. Again, for the paranoid.
| import platform, sysconfig, io, zipfile, urllib.request | ||
| assert platform.system() == "Windows" | ||
| machine = "x86" if sysconfig.get_platform() == "win32" else "x64" | ||
| url = f"https://github.com/julian-r/file-windows/releases/download/v5.44/file_5.44-build104-vs2022-{machine}.zip" |
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
|
@ahupp this also fixes failing CI on master (looks like the github actions linux runner image no longer ships libmagic by default) |
|
@ahupp please review, merge, add trusted publisher (see PR description) and release 🙏 |
|
Also would love to see this merged, it's causing some issues for windows users of our package (which depends on mocket which depends on python-magic). Thank you! 😄 |
|
@ahupp Speaking personally, this is a big, complex PR that I don't really feel qualified to approve given the scope and nature of all the changes here. I guess I'm in agreement with your #294 (comment)
OTOH, the PR has received a number of approvals as-is, so there's ample indication that others are satisfied with it in its current form. I left some comments, which were addressed, so my input certainly shouldn't be viewed as disapproval by any means. |
|
When will 0.4.28 be released? Like, this year? edit: sorry if it came out as rude. It takes quite some complexity to merge complex PR's. And asking a developer about when there is a new release, is never really the right thing. |
|
@ahupp This PR has 6 approvals, and from the looks of it, 0 controversy, would it be possible to review & pull it sometime soon? Thanks in advance!
|
|
I'm trying to understand what the current situation is with using libmagic for file type identification in Python, and I've found at least 13 separate packages on PyPI that are in various states of not being maintained -- of them, this PR seems to be the version that includes the most complete set of wheels with pre-compiled copies of libmagic (aside from not being available on PyPI). Would it make sense to create a fork of python-magic based on this PR by @ddelange, perhaps under an org with at least 2 maintainers that can review PRs and publish updated wheels to help minimize the burden for a single person and hopefully avoid adding to the unmaintained package count? @ahupp has done an great job with python-magic and this is in no way a criticism of their work or minimizing the time they've spent working on and maintaining it -- of the libmagic packages I found on PyPI, python-magic seems to be in by far the best overall shape. Life happens and situations change so time isn't as plentifully as it once was, and I know how it is for things to get really busy and maintaining an open source project can be draining, leading to burnout. This happens literally all the time (as evidenced by all of the libmagic PyPI packages that haven't been updated since before 2019). |
|
@ahupp fwiw I'm happy to become a maintainer of this project 👍 |
There is an ongoing debate on how to embed libmagic library in the pypi package. For windows we have to rely on python-magic-bin for the time being. See ahupp/python-magic#294
|
I would also be happy to help maintain. We use this in paperless-ngx, so I'm happy to work on keeping it up to date, resolving issues, etc |
…bi3-wheels * 'master' of https://github.com/ahupp/python-magic: update magic/compat.py simplify tests into something more delarative
|
Hi @ahupp 👋 I fixed the broken tests I just pulled from master. Did you forget to track the I also upgraded this PR to build wheels and run CI using the newly released Any response from you on this PR would be greatly appreciated 🙏 |
| with: | ||
| python-version: '3.x' | ||
|
|
||
| - run: sudo apt-get install -y libmagic1 |
There was a problem hiding this comment.
This will tell you that it is already installed on both Intel and ARM.
There was a problem hiding this comment.
Right. But do we want to rely on github bundling libmagic in their ubuntu-latest runner image?
Co-authored-by: Christian Clauss <cclauss@me.com>
Hi @ahupp 👋
This PR builds self-contained wheels as discussed in #233. For Windows users, this renders
python-magic-binfrom @julian-r obsolete.pip install these wheels
pip can install from GitHub Release assets from my fork:
The wheels:
.dylibon mac,.soon nix,.ddlon win) - no additional user action neededLinux architectures limited by availability: https://pkgs.org/search/?q=file-libsnow building from source on linuxwheels.ymlas trusted publisher hereCI/CD
dists build with official
cibuildwheelon GitHub Actions, and they build in parallel:fix #137, fix #288, fix #225, fix #276, fix #248, fix #87, fix #139, fix #233, fix #73, fix #60, fix #34, fix #293, fix #233, fix #278, fix #262, fix #248, fix #238, fix #145, fix #61, fix #12, fix #295, fix #311, fix #312, fix #313, fix #321, fix #332, fix #249, fix #333