A bunch of unrelated patches v1 PROPOSED

The first two patches are pyproject.toml metadata updates.

Patch #3 is untested and needs polishing, exchanging secrets etc.

Patch #4 fixes a minor annoyance for LibreSSL users.

Applied, thanks for the patch

Le 25 mar 08 06:12, Anna “CyberTailor” a écrit :

Applied, thanks for the patch

Le 25 mar 08 06:12, Anna “CyberTailor” a écrit :

Thanks for that patch. I merged it and added the secret part. 

But I can’t really test it until there’s a release. One option would be 
to remove the "if git_ref" code to test it, acknowledging that the Pypi 
2.6 would not be the true 2.6.

Anna (cybertailor) Vyalkova <cyber+misc@sysrq.in>

7 days ago

v2.6 is already uploaded manually, and PyPI will not overwrite existing 
versions.

Le 25 mar 08 06:12, Anna “CyberTailor” a écrit :

Hi Anna,

Could you explain a bit more the context? If I understand this 
correctly, you would like the pypi package to be published automatically 
when pushing a new release?

Anna (cybertailor) Vyalkova <cyber+misc@sysrq.in>

8 days ago

Yes. One person was granted publishing access to PyPI after my initial 
call:
https://lists.sr.ht/~lioploum/offpunk-packagers/%3CZVefWLKUHk_QgL_A@sysrq.in%3E

But I checked PyPI yesterday, and there were no uploads for a year.

Also manual uploading is not the best choice for poorly vetted 
repositories like PyPI, where a malicious release can be easily 
uploaded.

Next

Am I supposed to get a secret token somewhere? And how can the secret be 
put in the build.yml?

Anna (cybertailor) Vyalkova <cyber+misc@sysrq.in>

8 days ago

Either I'll create a dedicated PyPI account, generate a PyPI token and 
send it to you encrypted in private, or add you to maintainers so you 
could get the token yourself.

The secret will look like an environment file named 
"~/.pypi-credentials" with the following content:

	export UV_PUBLISH_TOKEN=pypi-abcdef...

It can be added in the secrets dashboard:
https://builds.sr.ht/secrets

The resulting UUID will need to be inserted in build.yml, and commented 
lines uncommented.

Next

Also, I’m not sure I fully understand the code.

Anna (cybertailor) Vyalkova <cyber+misc@sysrq.in>

8 days ago

No problem, see my comments below.

Le 25 mar 08 06:12, Anna “CyberTailor” a écrit :

Applied, thanks for the patch!

Le 25 mar 08 06:12, Anna “CyberTailor” a écrit :

GIT_REF is set by git.sr.ht as the Git reference which triggered the 
build (e.g. refs/heads/master).

This expression uses pattern matching to make sure GIT_REF starts with 
"refs/tags/".

Maybe there should also be a check for repository name, so it isn't run 
on forks.

Remove "dist" if it exists.

Build a source distribution package and a wheel package.

Source PyPI credential from secrets.

Publish built packages to PyPI.

Le 25 mar 09 09:50, Anna  Vyalkova a écrit :

Le 25 mar 10 09:38, Anna  Vyalkova a écrit :

[PATCH 1/4] pyproject: use PEP 639 license metadata Export this patch

License classifiers and "project.license" subkeys are now deprecated.

SPDX expressions should be used instead:
https://peps.python.org/pep-0639/
---
 pyproject.toml | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/pyproject.toml b/pyproject.toml
index 2b8af81..cde9e8a 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,5 +1,5 @@
 [build-system]
-requires = ["hatchling"]
+requires = ["hatchling>=1.5"]
 build-backend = "hatchling.build"
 
 [project]
@@ -11,11 +11,12 @@ authors = [
 maintainers = [
     {name = "Lionel Dricot (Ploum)", email = "offpunk2@ploum.eu"},
 ]
+license = "AGPL-3.0-or-later"
+license-files = ["LICENSE"]
 readme = "README.md"
 classifiers = [
     "Development Status :: 4 - Beta",
     "Environment :: Console",
-    "License :: OSI Approved :: GNU Affero General Public License v3 or later (AGPLv3+)",
     "Operating System :: OS Independent",
     "Programming Language :: Python :: 3 :: Only",
     "Topic :: Communications",
@@ -25,9 +26,6 @@ keywords = ["gemini", "browser"]
 requires-python = ">=3.7"
 dynamic = ["version", "description"]
 
-[project.license]
-file = "LICENSE"
-
 [project.optional-dependencies]
 better-tofu = ["cryptography"]
 chardet = ["chardet"]
-- 
2.48.1

Ploum <sourcehut24@ploum.eu>

9 days ago

Applied, thanks for the patch

Le 25 mar 08 06:12, Anna “CyberTailor” a écrit :

[PATCH 2/4] pyproject: add a dependency group for tests Export this patch

Could be used with test runners like Tox.

See: https://peps.python.org/pep-0735/
---
 pyproject.toml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/pyproject.toml b/pyproject.toml
index cde9e8a..a2a74ac 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -45,6 +45,12 @@ netcache = "netcache:main"
 ansicat = "ansicat:main"
 opnk = "opnk:main"
 
+[dependency-groups]
+test = [
+    "pytest",
+    "pytest-mock",
+]
+
 [tool.hatch.version]
 path = "offpunk.py" # read __version__
 
-- 
2.48.1

Ploum <sourcehut24@ploum.eu>

9 days ago

Applied, thanks for the patch

Le 25 mar 08 06:12, Anna “CyberTailor” a écrit :

[PATCH 3/4] build.yml: support publishing to PyPI Export this patch

It needs UV_PUBLISH_TOKEN environment variable configured:
https://docs.astral.sh/uv/guides/package/#publishing-your-package

Commented the publishing part for now, because it requires actual
secrets.
---
 .build.yml | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/.build.yml b/.build.yml
index bac87f3..d9ec6ff 100644
--- a/.build.yml
+++ b/.build.yml
@@ -1,10 +1,24 @@
-image: alpine/3.19
+image: alpine/latest
 oauth: pages.sr.ht/PAGES:RW
 packages:
 - hut
+- uv
+#secrets:
+#  - insert-uuid-here # pypi credentials
 environment:
   site1: offpunk.net
 tasks:
+- publish-pypi: |
+    if [[ ${GIT_REF} != refs/tags/* ]]; then
+      echo "Current commit is not a tag; not building anything"
+      exit 0
+    fi
+
+    rm -rf dist
+    uv build
+
+    #. ~/.pypi-credentials
+    #uv publish dist/*
 - package-gemini: |
     cd offpunk/tutorial
     tar -cvzh . > ../../capsule.tar.gz
-- 
2.48.1

Ploum <sourcehut24@ploum.eu>

8 days ago

Thanks for that patch. I merged it and added the secret part. 

But I can’t really test it until there’s a release. One option would be 
to remove the "if git_ref" code to test it, acknowledging that the Pypi 
2.6 would not be the true 2.6.


Le 25 mar 08 06:12, Anna “CyberTailor” a écrit :

Ploum <sourcehut24@ploum.eu>

9 days ago

Hi Anna,

Could you explain a bit more the context? If I understand this 
correctly, you would like the pypi package to be published automatically 
when pushing a new release?

Am I supposed to get a secret token somewhere? And how can the secret be 
put in the build.yml?

Also, I’m not sure I fully understand the code.

Le 25 mar 08 06:12, Anna “CyberTailor” a écrit :

[PATCH 4/4] disable a urllib3 warning shown to LibreSSL users Export this patch

Context: https://github.com/urllib3/urllib3/issues/3020
---
 netcache.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/netcache.py b/netcache.py
index da66e7a..c43206b 100755
--- a/netcache.py
+++ b/netcache.py
@@ -11,6 +11,7 @@ import ssl
 import sys
 import time
 import urllib.parse
+import warnings
 from ssl import CertificateError
 
 import ansicat
@@ -35,7 +36,10 @@ try:
 except (ModuleNotFoundError, ImportError):
     _HAS_CRYPTOGRAPHY = False
 try:
-    import requests
+    with warnings.catch_warnings():
+        # Disable annoying warning shown to LibreSSL users
+        warnings.simplefilter("ignore")
+        import requests
 
     _DO_HTTP = True
 except (ModuleNotFoundError, ImportError):
-- 
2.48.1

Ploum <sourcehut24@ploum.eu>

9 days ago

Applied, thanks for the patch!

Le 25 mar 08 06:12, Anna “CyberTailor” a écrit :