Tootfinder

After some refactoring, learning about `hatch`, moving more files around, and generally abusing `test.pypi.org`: I've uploaded `diceparse` to PyPI. Still need to update the web documentation, but it now feels like a proper project at this point.
I still need to add a CLI part so you can just roll dice after installing the package, but I'll handle that later. Also need to tweak the README.md a bit as well...

So, @… is working on using LLMs to process XML Except for, the models can’t write legal XML. So he’s using the model to generate a sloppy-XML parser: https://lucumr.pocoo.org/202…

My First Open Source AI Generated Library
In a first for me, I published some agentic programmed AI slop to PyPI.

A first look at License Variants in the PyPI Ecosystem
Weiwei Xu, Hengzhi Ye, Kai Gao, Minghui Zhou
https://arxiv.org/abs/2507.14594 https://

A first look at License Variants in the PyPI Ecosystem
Open-source licenses establish the legal foundation for software reuse, yet license variants, including both modified standard licenses and custom-created alternatives, introduce significant compliance complexities. Despite their prevalence and potential impact, these variants are poorly understood in modern software systems, and existing tools do not account for their existence, leading to significant challenges in both effectiveness and efficiency of license analysis. To fill this knowledge g…

this looks like a useful python package https://pypi.org/project/cramjam/

Hi Pythonistas! Previously, I was able to use the Trove classifier
Private :: Do Not Upload
to prevent packages from being accidentally uploaded to PyPI. Is there a similar option with the PEP 639 licence expression?
@… #Python

python_dependency: Python Dependency Network
Python's package dependency networks. Nodes in the network are Python's packages registered to PyPI and edges are dependencies among packages.
This network has 58743 nodes and 108399 edges.
Tags: Technological, Software, Unweighted
https://networks.sk…

y'all have no idea how much work on all levels went into this little beta release 😅
https://pypi.org/project/cffi/2.0.0b1/

python_dependency: Python Dependency Network
Python's package dependency networks. Nodes in the network are Python's packages registered to PyPI and edges are dependencies among packages.
This network has 58743 nodes and 108399 edges.
Tags: Technological, Software, Unweighted
https://networks.sk…

Tak, tak, zdecydowanie należy sforkować #PythonRequests, i przy okazji kilka innych ważnych bibliotek Pythona jako zależności, i jeszcze dodać kilka własnych wynalazków. No i zdecydowanie należy przy tym nadpisywać oryginalne biblioteki. Co może pójść nie tak?

python_dependency: Python Dependency Network
Python's package dependency networks. Nodes in the network are Python's packages registered to PyPI and edges are dependencies among packages.
This network has 58743 nodes and 108399 edges.
Tags: Technological, Software, Unweighted
https://networks.sk…

New reason not to use #PythonPoetry just dropped: they reinvented "reproducible builds", poorly. The problem is, they missed the purpose of reproducible builds entirely and they use it for source distributions too, and when you don't use SOURCE_DATE_EPOCH, they force all files to epoch (as in timestamp 0) instead of leaving them alone.
Like, all source distributions created by Poetry and uploaded to #PyPI now have 1970 timestamps that, simply speaking, break stuff. The most absurd thing is that ZIP can't handle that timestamp, so they override it and use another date for wheels 🤦.
#Gentoo #PEP517

python_dependency: Python Dependency Network
Python's package dependency networks. Nodes in the network are Python's packages registered to PyPI and edges are dependencies among packages.
This network has 58743 nodes and 108399 edges.
Tags: Technological, Software, Unweighted
https://networks.sk…

PyPitfall: Dependency Chaos and Software Supply Chain Vulnerabilities in Python
Jacob Mahon, Chenxi Hou, Zhihao Yao
https://arxiv.org/abs/2507.18075 https://

PyPitfall: Dependency Chaos and Software Supply Chain Vulnerabilities in Python
Python software development heavily relies on third-party packages. Direct and transitive dependencies create a labyrinth of software supply chains. While it is convenient to reuse code, vulnerabilities within these dependency chains can propagate through dependencies, potentially affecting down-stream packages and applications. PyPI, the official Python package repository, hosts many packages and lacks a comprehensive analysis of the prevalence of vulnerable dependencies. This paper introduces…

Analyzing C/C Library Migrations at the Package-level: Prevalence, Domains, Targets and Rationals across Seven Package Management Tools
Haiqiao Gu, Yiliang Zhao, Kai Gao, Minghui Zhou
https://arxiv.org/abs/2507.03263

Analyzing C/C++ Library Migrations at the Package-level: Prevalence, Domains, Targets and Rationals across Seven Package Management Tools
Library migration happens when a library can not meet the project's requirements and is non-trivial to accomplish. To mitigate the problem, substantial efforts have been devoted to understanding its characteristics and recommending alternative libraries, especially for programming language (PL) ecosystems with a central package hosting platform, such as Python (PyPI). However, to the best of our knowledge, understanding of C/C++ library migrations is still lacking, possibly due to challenges re…

python_dependency: Python Dependency Network
Python's package dependency networks. Nodes in the network are Python's packages registered to PyPI and edges are dependencies among packages.
This network has 58743 nodes and 108399 edges.
Tags: Technological, Software, Unweighted
https://networks.sk…

A while ago, I've followed the example given by #Fedora and unbundled ensurepip wheels from #Python in #Gentoo (just checked — "a while ago" was 3 years ago). This had the important advantage that it enabled us to update these wheels along with the actual pip and setuptools packages, meaning new virtual environments would get fresh versions rather than whatever CPython happened to bundle at the time of release.
I had considered using our system packages to prepare these wheels, but since we were already unbundling dependencies back then, that couldn't work. So I just went with fetching upstream wheels from PyPI. Why not build them from source instead? Well, besides feeling unnecessary (it's not like the PyPI wheels are actually binary packages), we probably didn't have the right kind of eclass support for that at the time.
Inspired by @…, today I've tried preparing new revisions of ensurepip packages that actually do build everything from source. So what changed, and why should building from source matter now? Firstly, as part of the wheel reuse patches, we do have a reasonably clean architecture to grab the wheels created as part of the PEP517 build. Secondly, since we're unbundling dependencies from pip and setuptools, we're effectively testing different packages than these installed as ensurepip wheels — and so it would be meaningful to test both variants. Thirdly, building from source is going to make patching easier, and at the very least enable user patching.
While at it, I've refreshed the test suite runs in all three regular packages (pip, setuptools and wheel — we need an "ensurepip" wheel for the last because of test suites). And of course, I hit some test failures in testing the versions with bundled dependencies, and I've discovered a random bug in #PyPy.
https://github.com/gentoo/gentoo/pull/42882 (yes, we haven't moved yet)
https://github.com/pypy/pypy/issues/5306

Yes, yes, please fork #PythonRequests and a bunch of other high-profile #Python libraries as its dependencies, and add some more #NIH dependencies to that. Oh, yes, and definitely overwrite the original packages in the process! What could possibly go wrong?
#packaging