← Return to program

The perfect setup? Not setup.py! Building packages the right way

Sunday 11:55 AM–12:25 PM in Door 12 / Goldfields Theatre

Everyone loves package management! Python's packaging systems have continued to evolve over the years. Specifications such as environment markers, custom backends, and static build configurations have been introduced. Additionally new package managers like Poetry and Hatch have emerged.

Yet despite the updates, many projects are still living in the 2010s - using a setup.py file to specify the build configuration for their package. setup.py is notoriously difficult to learn and a common vector for launching attacks during install.

This talk will discuss why it's time to move away from using setup.py and how to do it.

We will see how setup.py is used and abused - from downloading huge datasets (cough AI cough), modifying the system, and most critically how malicious payloads can be included to execute when setup.py is evaluated. Arbitrary code in setup.py makes security analysis harder and creates more work for PyPI administrators.

The talk will detail the new (as of 7 years ago) methods for describing build configurations in pyproject.toml, giving examples of how to use them. The examples will include how to achieve what once required dynamic code to include data like readme contents, version numbers and requirements. The limits of pyproject.toml will also be covered.

Finally, the talk will outline how moving away from setup.py improves the Python packaging universe, how it makes life easier for ensuring Python security, and what can be done to drive adoption of pyproject.toml.

Caleb Brown

Caleb is a Senior Software Engineer working for Google's Open Source Security Team. At Google he contributes to deps.dev and maintains a repository of malicious package reports for open source packages. Caleb has been using Python for over 15 years, starting with build Django sites at publishing company.