The perfect setup? Not setup.py! Building packages the right way

Everyone loves package management! Python's packaging systems have continued to evolve over the years. Specifications such as environment markers, custom backends, and static build configurations have been introduced. Additionally new package managers like Poetry and Hatch have emerged.

Yet despite the updates, many projects are still living in the 2010s - using a setup.py file to specify the build configuration for their package. setup.py is notoriously difficult to learn and a common vector for launching attacks during install.

This talk will discuss why it's time to move away from using setup.py and how to do it.

We will see how setup.py is used and abused - from downloading huge datasets (cough AI cough), modifying the system, and most critically how malicious payloads can be included to execute when setup.py is evaluated. Arbitrary code in setup.py makes security analysis harder and creates more work for PyPI administrators.

The talk will detail the new (as of 7 years ago) methods of describing build configurations in pyproject.toml and setup.cfg, giving examples of how to use these methods. The examples will include how to achieve what once required dynamic code to include data like readme contents, version numbers and requirements. The limits of pyproject.toml and setup.cfg will also be covered.

Finally, the talk will outline how moving away from setup.py improves the Python packaging universe, how it makes life easier for ensuring Python security, and what can be done to drive adoption of pyproject.toml.