Exclude test files from install about tornado HOT 6 CLOSED

Hrm, I see that this has been reported before #3107 and #3104. In my case I'm not using tornado directly -- rather it's a transitive dependency via other packages I'm using. Therefore having to modify my build process to account for the nuances of a transitive dependency really isn't something I'd want to do.

from tornado.

Similarly, modifying my build process to account for the nuances of unknown tools used by a transitive dependent isn't really something I'd want to do. Work with the vendor of your security scanner to prevent this class of false positive.

If there's some way to mark this key as testing-only and silence the warning I'd probably do so, but I don't want to remove the test files from the distribution because I find it useful to have them there and removing them would not actually improve security.

from tornado.

Thanks for the reply. I (personally) agree with you on security and while I can kinda see why you might want to install the test files locally for running the tests, it's much less clear to me that including them in people's importable modules is the right thing for any package to do. (What would happen if all packages did this? What are the impacts on tooling which auto-imports packages at runtime? What happens if a test runner for a consumer project auto-imports "test*" packages and tries to run tornado tests in their environment?)

I'd urge you to reconsider the inclusion by default of test files within the installed modules.

from tornado.

What would happen if all packages did this?

Virtualenvs would be a little bit bigger?

What are the impacts on tooling which auto-imports packages at runtime? What happens if a test runner for a consumer project auto-imports "test*" packages and tries to run tornado tests in their environment?

That's risky in Python in any case since importing a module can execute arbitrary code. But even setting that possibility aside, trying to import every bit of code you can find is just going to waste a lot of cpu time compiling everything. You're going to want your tools to be more selective about what code they pull in just for efficiency's sake.

from tornado.

What would happen if all packages did this?

Virtualenvs would be a little bit bigger?

Virtualenvs would potentially be a lot bigger after test data is accounted for.

A lot of packages also have their tests at /tests within their source tree, meaning that there's a lot of potential for name collisions and files being left behind when packages are uninstalled. I realise tornado doesn't do this, however I've seen (and helped fix) a lot of packages which do.

from tornado.

Oh I completely agree that no one should install tests outside of their namespace. And packages that have large amounts of data shouldn't ship it in their package. I'm not advocating for all packages to install their tests; I'm not even sure if I'd do it this way myself in future projects. But this is the way I've done it in this project for many years and I'd need a very good reason to go through the effort of changing.

from tornado.