Re: pkglint suggestion: check pyproject.toml against pkgsrc-expressed dependencies

[Roland Illig <roland.illig%gmx.de@localhost>]

Am 09.05.2026 um 19:46 schrieb Greg Troxel:
> Recently I came across a py-foo where it depends on py-bar (does import)
> but where bar wasn't in the pyproject.toml.  Also, I frequently find
> that pkgsrc (my packages anyway) are missing the expression of deps that
> are in pyproject.toml.
> 
> I know url2pkg has some ability to examine pyproject.toml and create
> DEPENDS lines.

url2pkg doesn't examine pyproject.toml directly. It only adds a "TODO"
marker when it sees that file in the extracted package.

> It would be Really Cool if pkglint:
> 
>   parsed pyproject.toml and obtained dependency expressions for build
>   tools, for runtime deps, and for test
> 
>   parsed Makefile for those TOOL_DEPENDS, DEPENDS, and TEST_DEPENDS.
> 
>   compared them, and created as output somehow the lines that are
>   missing or replacements for those that are wrong

In my mind, pkglint is the wrong tool for this check, as pkglint only
looks at the files that are committed directly to the pkgsrc repository,
and pyproject.toml is not among these files.

The only thing that pkglint does with the distfiles (if they are at the
default location ${PKGSRCDIR}/distfiles) is to cross-check the checksums
against those recorded in the distinfo files. No part in pkglint
extracts the distfiles to see what files are inside.

> I have no idea how hard this is, but I'm not letting that keep me from
> suggesting it!

I'd prefer a specialized tool that is run during package builds, since
at that point, pyproject.toml is already extracted and possibly patched,
just in case.

In a nutshell, not all checks have to be done by pkglint, there's also
mk/check for runtime checks.

Roland