HereBeBeasties | 11 months ago

It seems that the person who did this acted unilaterally, with no code review, and ignored (then disabled) broken tests while landing this (https://github.com/pypa/setuptools/pull/4909). One should not be too harsh - he seems to be a student. One perhaps should be more harsh on the commercial entity sponsoring the project, though - setuptools is sponsored by Sonar via "Tidelift". According to https://tidelift.com/subscription/pkg/pypi-setuptools:

> The maintainers of setuptools get paid by Tidelift to implement industry-leading secure software development practices and document the practices they follow.

Well, that really doesn't seem so in this case now, does it?
