an alternative to setup.py
setup.py has one significant problem:

  • it cannot be parsed securely

This leads to a lot of problems: it cannot be securely analysed, reading 100k+ packages from PyPI requires too much overhead, source packages cannot be automatically converted to native system formats like Debian and Fedora, etc.

So, are there any alternatives for packaging Python source that use a static data format (not setup.py) for describing and wrapping their contents, so that a source package is just a .zip file of a source checkout which does not require magic with build steps?

Accusation answered 3/5, 2015 at 6:34 Comment(4)
I fear the current answer is "no". - Rowel
setuptools maybe? #6344576 - Charlotte
This doesn't directly answer your question, but you can create an rpm with python setup.py bdist_rpm. Not deb though. - Mure
If you are pulling packages from PyPI without audit you already have a security risk; somebody with a debian keyring needs to decide that it is a trusted package. - Selene
Back when this question was asked the answer was no. Several PEPs existed to try and standardize metadata (and by extension most of the information required for installing). These had follow-ups after the question was asked, which have since evolved into solutions like pyproject.toml and setup.cfg, which nowadays allow setup.py-less installation of your packages; this is even adopted and encouraged by tools like PyPA's Flit.

That said, packages not leveraging these possibilities will still exist, and if they have a setup.py you can't control, they'll be running arbitrary code nonetheless, and you'll have to decide if you trust the authors and the community for reporting malicious packages.

Kemme answered 4/3 at 8:13 Comment(0)
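As an added example (not part of the answer above or of any packaging tool), here is what "static metadata" buys you in practice: the PEP 621 `[project]` table in pyproject.toml can be read with a plain TOML parser, without importing or executing anything from the package. The pyproject.toml content is constructed and the helper names are my own; the one caveat shown is that fields listed under `dynamic` still require running the build backend.

```python
"""Read PEP 621 project metadata from pyproject.toml without executing code.

Added example; the TOML below is constructed, and the helper names are
illustrative (not from any packaging tool).
"""
try:
    import tomllib  # Python 3.11+ standard library
except ModuleNotFoundError:
    import tomli as tomllib  # third-party backport for older interpreters

# Constructed sample: the kind of static metadata a setup.py-less project ships.
SAMPLE_PYPROJECT = """
[build-system]
requires = ["flit_core>=3.2"]
build-backend = "flit_core.buildapi"

[project]
name = "example-pkg"
version = "1.4.0"
requires-python = ">=3.8"
dependencies = ["requests>=2.0", "packaging"]
dynamic = ["description"]
"""


def load_static_metadata(text: str) -> dict:
    """Parse the [project] table. tomllib only builds data structures; it
    never imports or runs the project's code, which is the property the
    question asks for (unlike setup.py, which must be executed)."""
    doc = tomllib.loads(text)
    project = doc.get("project", {})
    return {
        "name": project.get("name"),
        "version": project.get("version"),
        "requires_python": project.get("requires-python"),
        "dependencies": list(project.get("dependencies", [])),
        "dynamic": list(project.get("dynamic", [])),
        "backend": doc.get("build-system", {}).get("build-backend"),
    }


def needs_build_step(meta: dict, fields=("name", "version", "dependencies")) -> list:
    """Fields declared `dynamic` are only known after the build backend runs,
    so a static analyser must treat them as unavailable. Returns the subset
    of `fields` that cannot be read without a build step."""
    return [f for f in fields if f in meta["dynamic"]]


if __name__ == "__main__":
    meta = load_static_metadata(SAMPLE_PYPROJECT)
    print(meta)
    print("fields requiring a build:", needs_build_step(meta))
```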
Python wheels are the answer to the problems you describe: http://pythonwheels.com/

However, at the time of writing many projects do not supply wheels (but you can build them yourself).

Snuck answered 3/5, 2015 at 12:59 Comment(0)