[tahoe-lafs-trac-stream] [Tahoe-LAFS] #2193: pyOpenSSL 0.14 pulls in a bunch of new dependencies

Tahoe-LAFS trac at tahoe-lafs.org
Sat Mar 29 18:43:40 UTC 2014 

#2193: pyOpenSSL 0.14 pulls in a bunch of new dependencies
-------------------------+-------------------------------------------------
     Reporter:  daira    |      Owner:
         Type:  defect   |     Status:  new
     Priority:  normal   |  Milestone:  undecided
    Component:           |    Version:  1.10.0
  packaging              |   Keywords:  packaging setuptools pyopenssl
   Resolution:           |  cryptography six cffi pycparser
Launchpad Bug:           |
-------------------------+-------------------------------------------------

Comment (by gdt):

 In a packaging environment, having a pinned dependency on 0.13 is
 really not ok, because upstream py-OpenSSL doesn't seem to provide for
 parallel-installable multiple versions.   So I think tahoe has to cope
 with whatever upstream releases, or stop using py-OpenSSL.  But
 py-twisted uses pyOpenSSL, so it's not clear that what tahoe does
 matters in the grand scheme of things.

 longer version after I retyped  when the above was lost to spam filtering:

 Regarding pinnning the dependency to 0.13, I don't think that's a
 resaonable approach.  First, I think that any software that is broadly
 successful is used almost entirely from prebuilt packages in various
 packaging systems (or for us odd pkgsrc types, automatically built from
 source using the packaging system, which amounts to the same thing).

 My impression is that python generally does not support installing
 multiple versions of a package, e.g py-OpenSSL 0.13.1 and 0.14 both.
 (While pkgsrc has made python27 and python33 parallel installable, and
 most libraries can have both at once, I haven't seen this extend to
 individual libraries.)  So a packaging system has to just pick a
 version.  Given that upstreams do not do security maintenance on
 obsolete versions, the only reasonable choice is the latest, except that
 taking a few months to move to a new release is also reasonable.  So
 packaging systems soon (within a year) will no longer offer py-OpenSSL
 0.13.1.

 Twisted also requires py-OpenSSL, so I think fighting this implies
 pulling py-Twisted and py-OpenSSL into tahoe sources.  That seems crazy
 in terms of maintenance burden.

 Overall, my impresssion is that we're seeing a big hiccup because of a
 poorly-documented unexpected rototill, and that once packaging systems
 catch up with the new dependencies, things will be ok as far as building
 tahoe in a packaging system context (or installing deps from packaging
 system and then building tahoe itself from source).

--
Ticket URL: <https://tahoe-lafs.org/trac/tahoe-lafs/ticket/2193#comment:9>
Tahoe-LAFS <https://Tahoe-LAFS.org>
secure decentralized storage

More information about the tahoe-lafs-trac-stream mailing list