[tahoe-lafs-trac-stream] [tahoe-lafs] #1582: setuptools delenda est

tahoe-lafs trac at tahoe-lafs.org
Tue Nov 13 23:32:22 UTC 2012


#1582: setuptools delenda est
----------------------------+------------------------
     Reporter:  davidsarah  |      Owner:  somebody
         Type:  defect      |     Status:  new
     Priority:  normal      |  Milestone:  undecided
    Component:  packaging   |    Version:  1.9.0b1
   Resolution:              |   Keywords:  setuptools
Launchpad Bug:              |
----------------------------+------------------------
Changes (by zooko):

 * priority:  critical => normal


Old description:

> We need to stop using setuptools, for the following reasons:
>
>  * it frequently downloads, builds, installs, and/or runs the wrong code
>  * it frequently gives incorrect, misleading, or insufficient information
> about what it is doing
>  * it operates in a way that is incompatible with many OS packaging
> practices
>  * its behaviour when downloading dependencies is easily exploitable; I
> don't know of any way to use it securely
>  * its implementation is too complex to understand
>  * we have needed to maintain a fork in order to partially, and with
> limited success, mitigate these problems
>  * the bugs and design flaws that cause the above problems are not
> shallow, and it's unlikely that they're going to be fixed any time soon,
> because it is also poorly maintained.
>
> Dealing with the effects of setuptools' problems on Tahoe-LAFS has
> inconvenienced users on many occasions and wasted a huge amount of core
> developer time. This ticket is to find, or to design and implement, an
> alternative.

New description:

 We need to stop using setuptools, for the following reasons:

  * it frequently downloads, builds, installs, and/or runs the wrong code
  * it frequently gives incorrect, misleading, or insufficient information
 about what it is doing
  * it operates in a way that is incompatible with many OS packaging
 practices
  * its behaviour when downloading dependencies is easily exploitable; I
 don't know of any way to use it securely
  * its implementation is too complex to understand
  * we have needed to maintain a fork in order to partially, and with
 limited success, mitigate these problems
  * the bugs and design flaws that cause the above problems are not
 shallow, and it's unlikely that they're going to be fixed any time soon,
 because it is also poorly maintained.

 Dealing with the effects of setuptools' problems on Tahoe-LAFS has
 inconvenienced users on many occasions and wasted a huge amount of core
 developer time. This ticket is to find, or to design and implement, an
 alternative.

--

Comment:

 I feel like this isn't as ''urgent'' as most bugs marked "Priority:
 Critical". If you disagree, then I apologize for overwriting the priority
 setting you left. Note that as the months and years have gone by, various
 other tools have been developed or improved; tools that we might be able
 to use, such as "Wheel" by Daniel Holth, and "Paver". There are probably a
 few others that I haven't even heard of. Also pip and virtualenv have been
 ubiquitous and popular.

-- 
Ticket URL: <https://tahoe-lafs.org/trac/tahoe-lafs/ticket/1582#comment:2>
tahoe-lafs <https://tahoe-lafs.org>
secure decentralized storage