[tahoe-lafs-trac-stream] [tahoe-lafs] #1582: setuptools delenda est
tahoe-lafs
trac at tahoe-lafs.org
Mon Jul 8 23:50:04 UTC 2013
#1582: setuptools delenda est
----------------------------+------------------------
Reporter: davidsarah | Owner: somebody
Type: defect | Status: new
Priority: major | Milestone: undecided
Component: packaging | Version: 1.9.0b1
Resolution: | Keywords: setuptools
Launchpad Bug: |
----------------------------+------------------------
Old description:
> We need to stop using setuptools, for the following reasons:
>
> * it frequently downloads, builds, installs, and/or runs the wrong code
> * it frequently gives incorrect, misleading, or insufficient information
> about what it is doing
> * it operates in a way that is incompatible with many OS packaging
> practices
> * its behaviour when downloading dependencies is easily exploitable; I
> don't know of any way to use it securely
> * its implementation is too complex to understand
> * we have needed to maintain a fork in order to partially, and with
> limited success, mitigate these problems
> * the bugs and design flaws that cause the above problems are not
> shallow, and it's unlikely that they're going to be fixed any time soon,
> because it is also poorly maintained.
>
> Dealing with the effects of setuptools' problems on Tahoe-LAFS has
> inconvenienced users on many occasions and wasted a huge amount of core
> developer time. This ticket is to find, or to design and implement, an
> alternative.
New description:
We need to stop using setuptools, for the following reasons:

* it frequently downloads, builds, installs, and/or runs the wrong code
* it frequently gives incorrect, misleading, or insufficient information
about what it is doing
* it operates in a way that is incompatible with many OS packaging
practices
* its behaviour when downloading dependencies is easily exploitable; I
don't know of any way to use it securely
* its implementation is too complex to understand
* we have needed to maintain a fork in order to partially, and with
limited success, mitigate these problems
* the bugs and design flaws that cause the above problems are not
shallow, and it's unlikely that they're going to be fixed any time soon,
because it is also poorly maintained.

Dealing with the effects of setuptools' problems on Tahoe-LAFS has
inconvenienced users on many occasions and wasted a huge amount of core
developer time. This ticket is to find, or to design and implement, an
alternative.
--
Comment (by daira):
[https://pypi.python.org/pypi/peep peep] is another tool that intends to
address this problem. I couldn't get it to work on Tahoe; it downloaded
the required sdists and then blew up with an exception from pip, which it
depends on:
{{{
$ cp src/allmydata_tahoe.egg-info/requires.txt requirements.txt
$ peep install -r requirements.txt
[...]
  File "/usr/local/lib/python2.7/dist-packages/peep-0.2.1-py2.7.egg/EGG-INFO/scripts/peep", line 143, in hashes_of_requirements
    for req in reqs: # InstallRequirements
  File "/usr/lib/python2.7/dist-packages/pip/req.py", line 1240, in parse_requirements
    skip_regex = options.skip_requirements_regex
AttributeError: 'NoneType' object has no attribute 'skip_requirements_regex'
}}}
If I understand correctly, pip by itself does not help you at all in
verifying the integrity of dependencies, only of the package you're
directly installing.
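As an added illustration of the hash-pinning idea the comment above refers to (this is example code written for this page, not peep's code and not part of Tahoe-LAFS), the script below parses a requirements file in which each requirement is preceded by a "# sha256: <hex>" comment and checks already-downloaded source distributions against those pins before anything would be built or installed. The pin syntax is modelled loosely on peep's approach and is an assumption of this example; the package names, versions and archive contents in demo() are constructed.

```python
import hashlib
import os
import re
import tempfile

# Added example: hash-pinned dependency verification in the style of peep.
# Pin syntax ("# sha256: <hex>" on the line before a requirement) is an
# assumption of this example, not a documented format of any real tool.
HASH_LINE = re.compile(r"^#\s*sha256:\s*([0-9a-fA-F]{64})\s*$")


def parse_pinned_requirements(text):
    """Return a list of (requirement, set_of_expected_sha256) tuples.

    A requirement with no preceding hash line is returned with an empty
    set; verify_sdists() treats that as a failure, because an unpinned
    dependency is exactly the case where integrity is never checked.
    """
    pins = []
    pending = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m:
            pending.add(m.group(1).lower())
            continue
        if line.startswith("#"):
            continue  # ordinary comment
        pins.append((line, pending))
        pending = set()
    return pins


def sha256_of_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_sdists(pins, archives):
    """Check each pinned requirement against its local archive.

    `archives` maps requirement line -> local archive path.  Returns a
    dict requirement -> (ok, reason).  Nothing is installed here: the
    trust decision is made before any build step could run code.
    """
    results = {}
    for req, expected in pins:
        if not expected:
            results[req] = (False, "no hash pinned")
            continue
        path = archives.get(req)
        if path is None or not os.path.exists(path):
            results[req] = (False, "archive missing")
            continue
        actual = sha256_of_file(path)
        if actual in expected:
            results[req] = (True, "sha256 match")
        else:
            results[req] = (False, "sha256 mismatch: got %s" % actual)
    return results


def demo():
    """Constructed data: one archive matching its pin, one tampered, one unpinned."""
    good = b"constructed sdist contents for examplepkg-a"
    bad = b"constructed sdist contents for examplepkg-b, altered after pinning"
    good_hash = hashlib.sha256(good).hexdigest()
    pinned_b = hashlib.sha256(b"what the pin for examplepkg-b was made from").hexdigest()
    requirements = (
        "# sha256: %s\nexamplepkg-a==1.0\n"
        "# sha256: %s\nexamplepkg-b==2.0\n"
        "examplepkg-c==3.0\n" % (good_hash, pinned_b)
    )
    tmp = tempfile.mkdtemp()
    paths = {}
    for name, data in (("examplepkg-a==1.0", good), ("examplepkg-b==2.0", bad)):
        p = os.path.join(tmp, name.split("==")[0] + ".tar.gz")
        with open(p, "wb") as f:
            f.write(data)
        paths[name] = p
    return verify_sdists(parse_pinned_requirements(requirements), paths)


if __name__ == "__main__":
    for req, (ok, why) in sorted(demo().items()):
        print("%-20s %s  %s" % (req, "OK  " if ok else "FAIL", why))
```

The point of structuring it this way is that the hash check happens on the downloaded file, before any setup.py or build hook is executed, and that a missing pin is reported as a failure rather than silently accepted.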
--
Ticket URL: <https://tahoe-lafs.org/trac/tahoe-lafs/ticket/1582#comment:4>
tahoe-lafs <https://tahoe-lafs.org>
secure decentralized storage