[tahoe-lafs-trac-stream] [Tahoe-LAFS] #2193: pyOpenSSL 0.14 pulls in a bunch of new dependencies
Tahoe-LAFS
trac at tahoe-lafs.org
Tue Apr 15 01:47:03 UTC 2014
#2193: pyOpenSSL 0.14 pulls in a bunch of new dependencies
-------------------------+-------------------------------------------------
Reporter: daira | Owner: daira
Type: defect | Status: assigned
Priority: major | Milestone: 1.11.0
Component: | Version: 1.10.0
packaging | Keywords: packaging setuptools pyopenssl
Resolution: | cryptography six cffi pycparser
Launchpad Bug: |
-------------------------+-------------------------------------------------
Comment (by daira):
Replying to [comment:27 gdt]:
> I'm not entirely following the pinning argument. tahoe is building ok
in pkgsrc with 0.14. So if you require 0.13, the package will fail and no
longer be available, and I'll just mark it BROKEN. What's wrong with a
situation where pyOpenSSL 0.14 is properly installed, with all its
dependencies?
That's a good question. The issue is that the Python package-distribution
metadata conflates the question "what dependent package versions are
acceptable to meet this package's requirement?", with the question "what
dependent package versions should I attempt to fetch and build in order to
meet this package's requirement?" That's a problem in situations where the
fetch-and-build process is unreliable.
We ''could'' hack around this conflation by doing the following:
* From Tahoe's `setup.py`, attempt `from OpenSSL import SSL`.
* If that succeeds and passes version sanity checks (including checks on
the linked OpenSSL version for #2215), then use the requirement `pyOpenSSL
== $WHATEVER_VERSION_WAS_IMPORTED`.
* If that does not succeed, then use the requirement `pyOpenSSL == 0.13`
(or `== 0.13.1` if we decide to do the OpenSSL version check that way).
That would implement the following:
> If the new code handles that gracefully, there's no issue - if all
you're talking about is forcing a choice of 0.13 when the build of
pyOpenSSL is triggered from within tahoe-lafs that sounds fine.
However, attempting to import dependent packages from `setup.py` has
caused problems in the past and I'm not entirely sure it's a good idea. If
we do it, we should have some exit strategy to stop doing it in a future
Tahoe-LAFS version.
--
Ticket URL: <https://tahoe-lafs.org/trac/tahoe-lafs/ticket/2193#comment:28>
Tahoe-LAFS <https://Tahoe-LAFS.org>
secure decentralized storage
More information about the tahoe-lafs-trac-stream
mailing list