[tahoe-lafs-trac-stream] [Tahoe-LAFS] #2193: pyOpenSSL 0.14 pulls in a bunch of new dependencies
Tahoe-LAFS
trac at tahoe-lafs.org
Mon Mar 24 21:03:59 UTC 2014
#2193: pyOpenSSL 0.14 pulls in a bunch of new dependencies
-------------------------+-------------------------------------------------
Reporter: daira | Owner:
Type: defect | Status: new
Priority: normal | Milestone: undecided
Component: packaging | Version: 1.10.0
Resolution: | Keywords: packaging setuptools pyopenssl cryptography six cffi pycparser
Launchpad Bug: |
-------------------------+-------------------------------------------------
Comment (by glyph):
Replying to [comment:6 zooko]:

> dstufft asked on IRC why this is such a big deal to us

If you are telling end-users and not developers to install a tool with a
development toolchain (and setuptools is definitely a development
toolchain) then perhaps the problem is with the instructions? Your
dependencies' dependencies should not be a user-visible change.

Have you considered creating distributions for end-users that bundle
everything together into a single file, bundle, or linux distro package,
so that dependency issues like this aren't exposed? Or perhaps at least
updating quickstart.rst to use contemporary tools, i.e. pip and
virtualenv, rather than ez_setup?

These dependencies can be automatically resolved by pip. There are
already binary wheels for Windows so those folks don't need a C compiler.
And in the coming months my understanding is that this will be extended to
OS X as well.

> I intend to pin our dependency on pyOpenSSL

By pinning this dependency you're opting out of all potential future
security updates for pyOpenSSL which seems like a bad idea, if you depend
on it at all. And the move to Cryptography and thereby cffi is a ''huge''
upgrade to the simplicity and security of the basic implementation
strategy of pyOpenSSL itself.

> (We don't really rely on pyOpenSSL for much anyway, so if we could in
> fact *remove* the dependency on pyOpenSSL entirely, that would be nice.)

Removing the dependency might be nice. The OpenSSL API is rightly
universally reviled. Although I would suggest that Cryptography is a
promising new project to provide backend agility for cryptographic
primitives and you should be depending upon it directly at some point in
the future :-).

It's quite likely that Twisted will acquire a hard dependency on
Cryptography or some other cffi-based project in the future, so this is
probably worth working out now.
--
Ticket URL: <https://tahoe-lafs.org/trac/tahoe-lafs/ticket/2193#comment:7>
Tahoe-LAFS <https://Tahoe-LAFS.org>
secure decentralized storage