[repo-coord] Re: Packaging Python Pyvault Style (was Re: python 2.3
for RH7.3)
Axel Thimm
Axel.Thimm at atrpms.net
Mon Dec 20 19:38:50 CET 2004
On Mon, Dec 20, 2004 at 11:53:12PM +0800, Jeff Pitman wrote:
> On Monday 20 December 2004 19:13, Axel Thimm wrote:
> > > However, there is a weakness in RPM where it will automagically
> > > Obsoletes previous versions of Python when executing an Upgrade.
> >
> > Which obsoletes are you thinking of? Are any really needed (other
> > than replacing the vendor python with the pythonXX packages)?
>
> Ahhh! The *invisible* obsoletes, of course!!
>
> http://distro2.conectiva.com.br/pipermail/apt-rpm/2004-August/002513.html
> http://lists.atrpms.net/pipermail/repo-coord/2004-August/000357.html
>
> I mean, I like your idea. It maps closer to Debian Python Policy, etc.
> But, we cannot do it. I've tried with sweat and blood. It only brings
> frustration when the Package itself (python) automatically removes
> *any* and *all* packages that Provides: python = x.y.z, even if they're
> named foobaz2.2, when python=2.3.4 is upgraded ... *boom*.
Yes, I see, but is there need to provide "python" in all packages,
especially the pythonXX ones? Most packages that explicitly require
python do so with ">=".
> > That's perhaps unavoidable. If a pyvault user wants to have
> > /usr/bin/python point to python 2.4 for his own pleasure and
> > system-config-* and friends break with it, the you either need to
> > educate users to use /usr/bin/python2.4 or [...]
>
> I'd rather choose between educating users via FAQ or build a "python"
> wrapper that flipped between versions. I'd rather not repackage the
> whole nine yards.
OK, then you have no issues at all with obsoletes, as the users only
get to see pythonXX packages with no such provides, and keep their
vendor python rpm (which does the provides/obsoletes game with his
ancestors only).
Only python developers need to take care to have proper python-devels
packages that pull in the proper pythonXX packages.
> > > * Do we really %ghost *.pyo? That's what I'm doing now as an
> > > experiment discussed over at fedora.us. I'm not sure if Extras
> > > will have this policy or not.
> > > * Need to re-bytecompile applications for the latest version of
> > > python. (see http://www.fifi.org/doc/mailman/README.Debian)
> >
> > Isn't this only an issue when installing into non-versioned python
> > dirs, which one should not do? :)
>
> Well, if one does not package .pyo, they'll possibly get created if a
> root user runs an application with -O as the flag. Whether executed
> from the commandline or whether #!/usr/bin/python -O. So, in order for
> a clean exit on a particular python, you'd want to make sure everything
> is gutted by using %ghost. The reason they're not there is because the
> intrinsic value of their existence versus the space consumption doesn't
> match up. YMMV--just a blind experiment, I guess.
>
> This piece has a good summary:
> https://www.redhat.com/archives/fedora-devel-list/2004-August/msg00249.html
Oh, now I see. Definitely no %ghosting would be my suggestion from a
security and setup POV. Any package assuming it may write arbitrary
non-fingerprinted code into /usr/lib deserves to be shot on sight.
The package either needs bytecompilation/optimization, which has to be
done at package creation time, or does not. Consider read-only mounted
/usr or a tripwire checking /usr.
--
Axel.Thimm at ATrpms.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://lists.atrpms.net/pipermail/repo-coord/attachments/20041220/a5ba4313/attachment.bin
More information about the repo-coord
mailing list