Date: Mon, 27 Jul 2020 22:29:40 -0400
From: "John W. O'Brien" <john@saltant.com>
To: koobs@FreeBSD.org, FreeBSD Python <freebsd-python@freebsd.org>
Subject: Re: security/py-pycryptodome: Soft dependency on devel/py-cffi
Message-ID: <35334c7b-ad95-6e68-07c8-8c29711940ed@saltant.com>
In-Reply-To: <852935a9-0abb-5284-f06a-f561f80fd0f5@FreeBSD.org>
References: <779685b4-2036-b128-da77-31a131d19951@saltant.com> <852935a9-0abb-5284-f06a-f561f80fd0f5@FreeBSD.org>

On 2020/07/27 22:08, Kubilay Kocak wrote:
> On 28/07/2020 5:43 am, John W. O'Brien wrote:
>> Greetings FreeBSD Python,
>>
>> I have been mulling over a thing and would like the list's perspective
>> before I decide whether to take action or not.
>>
>> security/py-pycryptodome will use devel/py-cffi if it is available [0]
>> or ctypes otherwise [1]. This makes me just a little bit uneasy since it
>> leaves the door open to certain Heisenbugs and red herrings. My question
>> is whether it warrants adding devel/py-cffi to RUN_DEPENDS to ensure
>> consistent behavior? If not, what about as an OPTION for those who care
>> about that sort of thing?
>>
>> [0]
>> https://github.com/Legrandin/pycryptodome/blob/v3.9.8/lib/Crypto/Util/_raw_api.py#L71-L161
>>
>> [1]
>> https://github.com/Legrandin/pycryptodome/blob/v3.9.8/lib/Crypto/Util/_raw_api.py#L163-L263
>>
>> [2] https://en.wikipedia.org/wiki/Heisenbug
>>
>
> The Python Policy section on optional dependencies should cover this:
>
> https://wiki.freebsd.org/Python/PortsPolicy#Optional_Dependencies
>
> tldr;
>
> For either at build or run-time optional dependencies (where the pattern
> is, check if dep exists, use some code path if true, else use another
> code path), add OPTIONS for them.

OK, so something like this?

OPTIONS_DEFINE=CFFI
OPTIONS_DEFAULT=CFFI
CFFI_DESC=Use devel/py-cffi for low-level API instead of ctypes
CFFI_RUN_DEPENDS=${PYTHON_PKGNAMEPREFIX}cffi>=0:devel/py-cffi@${PY_FLAVOR}

> Re heisenbugs/etc, this is where support for running test suites in the
> port is critical, let us know in #freebsd-python on freenode IRC if you
> need help getting these hooked up

I've been looking forward to the day when [3] lands. Is there some other
way to run the test target in a poudriere build?

Of course, running test suites in the build environment wouldn't uncover
bugs that are triggered by something that just happens to show up in the
runtime environment. Enabling the OPTIONal things by default would
clearly help.

[3] https://github.com/freebsd/poudriere/pull/355

-- 
John W. O'Brien
OpenPGP keys: 0x33C4D64B895DBF3B

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?35334c7b-ad95-6e68-07c8-8c29711940ed>
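
The thread's concern is that the code path taken depends on whether devel/py-cffi happens to be installed. The following is an added example, not part of the original message and not pycryptodome's or the port's code: it shows one way a test can force both branches of such a soft dependency in a single environment. `select_backend`, `forced_module` and `backends_under_both_conditions` are hypothetical names, and the cffi module used for the "present" case is a constructed stub.

```python
"""Added example: exercise both branches of a soft dependency on cffi."""
import contextlib
import sys
import types


def select_backend():
    """Mimic the soft-dependency pattern: prefer cffi, fall back to ctypes.

    Hypothetical stand-in for the selection logic the thread links to;
    it is not pycryptodome's code.
    """
    try:
        from cffi import FFI  # noqa: F401  (optional dependency)
        return "cffi"
    except ImportError:
        import ctypes  # noqa: F401  (always in the standard library)
        return "ctypes"


@contextlib.contextmanager
def forced_module(name, module):
    """Temporarily pin sys.modules[name]; None makes `import name` fail."""
    missing = object()
    saved = sys.modules.get(name, missing)
    sys.modules[name] = module
    try:
        yield
    finally:
        # Restore the interpreter's real view of the module.
        if saved is missing:
            del sys.modules[name]
        else:
            sys.modules[name] = saved


def backends_under_both_conditions():
    """Return the backend chosen with cffi absent and with cffi present."""
    fake_cffi = types.ModuleType("cffi")  # constructed stub, not real cffi
    fake_cffi.FFI = object
    with forced_module("cffi", None):
        without = select_backend()
    with forced_module("cffi", fake_cffi):
        with_cffi = select_backend()
    return without, with_cffi


if __name__ == "__main__":
    print("this environment:", select_backend())
    print("forced absent/present:", backends_under_both_conditions())
```

Running a package's test suite once under each forced condition covers the branch that the build environment alone would not reach.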