Date: Tue, 28 Jul 2020 19:12:49 -0400 From: "John W. O'Brien" <john@saltant.com> To: koobs@FreeBSD.org, FreeBSD Python <freebsd-python@freebsd.org> Subject: Re: security/py-pycryptodome: Soft dependency on devel/py-cffi Message-ID: <7bfffda3-6673-4867-641c-761cad5b5f57@saltant.com> In-Reply-To: <5d4a1521-0739-2e24-1f7f-1dc7a96ea648@FreeBSD.org> References: <779685b4-2036-b128-da77-31a131d19951@saltant.com> <852935a9-0abb-5284-f06a-f561f80fd0f5@FreeBSD.org> <35334c7b-ad95-6e68-07c8-8c29711940ed@saltant.com> <5d4a1521-0739-2e24-1f7f-1dc7a96ea648@FreeBSD.org>
next in thread | previous in thread | raw e-mail | index | archive | help
This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --9lNgNvJgvXHiHTuCfh3xIwn5ayOHkniTJ Content-Type: multipart/mixed; boundary="vnRuTPj0Mii5DfFEqyaf6sQSyI1TwHQmW" --vnRuTPj0Mii5DfFEqyaf6sQSyI1TwHQmW Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: quoted-printable On 2020/07/27 23:11, Kubilay Kocak wrote: > On 28/07/2020 12:29 pm, John W. O'Brien wrote: >> On 2020/07/27 22:08, Kubilay Kocak wrote: >>> On 28/07/2020 5:43 am, John W. O'Brien wrote: >>>> Greetings FreeBSD Python, >>>> >>>> I have been mulling over a thing and would like the list's perspecti= ve >>>> before I decide whether to take action or not. >>>> >>>> security/py-pycryptodome will use devel/py-cffi if it is available [= 0] >>>> or ctypes otherwise [1]. This makes me just a little bit uneasy >>>> since it >>>> leaves the door open to certain Heisenbugs and red herrings. My >>>> question >>>> is whether it warrants adding devel/py-cffi to RUN_DEPENDS to ensure= >>>> consistency behavior? If not, what about as an OPTION for those who >>>> care >>>> about that sort of thing? >>>> >>>> [0] >>>> https://github.com/Legrandin/pycryptodome/blob/v3.9.8/lib/Crypto/Uti= l/_raw_api.py#L71-L161 >>>> >>>> >>>> [1] >>>> https://github.com/Legrandin/pycryptodome/blob/v3.9.8/lib/Crypto/Uti= l/_raw_api.py#L163-L263 >>>> >>>> >>>> [2] https://en.wikipedia.org/wiki/Heisenbug >>>> >>> >>> The Python Policy section on optional dependencies should cover this:= >>> >>> https://wiki.freebsd.org/Python/PortsPolicy#Optional_Dependencies >>> >>> tldr; >>> >>> For either at build or run-time optional dependencies (where the patt= ern >>> is, check if dep exists, use some code path if true, else use another= >>> code path), add OPTIONS for them. >> >> OK, so something like this? >> >> OPTIONS_DEFINE=3DCFFI >> OPTIONS_DEFAULT=3DCFFI >> >> CFFI_DESC=3DUse devel/py-cffi for low-level API instead of ctypes >> CFFI_RUN_DEPENDS=3D${PYTHON_PKGNAMEPREFIX}cffi>=3D0:devel/py-cffi@${PY= _FLAVOR} >> >=20 > That's fine. If the option is related to performance, id clarify that i= n > the description. >=20 >>> Re heisenbugs/etc, this is where support for running test suites in t= he >>> port are critical, let us know in #freebsd-python on freenode IRC if = you >>> need help getting these hooked up >> >> I've been looking forward to the day when [3] lands. Is there some oth= er >> way to run the test target in a poudriere build? >=20 > Yes, that would be nice. The other way is to testport -i to enter the > jail, at which point you can run `make test` from the port dir Is there any trick to ensuring that the TEST_DEPENDS have already been built, or are already installed in the jail, by that point? >> Of course, running test suites in the build environment wouldn't uncov= er >> bugs that are triggered by something that just happens to show up in t= he >> runtime environment. Enabling the OPTIONal things by default would >> clearly help. >=20 > The same as ports defaulting OPTIONS to enabled to benefit package > users, python's optional dependency policy is to do the same, such that= > the default port options are the ones that are tested. >=20 > Maintainers can and should do more comprehensive testing by testing > various combinations of PTIONS >=20 >> [3] https://github.com/freebsd/poudriere/pull/355 --=20 John W. O'Brien OpenPGP keys: 0x33C4D64B895DBF3B --vnRuTPj0Mii5DfFEqyaf6sQSyI1TwHQmW-- --9lNgNvJgvXHiHTuCfh3xIwn5ayOHkniTJ Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- iQGTBAEBCgB9FiEEUgT925O8rsvNs2oHIjgwc/pAJtYFAl8gsPFfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDUy MDRGRERCOTNCQ0FFQ0JDREIzNkEwNzIyMzgzMDczRkE0MDI2RDYACgkQIjgwc/pA JtbxuwgA0I+TJGhmsqHjQ22VN5icvmYBmbJJqRlRdHPsH6q3IKMc+XtDdJxnM1+j yv5hzcgwCf/4vGEs0n92EXFKwRrPYXGfCZ8kKgrDlFXyUPrfbLINmqBKuHEoghiC rCFd/Dznx8gM4xK7uarFXl511tskg15+guKZUvYkpGYNE43zxuV/KLunqae18/z5 wfn8lYa5GBncuTeAkh/LllhD8VVbua6p0JjCJ7TXvADoHdk08CsZF4DwywSXUWrq fXrsvfvT2KXMu80r9WiV/2+7SS50q2Vz+ZQsz5U7B+wRn3Me+L/YtVHtER2Eivj+ qbasVhL/zf+mGxZKbPAYyWJUglG1VA== =jX6u -----END PGP SIGNATURE----- --9lNgNvJgvXHiHTuCfh3xIwn5ayOHkniTJ--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?7bfffda3-6673-4867-641c-761cad5b5f57>