From: "John W. O'Brien"
To: koobs@FreeBSD.org, FreeBSD Python
Subject: Re: security/py-pycryptodome: Soft dependency on devel/py-cffi
Date: Tue, 28 Jul 2020 19:12:49 -0400
Message-ID: <7bfffda3-6673-4867-641c-761cad5b5f57@saltant.com>
In-Reply-To: <5d4a1521-0739-2e24-1f7f-1dc7a96ea648@FreeBSD.org>

On 2020/07/27 23:11, Kubilay Kocak wrote:
> On 28/07/2020 12:29 pm, John W. O'Brien wrote:
>> On 2020/07/27 22:08, Kubilay Kocak wrote:
>>> On 28/07/2020 5:43 am, John W. O'Brien wrote:
>>>> Greetings FreeBSD Python,
>>>>
>>>> I have been mulling over a thing and would like the list's perspective
>>>> before I decide whether to take action or not.
>>>>
>>>> security/py-pycryptodome will use devel/py-cffi if it is available [0]
>>>> or ctypes otherwise [1]. This makes me just a little bit uneasy since it
>>>> leaves the door open to certain Heisenbugs and red herrings. My question
>>>> is whether it warrants adding devel/py-cffi to RUN_DEPENDS to ensure
>>>> consistent behavior? If not, what about as an OPTION for those who care
>>>> about that sort of thing?
>>>>
>>>> [0] https://github.com/Legrandin/pycryptodome/blob/v3.9.8/lib/Crypto/Util/_raw_api.py#L71-L161
>>>>
>>>> [1] https://github.com/Legrandin/pycryptodome/blob/v3.9.8/lib/Crypto/Util/_raw_api.py#L163-L263
>>>>
>>>> [2] https://en.wikipedia.org/wiki/Heisenbug
>>>>
>>>
>>> The Python Policy section on optional dependencies should cover this:
>>>
>>> https://wiki.freebsd.org/Python/PortsPolicy#Optional_Dependencies
>>>
>>> tldr;
>>>
>>> For either at build or run-time optional dependencies (where the pattern
>>> is, check if dep exists, use some code path if true, else use another
>>> code path), add OPTIONS for them.
>>
>> OK, so something like this?
>>
>> OPTIONS_DEFINE=CFFI
>> OPTIONS_DEFAULT=CFFI
>>
>> CFFI_DESC=Use devel/py-cffi for low-level API instead of ctypes
>> CFFI_RUN_DEPENDS=${PYTHON_PKGNAMEPREFIX}cffi>=0:devel/py-cffi@${PY_FLAVOR}
>>
>
> That's fine. If the option is related to performance, I'd clarify that in
> the description.
>
>>> Re heisenbugs/etc, this is where support for running test suites in the
>>> port is critical, let us know in #freebsd-python on freenode IRC if you
>>> need help getting these hooked up
>>
>> I've been looking forward to the day when [3] lands. Is there some other
>> way to run the test target in a poudriere build?
>
> Yes, that would be nice. The other way is to testport -i to enter the
> jail, at which point you can run `make test` from the port dir

Is there any trick to ensuring that the TEST_DEPENDS have already been
built, or are already installed in the jail, by that point?

>> Of course, running test suites in the build environment wouldn't uncover
>> bugs that are triggered by something that just happens to show up in the
>> runtime environment. Enabling the OPTIONal things by default would
>> clearly help.
>
> The same as ports defaulting OPTIONS to enabled to benefit package
> users, python's optional dependency policy is to do the same, such that
> the default port options are the ones that are tested.
>
> Maintainers can and should do more comprehensive testing by testing
> various combinations of OPTIONS
>
>> [3] https://github.com/freebsd/poudriere/pull/355

-- 
John W. O'Brien
OpenPGP keys: 0x33C4D64B895DBF3B
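
Added example, not part of the original message and not pycryptodome's or the ports tree's own code: a simplified Python model of the soft dependency discussed in this thread, showing how a build jail without cffi exercises the ctypes path while a host that happens to have cffi installed runs the other one. The `env` helper, the sample module sets and the assumption that the choice depends only on whether `cffi` is importable are constructed for illustration.

```python
import importlib.util


def probe_backend(find_spec=importlib.util.find_spec):
    """Return the FFI path a try-cffi-else-ctypes loader would take.

    Simplified model (assumption): the choice depends only on whether
    the 'cffi' module is importable. find_spec is injectable so that
    other environments can be simulated.
    """
    try:
        available = find_spec("cffi") is not None
    except (ImportError, ValueError):
        available = False
    return "cffi" if available else "ctypes"


def env(*installed):
    """Constructed environment: a find_spec stand-in for a fixed module set."""
    present = frozenset(installed)
    return lambda name: object() if name in present else None


def backend_drift(tested_env, runtime_env):
    """Return (tested, runtime) when the two environments take different
    code paths, or None when the tested path is the one that will run."""
    tested = probe_backend(tested_env)
    runtime = probe_backend(runtime_env)
    return None if tested == runtime else (tested, runtime)


# Constructed sample environments (module names only).
BUILD_JAIL_NO_DEP = env("Crypto")            # cffi not declared as a dependency
USER_HOST = env("Crypto", "cffi")            # cffi pulled in by some other package
BUILD_JAIL_WITH_DEP = env("Crypto", "cffi")  # cffi declared in RUN_DEPENDS

if __name__ == "__main__":
    print("this interpreter would select:", probe_backend())
    print("soft dependency:", backend_drift(BUILD_JAIL_NO_DEP, USER_HOST))
    print("hard dependency:", backend_drift(BUILD_JAIL_WITH_DEP, USER_HOST))
```

Calling `probe_backend()` with no arguments inside the jail and again on the target host gives the same comparison for real environments.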