#66 closed defect (fixed)
install requires pyOpenSSL (for secure mode)
| Reported by: | Zooko | Owned by: | Brian Warner |
|---|---|---|---|
| Priority: | major | Milestone: | 0.2.8 |
| Component: | packaging | Version: | 0.2.5 |
| Keywords: | Cc: |
Description
Using easy_install to install foolscap with its ability to have secure connections fails because foolscap doesn't declare its dependency on pyOpenSSL, although it does declare its dependency on twisted:
We could define, in setuptools terms an "extra" feature of foolscap, which is secure connections.
This could be expressed in the setup.py as something like this:
extras_require = {
'secure_connections': ["pyOpenSSL>=0.6"],
}
However it might be better to simply make foolscap always require pyOpenSSL (and for that matter it might be better to make it always create and use secure connections). This idea in the general case has been persuasively advocated by Ian Grigg: There Is Only One Mode And It Is Secure..
In order to do that, of course, we simply need add "pyOpenSSL >= 0.6" to the list of install_requires in the setup.py.
Change History (8)
comment:1 Changed 16 years ago by
comment:2 Changed 16 years ago by
| Milestone: | undecided → 0.2.8 |
|---|
comment:3 Changed 16 years ago by
Note that because of http://twistedmatrix.com/trac/ticket/3218 -- http://allmydata.org/trac/tahoe/ticket/402 , you might want to require a version of pyOpenSSL not == 0.7, which would be expressed.
extras_require = {
'secure_connections': ["pyOpenSSL>=0.6,!=0.6"],
}
comment:4 Changed 16 years ago by
Whoops, that should have said:
extras_require = {
'secure_connections': ["pyOpenSSL>=0.6,!=0.7"],
}
comment:5 Changed 16 years ago by
Now that https://bugs.launchpad.net/pyopenssl/+bug/236190 (funny permission bits in pyOpenSSL-0.6.tar.gz confuse tarfile.py) is resolved, people who use easy_install or setuptools (including the default process to install Tahoe from source) will be able to resolve the dependency on pyOpenSSL.
Currently, they will do this by getting pyOpenSSL v0.6, and in the future when a new pyOpenSSL is released, they will get that.
Hm. This means that if the pyOpenSSL maintainers release a new version of pyOpenSSL with a version number higher than 0.6 and not equal to 0.7, and if that new version still has this bug in it, then this bug will start hitting us again. Hm. Weird packaging issue.
I guess for the moment we are going to bet that the pyOpenSSL maintainers won't do that. I suppose the alternative is to require pyOpenSSL == 0.6, so that people can't conveniently use foolscap with a newer pyOpenSSL until Brian releases a new foolscap that loosens that requirement.
comment:6 Changed 16 years ago by
Hm. Actually writing "pyOpenSSL>=0.6,!=0.7" is incorrect.
Newer version of pyOpenSSL can come out which are unchanged with respect to this issue. Newer versions of Twisted, on the other hand, will hopefully fix this issue.
Since setuptools doesn't allow the expression of disjunctions of requirements, the only correct answer for now is "pyOpenSSL==0.6".
Here is a wishlist ticket for setuptools to support more expressive requirements:
http://bugs.python.org/setuptools/issue22 (wish: more expressive requirements)
comment:7 Changed 16 years ago by
| Owner: | set to Brian Warner |
|---|---|
| Status: | new → assigned |
I'm going to declare an "extras" dependency on pyOpenSSL (unversioned), because:
- pyOpenSSL 0.6 basically works, it just causes unit test failures (the #62 bug only affects waiting for connection shutdown, which is pretty rare in actual application code)
- debian/sid has pyOpenSSL 0.7 now, and is likely to until upstream makes a new release with a fix, and if foolscap refuses to run with 0.7 then those debian systems (on which the admins haven't pinned 0.6 in place) will unnecessarily fail
When pyOpenSSL 0.8 is in debian, I'll revisit the dependency declaration to make it avoid 0.7 .
comment:8 Changed 16 years ago by
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
done, in [62845f6621c42e1dd666023b17d82a3756a17278].
I've opened a new ticket to consider whether foolscap should unconditionally require pyOpenSSL: #67.
It will take me some time to decide whether Foolscap will require pyOpenSSL unconditionally. While I agree with your and Ian's philosophy, there are users of foolscap who have preferred to not use crypto for various reasons, and I need to make sure I respect their interests (or convince them otherwise).
Adding it as an 'extras' seems feasible in the shorter term. If you want this for Tahoe #438, it sounds like we need a new Foolscap release at least a couple of days before the Tahoe release, which means this change needs to be in, like, yesterday.