Opened 5 years ago

Closed 4 years ago

#10009 closed enhancement (fixed)

rethink the dependencies handling of PTBB

Reported by: infinity0
Owned by: dcf
Priority: Low
Milestone:
Component: Applications/Tor bundles/installation
Version:
Severity:
Keywords:
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

The heavy amount of custom shell script just to get dependencies scares me and is a maintenance liability. py2exe at least automatically includes transitive deps in the build. I had a look at modulefinder but it is behaving in a weird way - for example, running my attached script on flashproxy-client for some reason gives setuptools as a dependency. There are also many false negatives due to conditional-imports, a feature unique to Python.

Also, do we have some usage statistics for the GNU/Linux bundles? I should think most people use their distro's package manager for this... For Mac OS X we have to do a custom package in any case. :(

Attachments (1)

find_transitive_deps.py (488 bytes) - added by infinity0 5 years ago.

Change History (3)

Changed 5 years ago by infinity0

Attachment: find_transitive_deps.py added

comment:1 in reply to:  description Changed 5 years ago by dcf

Replying to infinity0:

> The heavy amount of custom shell script just to get dependencies scares me and is a maintenance liability. py2exe at least automatically includes transitive deps in the build. I had a look at modulefinder but it is behaving in a weird way - for example, running my attached script on flashproxy-client for some reason gives setuptools as a dependency. There are also many false negatives due to conditional-imports, a feature unique to Python.

I think the main reason we copy packages individually and manually is that we need to be careful to comply with the licenses of all the software we ship. Usually all it takes is including a copy of their license and copyright notice. We also, as you say, want to be careful about not including packages that are not really needed, just for size reasons.

One way would perhaps be to use modulefinder along with hints, like py2exe uses. Often you have to tell py2exe about specific packages to include or exclude. We could add special guard code to check if anything got copied in that we don't expect (that we might need a license for).

> Also, do we have some usage statistics for the GNU/Linux bundles? I should think most people use their distro's package manager for this... For Mac OS X we have to do a custom package in any case. :(

Do you mean, are people using distro packages to run the Tor Browser Bundle, rather than downloading the binary tarball? I think that practice is not recommended, because Tor Browser isn't packaged, and it's dangerous to try to hook up a different browser to Tor. There is a ticket or other discussion somewhere about packaging Tor Browser for Debian or Ubuntu. (Micah Lee made a package that repacks the torproject.org bundles, but that's a bit different.)

If you mean, why can't we just rely on already installed packages for some of the dependencies of the bundle: it means people would have to apt-get install python-twisted and a bunch of other things before using the bundle, and it would prevent you from, for example, running a copy of the bundle from a USB drive on someone else's computer.

I don't know of any usage counts and I suspect none exist (by design). I use the GNU/Linux bundles...
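The modulefinder-with-hints guard suggested in comment:1, sketched as an added example (not code from this ticket, the attachment, or the project). The file names `client.py`, `transport`, `helperlib`, `plugin` and the license mapping are constructed for illustration.

```python
import modulefinder
import os
import tempfile

def bundled_top_levels(script, search_path, includes=(), excludes=()):
    """Top-level packages modulefinder would pull into a bundle for `script`."""
    finder = modulefinder.ModuleFinder(path=list(search_path),
                                       excludes=list(excludes))
    finder.run_script(script)
    for name in includes:   # hints: dynamically loaded modules the scan cannot see
        finder.import_hook(name)
    return {n.split(".")[0] for n in finder.modules if n != "__main__"}

def unlicensed(found, licenses):
    """Packages about to be bundled that have no reviewed license entry."""
    return sorted(found - set(licenses))

def demo():
    # Constructed source tree: client.py imports transport statically and
    # plugin dynamically; transport pulls in helperlib transitively.
    files = {
        "client.py": "import transport\n__import__('plug' + 'in')\n",
        "transport/__init__.py": "import helperlib\n",
        "helperlib.py": "",
        "plugin.py": "",
    }
    # Constructed allowlist: package -> license notice shipped with the bundle.
    licenses = {"transport": "LICENSE.transport", "plugin": "LICENSE.plugin"}
    with tempfile.TemporaryDirectory() as root:
        for rel, body in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(body)
        script = os.path.join(root, "client.py")
        plain = bundled_top_levels(script, [root])
        hinted = bundled_top_levels(script, [root], includes=["plugin"])
        trimmed = bundled_top_levels(script, [root], includes=["plugin"],
                                     excludes=["helperlib"])
    return plain, unlicensed(hinted, licenses), unlicensed(trimmed, licenses)

if __name__ == "__main__":
    plain, missing, missing_after_exclude = demo()
    print("found without hints:", sorted(plain))
    print("no license entry:", missing)
    print("after excluding helperlib:", missing_after_exclude)
    raise SystemExit(1 if missing else 0)   # non-zero exit fails the build
```

The search path is limited to the constructed tree so the result does not depend on what is installed on the build machine; a real build would pass the bundle's own library directories.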

comment:2 Changed 4 years ago by dcf

Resolution: fixed
Status: new → closed

This is obsolete with the gitian bundles.
