Intent to retire python2-setuptools

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hello Fedorans and especially Pythonistas.

I'd like to retire python2-setuptools from Fedora 35+.
It contains utilities to execute code downloaded from the internet and it has not been updated for 2 years. It has a potential of a security hole, although I am not currently aware of any. 


Unfortunately, 6 packages still (Build)Require python2-setuptools in Fedora 35:

https://fedora.portingdb.xyz/pkg/python2-setuptools/


I've split them into 3 categories:


1) Trac plugins: trac-(customfieldadmin|monotone|watchlist)-plugin
Note: trac-monotone-plugin is the only package that Requires python2-setuptools in Fedora 35 on runtime. 

Trac has been already updated to Python 3 in Fedora 34+

The plugins don't (and cannot) work with Python 2 when Trac runs on Python 3.
Bugzillas exists for years:

https://bugzilla.redhat.com/show_bug.cgi?id=1739034
https://bugzilla.redhat.com/show_bug.cgi?id=1739024
https://bugzilla.redhat.com/show_bug.cgi?id=1739042
They were updated this February to point out the uselessness of the packages, but nothign happened. I have a clear conscience if the packages stop building (and installing in case of trac-monotone-plugin). 


2) Packages that BuildRequire python2-setuptools but don't use it: NFStest

Pull request exists to remove the unused dependency:

https://src.fedoraproject.org/rpms/NFStest/pull-request/2



3) Packages that BuildRequire python2-setuptools but don't have to:
                            python2-cairo, python-psutil

The two packages use this concept in setup.py:

 try:
     from setuptools import setup
 except ImportError:
     from distutils.core import setup

technically, they don't need setuptools to build, the dependency is optional.
Unfortunately they used setuptools to build in the past and if we remove it, the will change the .egg-info metadata directory to a file. Hence they will hit a well known limitation in RPM: 

https://docs.fedoraproject.org/en-US/packaging-guidelines/Directory_Replacement/

To compensate a rather ugly scriptlet is needed. The changes were proposed:

https://src.fedoraproject.org/rpms/python-psutil/pull-request/10
https://src.fedoraproject.org/rpms/python2-cairo/pull-request/1


However, I'd rather maintain the 2 scriptlets than python2-setuptools.


Please let me know if you see a problem.
--
Miro Hrončok
--
Phone: +420777974800
IRC: mhroncok
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux