On Sat, Nov 2, 2019 at 9:18 PM Thomas Petazzoni
<thomas.petazzoni@xxxxxxxxxxx> wrote:
>
> Hello Nicolas,
>
> On Sat, 2 Nov 2019 18:28:09 +0100
> Nicolas Iooss <nicolas.iooss@xxxxxxx> wrote:
>
> > When selinux module is imported from a Python script, the content of
> > __init__.py is compiled into bytecode and the result is saved into a
> > file if it is allowed. For example, when root runs with Python 3.7 a
> > script that uses "import selinux" on a system where SELinux is in
> > permissive mode, this file may be created:
> >
> > /usr/lib/python3.7/site-packages/selinux/__pycache__/__init__.cpython-37.pyc
> >
> > Prevent this file from being dynamically created by creating it when
> > libselinux is installed, using "python -m compileall".
> >
> > Signed-off-by: Nicolas Iooss <nicolas.iooss@xxxxxxx>
>
> As far as I know, this is not typically done by "setup.py install", and
> this is generally left to distributions.

Hello, this is done when a parameter such as "--optimize=1" is given to
"python setup.py install". Such a parameter is described in Arch Linux
packaging guidelines
(https://wiki.archlinux.org/index.php/Python_package_guidelines#distutils).
Nevertheless I agree it seems to be left to distributions whether to
bytecode-compile Python modules.

> In the context of Buildroot [1], we do the byte-compilation all at once
> at the very end of the build of all packages. Having individual
> packages do their own byte-compilation would be annoying.

What is the reference you are using for [1]? Why would this be
annoying? For example, do you use a non-standard way of generating the
bytecode which is not compatible with the one that would be generated
by the package itself?

> If you would like to have this byte-compilation done by the SELinux
> Makefile, could you make it optional (even if you decide to enable it
> by default)?

My main motivation behind this patch is to remove lines such as this
one from Arch Linux's PKGBUILD:

/usr/bin/python3 -m compileall "${pkgdir}/$(/usr/bin/python3 -c 'import site; print(site.getsitepackages()[0])')"

(Example from
https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=selinux-python&id=dd87f7ae1d636a02bf404ed527a27022ee5d2ab3)

As every Makefile installing Python scripts has everything that is
needed to build this command line, it is much simpler for "make
install" to perform the bytecode-compilation directly instead.

Nevertheless, as there is an interest to keep bytecode-compilation out
of the "make && make install" process, I will rework my patches to make
it optional (so that Arch Linux and maybe other distributions can
invoke it, but not Buildroot).

Thanks,
Nicolas
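Added example, not part of the original message or of the libselinux patches: a packaging-time check that lists the .py files in a staging tree whose __pycache__ entry is absent or out of date, the files for which Python would try to create bytecode at import time as described in the quoted commit message. The package name selinux_demo and the tree built in demo() are constructed for illustration.

```python
import compileall
import importlib.util
import pathlib
import struct
import tempfile


def pyc_problem(src):
    """Return why the cached bytecode for `src` is absent or out of date, else None."""
    pyc = pathlib.Path(importlib.util.cache_from_source(str(src)))
    if not pyc.is_file():
        return "missing"
    header = pyc.read_bytes()[:16]
    if len(header) < 16 or header[:4] != importlib.util.MAGIC_NUMBER:
        return "wrong-interpreter"
    if int.from_bytes(header[4:8], "little") & 0x1:
        # Hash-based .pyc (PEP 552): bytes 8..16 hold the source hash.
        ok = header[8:16] == importlib.util.source_hash(src.read_bytes())
    else:
        # Timestamp-based .pyc: 32-bit source mtime, then 32-bit source size.
        mtime, size = struct.unpack("<II", header[8:16])
        st = src.stat()
        ok = (mtime, size) == (int(st.st_mtime) & 0xFFFFFFFF, st.st_size & 0xFFFFFFFF)
    return None if ok else "stale"


def audit(root):
    """Map each .py file under `root` to its problem; an empty dict means clean."""
    root = pathlib.Path(root)
    checked = ((s.relative_to(root).as_posix(), pyc_problem(s)) for s in sorted(root.rglob("*.py")))
    return {name: why for name, why in checked if why}


def demo():
    """Constructed tree standing in for a package staging directory."""
    with tempfile.TemporaryDirectory() as tmp:
        pkg = pathlib.Path(tmp, "selinux_demo")  # hypothetical package name
        pkg.mkdir()
        (pkg / "__init__.py").write_text("from .util import answer\n")
        (pkg / "util.py").write_text("answer = 42\n")
        before = audit(tmp)                    # nothing compiled yet
        compileall.compile_dir(tmp, quiet=1)   # same work as "python -m compileall"
        after = audit(tmp)
        (pkg / "util.py").write_text("answer = 42  # edited after packaging\n")
        edited = audit(tmp)
    return before, after, edited


if __name__ == "__main__":
    for label, result in zip(("before", "after compileall", "after edit"), demo()):
        print(label, result)
```

The check only covers the interpreter that runs it, since the cache file name and magic number are specific to each Python version.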