| Message ID | 20190619142630.26648-1-sds@tycho.nsa.gov (mailing list archive) |
|---|---|
| State | Accepted |
| Headers | show |
| Series | selinux-testsuite: fix old python shebang in tests/overlay/access | expand |
On Wed, Jun 19, 2019 at 10:26 AM Stephen Smalley <sds@tycho.nsa.gov> wrote: > > /usr/bin/python is no longer installed by default, so this test > script fails on default installs. > Best practice guidance appears to be to switch to using > /usr/bin/python3 instead, per > https://docs.fedoraproject.org/en-US/packaging-guidelines/Python/ > > Fixes: #46 > Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> > --- > tests/overlay/access | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) I think it would be better to reference the Python upstream guidance regarding "python3" instead of the Fedora packaging guidelines. Keeping things distro agnostic is a good goal whenever possible. * https://www.python.org/dev/peps/pep-0394 > diff --git a/tests/overlay/access b/tests/overlay/access > index 5a47eb145904..e50d5b402ebd 100755 > --- a/tests/overlay/access > +++ b/tests/overlay/access > @@ -1,4 +1,4 @@ > -#!/bin/python > +#!/usr/bin/python3 > import os, sys > try: > acc=eval("os.%s" % sys.argv[2]) > -- > 2.20.1
On 6/19/19 10:40 AM, Paul Moore wrote: > On Wed, Jun 19, 2019 at 10:26 AM Stephen Smalley <sds@tycho.nsa.gov> wrote: >> >> /usr/bin/python is no longer installed by default, so this test >> script fails on default installs. >> Best practice guidance appears to be to switch to using >> /usr/bin/python3 instead, per >> https://docs.fedoraproject.org/en-US/packaging-guidelines/Python/ >> >> Fixes: #46 >> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> >> --- >> tests/overlay/access | 2 +- >> 1 file changed, 1 insertion(+), 1 deletion(-) > > I think it would be better to reference the Python upstream guidance > regarding "python3" instead of the Fedora packaging guidelines. > Keeping things distro agnostic is a good goal whenever possible. > > * https://www.python.org/dev/peps/pep-0394 When I looked for guidance in response to the github issue for selinux-testsuite [1], there seemed to be some ambiguity left by pep-0394: 1) It says "One exception to this is scripts that are deliberately written to be source compatible with both Python 2.x and 3.x. Such scripts may continue to use python on their shebang line.". This leaves open the possibility of staying with "/usr/bin/python" as far as the pep is concerned since the script itself is not version-specific in any way, but doing so is not permitted by the Fedora guidelines and breaks on default installs of Fedora. 2) It doesn't specify whether or not one should use "/usr/bin/env python3" or just "/usr/bin/python3". The github issue reported had originally suggested the former, but this is also prohibited by the Fedora guidelines. That's why I went with the Fedora guidelines. Happy to use whatever but at least that particular PEP doesn't clearly motivate the use of "/usr/bin/python3" here. [1] https://github.com/SELinuxProject/selinux-testsuite/issues/46 > >> diff --git a/tests/overlay/access b/tests/overlay/access >> index 5a47eb145904..e50d5b402ebd 100755 >> --- a/tests/overlay/access >> +++ b/tests/overlay/access >> @@ -1,4 +1,4 @@ >> -#!/bin/python >> +#!/usr/bin/python3 >> import os, sys >> try: >> acc=eval("os.%s" % sys.argv[2]) >> -- >> 2.20.1 >
On Wed, Jun 19, 2019 at 12:04 PM Stephen Smalley <sds@tycho.nsa.gov> wrote: > On 6/19/19 10:40 AM, Paul Moore wrote: > > On Wed, Jun 19, 2019 at 10:26 AM Stephen Smalley <sds@tycho.nsa.gov> wrote: > >> > >> /usr/bin/python is no longer installed by default, so this test > >> script fails on default installs. > >> Best practice guidance appears to be to switch to using > >> /usr/bin/python3 instead, per > >> https://docs.fedoraproject.org/en-US/packaging-guidelines/Python/ > >> > >> Fixes: #46 > >> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> > >> --- > >> tests/overlay/access | 2 +- > >> 1 file changed, 1 insertion(+), 1 deletion(-) > > > > I think it would be better to reference the Python upstream guidance > > regarding "python3" instead of the Fedora packaging guidelines. > > Keeping things distro agnostic is a good goal whenever possible. > > > > * https://www.python.org/dev/peps/pep-0394 > > When I looked for guidance in response to the github issue for > selinux-testsuite [1], there seemed to be some ambiguity left by pep-0394: > > 1) It says "One exception to this is scripts that are deliberately > written to be source compatible with both Python 2.x and 3.x. Such > scripts may continue to use python on their shebang line.". This leaves > open the possibility of staying with "/usr/bin/python" as far as the pep > is concerned since the script itself is not version-specific in any way, > but doing so is not permitted by the Fedora guidelines and breaks on > default installs of Fedora. [SIDE NOTE: for some reason my mail is acting a bit odd - this got buried in a folder and didn't bubble up like normal - my apologies on the delay, I didn't see it until I was checking for patches today.] Yes, I saw that too but considering that we are about six months away from python2 going EOL I think it is reasonable to ignore python2 for upstream work at this point. > 2) It doesn't specify whether or not one should use "/usr/bin/env > python3" or just "/usr/bin/python3". The github issue reported had > originally suggested the former, but this is also prohibited by the > Fedora guidelines. My initial reaction was that we should "/usr/bin/env" until I saw that bit in the Fedora guidelines, which I honestly don't understand. Does anyone with a better understanding of cross-distro userspace know why "/usr/bin/env" is bad? > That's why I went with the Fedora guidelines. Happy to use whatever but > at least that particular PEP doesn't clearly motivate the use of > "/usr/bin/python3" here. > > [1] https://github.com/SELinuxProject/selinux-testsuite/issues/46 Fair enough, I'll go ahead and merge it since it does fix a real problem. I did make once change to convert the "Fixes: #46" to use the full URL, e.g. "Fixes: https://github.com..."; I think this helps provide some necessary context (what if 10yrs from now we aren't on github, what does "#46" reference?). This is starting to stretch the topic a bit, but as far as "use whatever" is concerned, I'd really like to see us keep moving towards a more distro agnostic approach when it comes to upstream development/testing/etc. While SELinux has always had a "special" relationship with Fedora/RH, we've seen SELinux grow quite a bit over the years and I think it would be good to start trying to bring other distros up to the same level as Fedora when it comes to SELinux support. I think one easy first step is to start looking beyond the Fedora guidelines and see what other distros do/recommend. > >> diff --git a/tests/overlay/access b/tests/overlay/access > >> index 5a47eb145904..e50d5b402ebd 100755 > >> --- a/tests/overlay/access > >> +++ b/tests/overlay/access > >> @@ -1,4 +1,4 @@ > >> -#!/bin/python > >> +#!/usr/bin/python3 > >> import os, sys > >> try: > >> acc=eval("os.%s" % sys.argv[2]) > >> -- > >> 2.20.1 > > >
On Fri, Jun 21, 2019 at 5:45 PM Paul Moore <paul@paul-moore.com> wrote: > > On Wed, Jun 19, 2019 at 12:04 PM Stephen Smalley <sds@tycho.nsa.gov> wrote: > > On 6/19/19 10:40 AM, Paul Moore wrote: > > > On Wed, Jun 19, 2019 at 10:26 AM Stephen Smalley <sds@tycho.nsa.gov> wrote: > > >> > > >> /usr/bin/python is no longer installed by default, so this test > > >> script fails on default installs. > > >> Best practice guidance appears to be to switch to using > > >> /usr/bin/python3 instead, per > > >> https://docs.fedoraproject.org/en-US/packaging-guidelines/Python/ > > >> > > >> Fixes: #46 > > >> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> > > >> --- > > >> tests/overlay/access | 2 +- > > >> 1 file changed, 1 insertion(+), 1 deletion(-) > > > > > > I think it would be better to reference the Python upstream guidance > > > regarding "python3" instead of the Fedora packaging guidelines. > > > Keeping things distro agnostic is a good goal whenever possible. > > > > > > * https://www.python.org/dev/peps/pep-0394 > > > > When I looked for guidance in response to the github issue for > > selinux-testsuite [1], there seemed to be some ambiguity left by pep-0394: > > > > 1) It says "One exception to this is scripts that are deliberately > > written to be source compatible with both Python 2.x and 3.x. Such > > scripts may continue to use python on their shebang line.". This leaves > > open the possibility of staying with "/usr/bin/python" as far as the pep > > is concerned since the script itself is not version-specific in any way, > > but doing so is not permitted by the Fedora guidelines and breaks on > > default installs of Fedora. > > [SIDE NOTE: for some reason my mail is acting a bit odd - this got > buried in a folder and didn't bubble up like normal - my apologies on > the delay, I didn't see it until I was checking for patches today.] > > Yes, I saw that too but considering that we are about six months away > from python2 going EOL I think it is reasonable to ignore python2 for > upstream work at this point. > > > 2) It doesn't specify whether or not one should use "/usr/bin/env > > python3" or just "/usr/bin/python3". The github issue reported had > > originally suggested the former, but this is also prohibited by the > > Fedora guidelines. > > My initial reaction was that we should "/usr/bin/env" until I saw that > bit in the Fedora guidelines, which I honestly don't understand. Does > anyone with a better understanding of cross-distro userspace know why > "/usr/bin/env" is bad? Hello, As far as I understand, the choice of using /usr/bin/env or not in the shebang of a script depends on how you want your dependencies to load on a system: * Using "/usr/bin/env python3" (or with python or python2) allows using a virtualenv where all Python dependencies are installed. It makes it easier for two projects that require conflicting version of their dependencies to be used together on a system, and it makes it possible for an unprivileged user to use this script without requiring an administrator to install dependencies in system-wide directories (like /usr/lib/python3.7/site-packages/). * Using "/usr/bin/python3" makes sense when you want the script to use the dependencies that have been installed system-wide, for example using packages from your distribution. This way, you kind-of control which version of the dependencies are used: they are the one that are packaged by the distribution. This is why it makes sense for Fedora's guidelines to prefer this other /usr/bin/env. By the way, I just got back from some holidays and I am reading the messages from the mailing list after 1-2 months away. Therefore I might have missed some context in your question that would make my answer look like I am answering to something else. Sorry about that. Best, Nicolas
diff --git a/tests/overlay/access b/tests/overlay/access index 5a47eb145904..e50d5b402ebd 100755 --- a/tests/overlay/access +++ b/tests/overlay/access @@ -1,4 +1,4 @@ -#!/bin/python +#!/usr/bin/python3 import os, sys try: acc=eval("os.%s" % sys.argv[2])
/usr/bin/python is no longer installed by default, so this test script fails on default installs. Best practice guidance appears to be to switch to using /usr/bin/python3 instead, per https://docs.fedoraproject.org/en-US/packaging-guidelines/Python/ Fixes: #46 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> --- tests/overlay/access | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)