Hi Vasudev,

Thanks for filing this bug report. While I understand the challenges of
carrying embedded copies, this is mainly done for convenience because
apt-offline has to run on other platforms too. Also different
variations of Linux distributions have different behavior and
philosophy.


On Wed, 2015-11-04 at 21:41 +0530, Vasudev Kamath wrote:
> Hi,
> 
> apt-offline contains embedded code copy of magic.py from python-magic,
> though file is renamed as AptOfflineMagicLib.py. I diffed this file
> against the latest version of magic.py from python-magic and there is
> no difference.
> 

Yes. When I moved from my previous library to the system defined one, I
too looked at this. The problem is with what Python upstream treats as
the magic lib vs what standard Linux distributions treat as magic lib.

As per python:

https://github.com/ahupp/python-magic/blob/master/magic.py
https://pypi.python.org/pypi/filemagic/1.6

vs

What, for example, Debian prefers. And also, what I prefer for
apt-offline:

http://www.darwinsys.com/file/


So that is the main reason to carry the library embedded. Because if
there is a user with a pypi based magic library, he may run into
unwanted problems. IIRC, I ran into some of those "time wasting"
problems, and thus decided to embed this library.

And this is not the only library we embed. There's the debianbts
library which is embedded, though it is needed because on Windows, it
will otherwise not be easy for the user. So adding dependencies to the
packages does not help because I expect users to also unzip the
apt-offline archive and be able to run it.

For most of the embedded libraries, my first preference is to probe for
system installed libraries. Embedded libs are only a fallback plan. But
I think for magic, this is the exception. Because some of the Linux
distributions have moved with python-magic from pypi.


> I would suggest it's better to drop this code and depend on
> python-magic package. Otherwise better to report this as embedded code
> copy document maintained by security team
> 

I hope I've clarified the reasoning well. I like the latter part of the
comment about reporting it to security team.

Perhaps I'll keep this bug open to track it for that purpose.

> https://anonscm.debian.org/viewvc/secure-testing/data/embedded-code-copies?revision=37555&view=markup

If you have other approaches for solving the library problem, please
suggest. But I'd not want it to be at the cost of user inconvenience.

-- 
Ritesh Raj Sarraf
RESEARCHUT - http://www.researchut.com
"Necessity is the mother of invention."
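
Added example, not part of the original message and not apt-offline's own code: one way to do the "probe the system library first, embedded copy as fallback" approach described above while guarding against the wrong magic module being picked up. The attribute markers used to tell the two modules apart, the function names and the returned labels are assumptions made for illustration.

```python
import importlib

# Attribute signatures used to tell the two "magic" modules apart (assumed).
PYPI_MARKERS = ("from_file", "from_buffer")   # ahupp/python-magic style API
FILE_MARKERS = ("open", "MAGIC_MIME")         # bindings shipped with file(1)


def classify_magic(module):
    """Return 'pypi', 'file' or 'unknown' for an imported magic module."""
    # Check the PyPI markers first so that a module exposing both APIs is
    # not mistaken for the file(1) bindings.
    if all(hasattr(module, name) for name in PYPI_MARKERS):
        return "pypi"
    if all(hasattr(module, name) for name in FILE_MARKERS):
        return "file"
    return "unknown"


def load_magic(system_name="magic", embedded_name="AptOfflineMagicLib",
               wanted="file"):
    """Probe the system module first; fall back to the embedded copy.

    Returns (module, source) where source is 'system' or 'embedded', so the
    caller can log which copy is in use. That matters for security updates:
    a fix in the system package does not reach the embedded copy.
    """
    try:
        candidate = importlib.import_module(system_name)
    except ImportError:
        candidate = None
    if candidate is not None and classify_magic(candidate) == wanted:
        return candidate, "system"
    # Wrong flavour installed, or nothing installed: use the bundled copy.
    return importlib.import_module(embedded_name), "embedded"
```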
