Python 3.12 update. #58
Thanks for the changes
Moving to 3.12 is an important step toward 3.13
Maybe, in the future we should always focus on getting the next Python version, instead of trying to jump from 3.11 to 3.13 for example
Can we update the docker tests, to include centos 8 and 9 ?
I have found this issue related to the new libnsl dependency
conda-forge/rasterio-feedstock#220
I hope that we can get the "-dev" packages removed from our build system, and then the Python configure script will disable those modules
@@ -36,6 +40,12 @@ jobs: | |||
timeout-minutes: 5 | |||
run: bash ./build.sh test | |||
|
|||
# Commit changed requirements.txt back to the repository | |||
- uses: chevah/git-auto-commit-action@HEAD |
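Review bot: `uses: chevah/git-auto-commit-action@HEAD` references a mutable ref, so whatever is on that repository's default branch at run time executes in this job, and this is the step that commits back to the repository. Pin the action to a full commit SHA (or at least a release tag) and say in the comment above the step which files it is expected to commit.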
I am not happy with this ... but we can look to fix this in a separate PR
The CI run should not modify the source code
Can we have the "requirements.txt" manually updated before a push ?
I guess that this is a question for #62
What we can do as part of the CI, is make sure that "requirements.txt" doesn't need an update during a CI run
We have something similar for chevah/server
> What we can do as part of the CI, is make sure that "requirements.txt" doesn't need an update during a CI run
> We have something similar for chevah/server
Not sure what that would be. I know it's used for cache updates, but what do you mean by "making sure it doesn't need an update"?
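One way a CI step can check that "requirements.txt" needs no update instead of committing it, as an added example (not code from this PR or from chevah/server). The function names are hypothetical; the sample pins reuse versions mentioned on this page, and `--hash` continuation lines are not handled.

```python
import re
import sys

# Constructed samples: the committed file and the list a build would produce.
COMMITTED = "pip==24.2\npsutil==6.0.0\nsetuptools==70.3.0\n"
GENERATED = "pip==24.2\npsutil==6.0.0\nsetuptools==75.1.0\n"


def parse_pins(text):
    """Return {normalized_name: version} for 'name==version' lines."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        name, sep, version = line.partition("==")
        if not sep or not version.strip():
            # An unpinned entry is itself a failure for a locked file.
            raise ValueError(f"unpinned requirement: {raw!r}")
        # PEP 503 normalization, so 'Foo_Bar' and 'foo-bar' compare equal.
        key = re.sub(r"[-_.]+", "-", name.strip()).lower()
        pins[key] = version.strip()
    return pins


def drift(committed, generated):
    """List (name, committed_version, generated_version) for every mismatch."""
    old, new = parse_pins(committed), parse_pins(generated)
    return [
        (name, old.get(name), new.get(name))
        for name in sorted(old.keys() | new.keys())
        if old.get(name) != new.get(name)
    ]


if __name__ == "__main__":
    # Usage in CI: check.py requirements.txt freshly-generated.txt
    with open(sys.argv[1]) as a, open(sys.argv[2]) as b:
        changes = drift(a.read(), b.read())
    for name, old, new in changes:
        print(f"{name}: committed {old}, build produced {new}")
    sys.exit(1 if changes else 0)  # fail the job, never rewrite the file
```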
@@ -0,0 +1,5 @@ | |||
pip==24.2 | |||
psutil==6.0.0 |
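Review bot: `pip==24.2` and `psutil==6.0.0` pin versions but carry no `--hash=sha256:` entries, so pip accepts any artifact published under those version numbers; adding hashes lets the install run in pip's hash-checking mode (`--require-hashes`). A one-line comment above `psutil==6.0.0` saying why it is bundled would also help the next reader of this file.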
Why do we need to distribute psutil with pythia ?
For the long term, my expectation is that pythia will be just python + embedded pip
No other requirements.
setuptools / pywin32 / pycparser can all be installed later in chevah/server and chevah/compat via pip from our PyPI mirror
It has been added as requested through chevah/python-package#125.
It can also be removed as requested. I've added a ticket to deal with all this: #66
Note though that psutil doesn't have a musl wheel, so we need to build it until upstream changes its mind. More at giampaolo/psutil#2126
Thanks. That's ok. We just need to add a comment that psutil is still needed and link to the upstream bug report.
In theory, on alpine, we can build the wheel for psutil and then copy it to bin.chevah.com .. it will be available as wheel for Alpine just for us
@@ -37,7 +37,10 @@ chevahbs_try() { | |||
|
|||
|
|||
chevahbs_cp() { |
this needs a comment ... I have no idea why we need this and what it does
It's copying needed files after a successful build. All the commands in chevahbs for this library are also cp commands.
src/xz/chevahbs
Outdated
@@ -37,7 +37,10 @@ chevahbs_try() { | |||
|
|||
|
|||
chevahbs_cp() { | |||
execute "${MAKE_CMD[@]}" install DESTDIR="$INSTALL_DIR" | |||
# xz's installation copies binaries too, but there's no need for them. | |||
execute cp -R src/liblzma/api/* "$INSTALL_DIR"/include/ |
Do we need these files in the install dir ?
What is the "install dir" ?
I expect them to be needed in the build dir , but they should not be needed for the final package
$INSTALL_DIR is where the built libraries and Python are installed (or simply copied as needed).
Pruning files needed there but not wanted in the final dist package is done through cleanup_install_dir() in functions_build.sh:
Line 172 in ba80a30
cleanup_install_dir() {
Added #67 for this.
allowed_deps=[ | ||
'libc.so.6', | ||
'libcrypt.so.1', | ||
'libdl.so.2', | ||
'libm.so.6', | ||
'libnsl.so.1', |
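Review bot: the `'libnsl.so.1'` entry in `allowed_deps` has no comment saying which module pulls it in. Add one next to the entry, with a reference to the ticket for dropping it, so the allow-list does not keep accepting a library after nothing in the package needs it.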
Is this library directly needed by Python 3.12?
Can we build python without NIS module
https://docs.python.org/3/library/nis.html
This module is not used by the Chevah repos ... and will be removed soon
Didn't bother much about it, because it's so small and unimportant, soon to be removed.
We used to patch setup.py for disabling such modules, but that file is gone. Other ideas of how to do this with 3.12?
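How an `allowed_deps` allow-list like the one in the diff above can be enforced against the built binaries, as an added example (not the project's own test code). The function names are hypothetical, the allow-list holds only the entries visible on this page, the `readelf` output is a constructed sample, and `readelf_dynamic()` assumes binutils is installed.

```python
import re
import subprocess

# Entries visible in the diff above; the page truncates the full list.
ALLOWED_DEPS = {
    "libc.so.6", "libcrypt.so.1", "libdl.so.2", "libm.so.6", "libnsl.so.1",
}

# NEEDED entries as printed by `readelf -d <file>`.
NEEDED_RE = re.compile(r"\(NEEDED\)\s+Shared library:\s+\[([^\]]+)\]")

# Constructed sample: an extension module built on a host where extra
# development packages were installed, so it links libraries that are
# not on the allow-list.
SAMPLE_READELF = """\
Dynamic section at offset 0x2d90 contains 27 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libnsl.so.2]
 0x0000000000000001 (NEEDED)             Shared library: [libtirpc.so.3]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000c (INIT)               0x3000
"""


def needed_libs(readelf_output):
    """Return the NEEDED sonames in the order readelf lists them."""
    return NEEDED_RE.findall(readelf_output)


def unexpected_deps(readelf_output, allowed=ALLOWED_DEPS):
    """Sonames the binary links against that are not on the allow-list."""
    return sorted(set(needed_libs(readelf_output)) - set(allowed))


def readelf_dynamic(path):
    """Dynamic section of a real file (assumes binutils' readelf on PATH)."""
    result = subprocess.run(
        ["readelf", "-d", path], capture_output=True, text=True, check=True
    )
    return result.stdout


def audit(dynamic_sections):
    """Map each path to its unexpected sonames, skipping clean files."""
    report = {}
    for path, output in dynamic_sections.items():
        extra = unexpected_deps(output)
        if extra:
            report[path] = extra
    return report
```

Failing the build when `audit()` returns a non-empty report catches a contaminated build host before the package is published.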
Ooops… needs-changes
Thanks for the review!
These are not actually "tests", but rather builds. So we build the musl and glibc Linux packages through Docker on Alpine Linux 3.15 and Amazon Linux 2. Building on other platforms would result in false positives, e.g. for RHEL 8/9 and clones, the build is going to be contaminated with unwanted dependencies.
I've seen that this is part of glibc on Amazon Linux 2, thus not removable. Checked a number of distro containers, all had Obviously, this is a problem that might arise again in the future. Not sure how to best check for this, now that tests in the server repo are not done on supported platforms. But why didn't
Well, on Amazon Linux 2 this would be
The dependency on I've added tickets for the other suggestions, but left the conversations open until your resolution. Let me know if I missed something. Thanks! needs-review
Maybe Oracle Linux 8 has that library ... I think that we are ok.
True. Makes sense. well... what we can do is create separate docker test runs as part of GitHub actions.
That's all With GitHub Action Artifacts we can "publish" the pythia .tar.gz files in kind of a temporary location More info about GitHub Artifacts here https://github.com/actions/upload-artifact
Thanks. Let's have this released.
We can then merge compat ... and also I am looking forward to having this included in chevah/server
Many thanks again! Great work!
Scope
This was supposed to fix #57.
Changes
Updated Python to version 3.12.7, as there's no pywin32 for Python 3.13 for now. Fixes CVE-2024-28757, CVE-2024-45490, CVE-2024-45491 and CVE-2024-45492.
Also updating OpenSSL for Python's ssl module to 3.0.15 on all platforms, fixing CVE-2024-6119, CVE-2024-6119. On Windows, CVE-2024-6119 and CVE-2024-6119 are now fixed too.
Python modules version updates:
pip to 24.2
setuptools to 75.1.0 (70.3.0 to match the version in server repo)
psutil to 6.0.0.
Updated the Alpine Linux version to build on to 3.15 (with musl 1.2.2). Therefore, musl 1.1.x distributions are no longer supported. This follows upstream cryptography, which only builds musl 1.2 wheels since version 43.0.0.
Drive-by changes:
libedit on macOS, where it's a system lib.
safety and added requirements.txt to leverage GitHub's own security checks.
requirements.txt file is auto-updated when building successfully on Windows through GHA.
pythia.* from server repo with minor improvements.
xz stuff, and by bzip'ing copied header files.
Testing
Automated.