Yours, Abdur-Rahmaan Janhangeer pythonmembers.club | github Mauritius
On Thu, Jan 9, 2020 at 9:10 AM Andrew Barnert <abarn...@yahoo.com> wrote:

> On Jan 8, 2020, at 12:04, Abdur-Rahmaan Janhangeer <arj.pyt...@gmail.com> wrote:
>
> OK, but I don’t see how any scheme that looks like any of the usual ones
> could be adapted to work.
>
> The whole point of code signing is that I know that you signed the app with a
> key that nobody else has access to, and nobody has changed the app since then
> (plus additional stuff, but this is the relevant part). If that new zip B is
> built on the fly on my machine by normal user software, it can only be signed
> with a key that’s available to normal user software on my machine. Which
> includes malicious software that wants to modify and re-sign the zip. (I’m
> assuming you can’t rely on being online at this point.)

Being online for checking is normally how you do it. Machine-based have the problems you stated. Now you'd be asking why dependencies have to be offline while signing online. Well, pulling dependencies from pip is like a normal Python project. The zip advantage would just be a smaller code base. The app-like idea is to just run a file, not worrying about dependencies.

> The env idea is to be retained, the thread was
> asking where would the cache directory be located.
>
> Why is that a problem? Most platforms have a standard location for putting
> cache directories. Those that don’t, you just have to use something hardcoded.

Just a question. Not saying it's a problem.

> More importantly, how does your solution make anything easier? Bundling the
> cache back up into another zipfile and then trying to figure out where that
> zipfile is

Was proposing the generated zipfile is in the same folder as the original zipfile.

Another idea is to have a cross-platform code-base only zip. In the info file we can have the target OS. We need to specify this only in the case of C-based libs. It will then generate the required zips bundled with libs for that OS.

main zip -> zip for win, zip for mac, zip for linux

> Or maybe it’s fine to not solve it. Mac-specific apps often have to be
> updated when a new macOS comes out, so if platform-agnostic apps also often
> have to be updated when a new anything comes out, maybe that’s no big deal?

It's on the software author to ship a new release.

>> But there’s a bigger problem than just distribution. Some extension modules
>> are only extension modules for speed, like numpy. But many are there to
>> interface with C libraries. If my app depends on PortAudio, distributing the
>> extension module as wheels is easy, but it doesn’t do any good unless you
>> have the C library installed and configured on your system.
>
> Oh that's a user problem,
>
> OK, but it seems like if you’re not solving it, you don’t really have
> portable apps. An app that can run out of the box on every machine except
> most Windows systems, or an audio app that runs on every machine but usually
> only plays audio on Linux, etc., doesn’t seem very portable.
>
> Conda, py2exe, py2app, platforms’ package managers, etc. all do solve this
> problem. Of course most of them don’t do so in a platform-agnostic way, which
> makes it a lot easier… But still, why would I want to download the zipapp
> instead of brew install or downloading a Mac-specific py2app app or something
> else that will definitely work instead of only maybe working and otherwise
> punting on it as a user problem that I have to figure out how to solve
> myself? The fact that I can copy that same zipapp to a Windows box and then
> figure out how to solve the same user problem on a different platform doesn’t
> seem like a huge win.

What I'm saying is that while it's true that, for example, a lib is for interfacing with a C library, it's beyond Python to make sure that the C library is actually present on your machine. This is a zipapp enhancement, which is a bundled format.

Native execs, on the other hand, include lots of OS-specific stuff that has no relation whatsoever with Python.

At this point I need to:

- See conda
- Come up with a viable online signing scheme. According to me, machine-based signing is just not worth it.
- As Mr. Barry Scott suggested, cover the pros and cons of existing zipapp-based solutions
- As Mr. Christopher suggested, I need to come up with demos.

I'll code the demos:

.. Of a wheels-included zip
.. Of a zip that generates OS-specific zips
.. Of Mr. Andrew's PyPI-based zips

_______________________________________________
Python-ideas mailing list -- python-ideas@python.org
To unsubscribe send an email to python-ideas-le...@python.org
https://mail.python.org/mailman3/lists/python-ideas.python.org/
Message archived at https://mail.python.org/archives/list/python-ideas@python.org/message/VXXGCJTGHEWOLFTL4DQWIUFZQDCOANY7/
Code of Conduct: http://python.org/psf/codeofconduct/