Yours,

Abdur-Rahmaan Janhangeer
pythonmembers.club | github
Mauritius

On Thu, Jan 9, 2020 at 9:10 AM Andrew Barnert <abarn...@yahoo.com> wrote:
>
> On Jan 8, 2020, at 12:04, Abdur-Rahmaan Janhangeer <arj.pyt...@gmail.com> 
> wrote:
>
> OK, but I don’t see how any scheme that looks like any of the usual ones 
> could be adapted to work.
>
> The whole point of code signing is that I know that you signed the app with a 
> key that nobody else has access to, and nobody has changed the app since then 
> (plus additional stuff, but this is the relevant part). If that new zip B is 
> built on the fly on my machine by normal user software, it can only be signed 
> with a key that’s available to normal user software on my machine. Which 
> includes malicious software that wants to modify and re-sign the zip. (I’m 
> assuming you can’t rely on being online at this point.)

Being online for checking is normally how you do it. Machine-based have the
problems you stated.

Now you'd be asking why dependencies have to be offline while signing
online. Well pulling dependencies from pip is like a normal python project.
The zip advantage would just be a smaller code base. The app-like idea
is to just run a file, not worrying about dependencies.


> The env idea is to be retained, the thread was
> asking where would the cache directory be located.
>
>
> Why is that a problem? Most platforms have a standard location for putting 
> cache directories. Those that don’t, you just have to use something hardcoded.
>

Just a question. Not saying it's a problem.

> More importantly, how does your solution make anything easier? Bundling the 
> cache back up into another zipfile and then trying to figure out where that 
> zipfile is

Was proposing the generated zipfile is in the same folder as the
original zipfile

Another idea is to have a cross-platform code-base only zip.
In the info file we can have target os. We need to specify
this only in the case of c-based libs. It will then generate
the required zips bundled with libs for that os.

main zip -> zip for win, zip for mac, zip for linux

> Or maybe it’s fine to not solve it. Mac-specific apps often have to be 
> updated when a new macOS comes out, so if platform-agnostic apps also often 
> have to be updated when a new anything comes out, maybe that’s no big deal?

It's on the software author to ship a new release.

>
>> But there’s a bigger problem than just distribution. Some extension modules 
>> are only extension modules for speed, like numpy. But many are there to 
>> interface with C libraries. If my app depends on PortAudio, distributing the 
>> extension module as wheels is easy, but it doesn’t do any good unless you 
>> have the C library installed and configured on your system.
>
>
> Oh that's a user problem,
>
>
> OK, but it seems like if you’re not solving it, you don’t really have 
> portable apps. An app that can run out of the box on every machine except 
> most Windows systems, or an audio app that runs on every machine but usually 
> only plays audio on Linux, etc., doesn’t seem very portable.
>
> Conda, py2exe, py2app, platforms’ package managers, etc. all do solve this 
> problem. Of course most of them don’t do so in a platform-agnostic way, which 
> makes it a lot easier… But still, why would I want to download the zipapp 
> instead of brew install or downloading a Mac-specific py2app app or something 
> else that will definitely work instead of only maybe working and otherwise 
> punting on it as a user problem that I have to figure out how to solve 
> myself? The fact that I can copy that same zipapp to a Windows box and then 
> figure out how to solve the same user problem on a different platform doesn’t 
> seem like a huge win.

What I'm saying is that while it's true that, for
example, a lib is for interfacing with a C library,
it's beyond Python to make sure that the
C library is actually present on your machine.
This is a zipapp enhancement, which is a bundled
format. Native execs, on the other hand, include
lots of OS-specific stuff that has no relation
whatsoever with Python.


At this point I need to

- See conda
- Come up with a viable online signing scheme.
    According to me machine-based signing is just
    not worth it.
- As Mr. Barry Scott suggested, cover the pros and
    cons of existing zipapp based solutions
- As Mr. Christopher suggested, I need to come up
    with demos. I'll code the demos
    .. Of a wheels included zip
    .. Of a zip that generates OS-specific zips
    .. Of Mr. Andrew's pypi-based zips
_______________________________________________
Python-ideas mailing list -- python-ideas@python.org
To unsubscribe send an email to python-ideas-le...@python.org
https://mail.python.org/mailman3/lists/python-ideas.python.org/
Message archived at 
https://mail.python.org/archives/list/python-ideas@python.org/message/VXXGCJTGHEWOLFTL4DQWIUFZQDCOANY7/
Code of Conduct: http://python.org/psf/codeofconduct/
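
The point quoted above about a zip B rebuilt on the user's machine, as an added example that is not part of the original thread or of any project's code. An HMAC under a key readable by normal user software stands in for "signing on my machine"; `LOCAL_KEY`, the file names and the pinned publisher digest are constructed assumptions.

```python
import hashlib
import hmac
import io
import zipfile

# Assumption: stands in for any signing key stored where normal user
# software on the machine can read it (constructed value).
LOCAL_KEY = b"constructed-machine-local-key"

def build_zip(files):
    """Build a zip archive in memory from a {name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in sorted(files.items()):
            # Fixed timestamp so identical inputs give identical bytes.
            zf.writestr(zipfile.ZipInfo(name, (2020, 1, 9, 0, 0, 0)), data)
    return buf.getvalue()

def local_tag(archive, key=LOCAL_KEY):
    """'Sign' a locally rebuilt zip with the machine-local key."""
    return hmac.new(key, archive, hashlib.sha256).hexdigest()

def local_verify(archive, tag, key=LOCAL_KEY):
    return hmac.compare_digest(local_tag(archive, key), tag)

def matches_publisher(archive, pinned_digest):
    """Compare against a digest the publisher released for zip A."""
    return hmac.compare_digest(hashlib.sha256(archive).hexdigest(), pinned_digest)

def demo():
    main = {"__main__.py": b"import lib\nlib.run()\n"}
    zip_a = build_zip(main)                      # what the publisher shipped
    pinned = hashlib.sha256(zip_a).hexdigest()   # publisher's digest of A
    # Zip B: rebuilt on this machine with the fetched dependency bundled in.
    zip_b = build_zip({**main, "lib.py": b"def run(): print('ok')\n"})
    tag_b = local_tag(zip_b)
    # Any other process that can read LOCAL_KEY can rewrite B and re-tag it.
    zip_b2 = build_zip({**main, "lib.py": b"def run(): print('changed')\n"})
    return {
        "a_matches_publisher": matches_publisher(zip_a, pinned),
        "b_matches_publisher": matches_publisher(zip_b, pinned),
        "b_local_ok": local_verify(zip_b, tag_b),
        "modified_with_old_tag": local_verify(zip_b2, tag_b),
        "modified_retagged_ok": local_verify(zip_b2, local_tag(zip_b2)),
    }

if __name__ == "__main__":
    print(demo())
```

The publisher's digest only ever covers zip A; the rebuilt zip and the modified, re-tagged zip both pass the local check, so the local tag cannot tell them apart.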
