On Thu, Feb 6, 2014 at 12:46 PM, Taras <ox...@oxdef.info> wrote:
> Andres?
>
> What I'm suggesting is to bring back requirements for **minimal** version of
> 3rd party lib

Not sure if I'm understanding your point.

* The pdfminer issue occurred because we had this requirement:
pdfminer (no version requirement)
* If we specify something like: pdfminer>=3, then we're fine until
they release version 4 which breaks their API and w3af breaks
* If we specify the version: pdfminer==3, then we're fine for ever.

PLEASE correct me if I'm doing something wrong!

> On 1 February 2014 14:36:05, Taras wrote:
>> Andres,
>>
>> When I talked about packaging problem I meant problems with supported
>> versions of e.g. python libs for current popular distros. Consider we have
>> e.g. some Debian/Ubuntu distro and want to package/install w3af from
>> official repo. w3af from feature/package branch requires lxml version
>> exactly 2.3.2, but supported and packaged version of lxml for Ubuntu 13.10
>> is 3.2.0!
>>
>> $ apt-cache show python-lxml
>> Package: python-lxml
>> Priority: optional
>> Section: python
>> Installed-Size: 2390
>> Maintainer: Ubuntu Developers <ubuntu-devel-disc...@lists.ubuntu.com>
>> Original-Maintainer: Matthias Klose <d...@debian.org>
>> Architecture: amd64
>> Source: lxml
>> Version: 3.2.0-1
>>
>> Because of that you can't simply make and provide w3af through official
>> repo. No package maintainer will support several packaged minor
>> versions of a single lib. And for the end user there is only one way to
>> install and use w3af. It is virtualenv + git clone :(
>>
>> > > 1. It makes impossible to package&install w3af, e.g. into deb package,
>> > > doesn't it?
>> >
>> > That's a good question, I'm not a packaging expert but I suppose there
>> > is a solution? Also I suppose that this was an issue in the past,
>> > without the specific version requirement? Let's follow this timeline:
>> >
>> >     * (assume) w3af is packaged in debian. Requires extra package
>> >       python-pdfminer-v1. No check for specific version of any pip package.
>> >     * foo is another debian package. Requires extra package
>> >       python-pdfminer-v2
>> >     * User installs w3af: apt-get install w3af
>> >     * Run w3af, it works
>> >     * User installs foo: apt-get install foo
>> >         - Command will warn that it will break the w3af install? (not
>> >           sure, not a packaging expert)
>> >         - Command will succeed and replace python-pdfminer-v1 with
>> >           python-pdfminer-v2
>> >     * Run foo, it works
>> >     * Run w3af, it fails because now python-pdfminer-v2, which changes
>> >       the API is installed
>> >
>> > > 2. If w3af requires 3rd party A version 1 and another application on the
>> > > system also requires 3rd party A but version 1.1, how it will be solved
>> > > by
>> > > the user?
>> >
>> > First, let's understand that this was an issue in the past too, right?
>> >
>> > You can always use virtualenv:
>> >     $ virtualenv w3af-venv
>> >     $ . w3af-venv/bin/activate
>> >     (w3af-venv)$ cd w3af-repo
>> >     (w3af-venv)/w3af-repo$ ./w3af_console
>> >     (w3af-venv)/w3af-repo$ pip install ...
>> >
>> > All the packages are installed inside the w3af-venv directory, and
>> > while your prompt says "w3af-venv" you're using that specific python
>> >
>> > Regards,
>> >
>> > > On 29 January 2014 19:03:23, Andres Riancho wrote:
>> > >> Taras,
>> > >>
>> > >>     Added that because it is the best thing to do. Search the mailing
>> > >> list for the issue we had with pdfminer, what happened there was:
>> > >>
>> > >>         * w3af had a requirement for pdfminer, any version
>> > >>         * w3af worked without issues with version 1 of that library
>> > >>         * The pdfminer developers released version 2 of that library
>> > >>         * People trying to install w3af, and because the requirement
>> > >>           didn't have any specific version installed pdfminer like
>> > >>           "pip install pdfminer"
>> > >>         * w3af stopped working because pdfminer changed its API, and
>> > >>           one of the functions we were calling wasn't there anymore
>> > >>         * Fix: Add specific version matching for pip packages
>> > >>
>> > >> On Wed, Jan 29, 2014 at 5:46 PM, Taras <ox...@oxdef.info> wrote:
>> > >> > I was wrong...I have working **master** branch :(
>> > >> >
>> > >> > Andres, why did you add requirement for **exact** match of versions
>> > >> > in 'feature/module' branch?
>> > >> >
>> > >> > $ grep -B5 'version matches' w3af/core/controllers/dependency_check/dependency_check.py
>> > >> >
>> > >> >     for w3af_req in pip_packages:
>> > >> >         if USE_PIP_MODULE:
>> > >> >             dependency_specs = w3af_req.package_name, w3af_req.package_version
>> > >> >
>> > >> >             for dist in pip_distributions:
>> > >> >                 if (dist.project_name, dist.version) == dependency_specs:
>> > >> >                     # It's installed and the version matches!
>> > >> >
>> > >> >   ...
>> > >> >
>> > >> > On 26 January 2014 14:39:14, Taras wrote:
>> > >> >> Israel, I have working "feature/module" version of w3af on 13.10
>> > >> >> What problems do you have?
>> > >> >>
>> > >> >> On 22 January 2014 21:53:48, Andres Riancho wrote:
>> > >> >> > Israel,
>> > >> >> >
>> > >> >> >     Haven't tried with that specific version, but what's wrong with:
>> > >> >> > git clone g...@github.com:andresriancho/w3af.git
>> > >> >> > cd w3af
>> > >> >> > git checkout feature/module
>> > >> >> > ./w3af_console
>> > >> >> >
>> > >> >> > On Wed, Jan 22, 2014 at 6:00 PM, Israel Duvdavan
>> > >> >> >
>> > >> >> > <israelzero...@gmail.com> wrote:
>> > >> >> > > Hi, does anyone have a working way to install W3af on 13.10?
>> > >> >> > > --
>> > >> >> > > Israel
>> > >> >> > >
>> > >> >> > > W3af-develop mailing list
>> > >> >> > > W3af-develop@lists.sourceforge.net
>> > >> >> > > https://lists.sourceforge.net/lists/listinfo/w3af-develop
>> > >> >
>> > >> > --
>> > >> > Taras
>> > >> > https://www.oxdef.info
>> > >
>> > > --
>> > > Taras
>> > > https://www.oxdef.info
>
> --
> Taras
> https://www.oxdef.info



-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
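
The three requirement styles compared in this message (no version, `>=`, `==`), evaluated against the versions quoted in the thread, as an added example that is not part of the original e-mail or of w3af's code. The bounded range `>=3,<4` goes beyond what the thread discusses, `satisfies` and `accepted` are hypothetical helper names, and only dotted numeric versions are handled.

```python
import re

# Added example: a simplified requirement checker, not w3af's
# dependency_check.py. Version numbers used with it come from the thread.
_CLAUSE = re.compile(r"(==|>=|<=|<|>)\s*([0-9]+(?:\.[0-9]+)*)")
_OPS = {
    "==": lambda a, b: a == b,
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    "<": lambda a, b: a < b,
    ">": lambda a, b: a > b,
}


def parse_version(text):
    """Turn '3.2.0' into (3, 2, 0); only dotted numeric versions are handled."""
    return tuple(int(part) for part in text.split("."))


def _pad(a, b):
    """Right-pad with zeros so that '3' and '3.0.0' compare equal."""
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)), b + (0,) * (width - len(b))


def satisfies(requirement, installed):
    """Return True if `installed` meets every clause of `requirement`.

    `requirement` looks like 'pdfminer', 'pdfminer>=3' or 'pdfminer>=3,<4'.
    """
    first_op = re.search(r"[=<>]", requirement)
    spec = requirement[first_op.start():] if first_op else ""
    have = parse_version(installed)
    for clause in filter(None, (c.strip() for c in spec.split(","))):
        match = _CLAUSE.fullmatch(clause)
        if match is None:
            raise ValueError("unsupported clause: %r" % clause)
        left, right = _pad(have, parse_version(match.group(2)))
        if not _OPS[match.group(1)](left, right):
            return False
    return True


def accepted(requirement, candidates):
    """List which candidate versions a requirement lets an installer pick."""
    return [v for v in candidates if satisfies(requirement, v)]
```

`accepted("pdfminer>=3", ["3", "4"])` still admits the API-breaking release, while `satisfies("lxml==2.3.2", "3.2.0")` rejects the version the distribution ships.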
