On Sun, Feb 16, 2014 at 8:27 AM, Taras <ox...@oxdef.info> wrote:
> Andres,
>
>
>> Not 100% a workaround, this is also a best practice!
>>
>> https://devcenter.heroku.com/articles/python-pip#the-basics
>
>
> Could you please show at least one example of well-known software with such
> requirements?

I went through this list of the Top10 Python projects by github (not
sure how they choose that) and found many that either had no
dependencies or were not in a format in which we could compare them
with what we were talking about. Then found the following:

 * Strict dependencies used for this part of the project:
https://github.com/torchbox/wagtail/blob/master/requirements-dev.txt
 * Gt used for the user installable part:
https://github.com/torchbox/wagtail/blob/master/setup.py

 * These guys install whatever is available on pypi:
https://github.com/jmcarp/robobrowser/blob/master/requirements.txt

 * Flask installs Gt: https://github.com/mitsuhiko/flask/blob/master/setup.py

 * A mix between Gt and "whatever" is used here:
https://github.com/Eugeny/ajenti/blob/dev/requirements.txt

 * Scrapy uses a mix of GT and "whatever":
https://github.com/scrapy/scrapy/blob/master/requirements.txt

 * Django-tastypie uses the most complex of them all, which is rather
interesting and makes me wonder why they didn't use "==" instead:
https://github.com/toastdriven/django-tastypie/blob/master/setup.py
This is what I mean: 'dateutil(>=1.5, !=2.0)'

The first one is an example of "==", the rest were just to show that
not everyone agrees with me on what should be put in the
requirements.txt file (or the setup.py, which acts the same many
times).

Here are some other links where it says that "==" is a best practice:
 * https://lincolnloop.com/django-best-practices/deployment/bootstrap.html
(Ctrl+f "Pin your dependencies")
 * http://docs.dotcloud.com/tutorials/python/django/#specifying-requirements
(Ctrl+f "When you specify your requirements")

And most importantly, the pip-installer user's guide:
 * http://www.pip-installer.org/en/latest/user_guide.html#ensuring-repeatability

"The requirements file was generated by pip freeze or you're sure it
only contains requirements that specify a specific version."

When we're talking about including a specific version in
requirements.txt file or not, we're talking about repeatability. I
want to be strict about repeatability, forcing all libraries to be
exactly the ones I know will work because I've tested them in the CI;
and your point is that it would be easier for users to install with
less strict version requirements (which could lead to issues in some
cases).

Sadly, you believe in one thing and I can't seem to convince you of
the benefits of ==, and the same applies the other way (I can't be
convinced of the benefits of >=). Unless I hear a definitive reason on
why == is bad, I won't change it.

> By the way in w3af dev list I see fresh discussion about
> similar problems in Mageia Linux distro
> http://sourceforge.net/mailarchive/message.php?msg_id=31315478

I think that email thread was correctly answered?

>
>>> 1. Bring back dependency check with >= condition
>>
>>
>> Disagree with this, it will bring issues in the future, and it is not a
>> best practice.
>>
>>> 2. We should separate core and plugin requirements
>>> 3. We should make it possible to run w3af without installing all plugin
>>> dependencies. It can be done with a special argument to w3af_console
>>> called "-l" or "--lazy". This parameter will force w3af not to check
>>> plugin dependencies (or even switch off the dependency checker entirely!).
>>
>>
>> You can disable checks for the dependencies which are used in plugins,
>> not for the ones in the core or stuff will break in the middle of the
>> scan.
>
> If the default behavior will not be changed, why are you still against
> disabling it entirely with a special parameter? This parameter will be used only
> by package maintainers who specify these dependencies in the package and by
> geeks who don't want to install stuff they don't really need.

Let me see if I understand, because now I think I've read it
differently. Let's be specific so I don't imagine things:
 * You will add a --lazy flag to w3af_console and w3af_gui
 * You will pass the value of --lazy to the dependency_check [0] function
 * If --lazy is False (the default) things will continue as they are now
 * If --lazy is True (only if the user specifies that flag) then
instead of using strict version checking here [1] you will use ">="
 * If --lazy is True you'll use >= here [2]
 * You'll change the console and gtk-UI in such a way that when
enabling a plugin that requires a dependency that is not installed, it
will tell the user what is required
 * You'll make sure that it is possible to run w3af with different
versions of plugin dependencies
 * You'll check that it is possible to run w3af even when some plugin
dependencies are not installed
 * This has automated testing so that in the future I'm sure things
will continue to work as expected

If that's it, I'm +1 on it!

Sorry for not completely understanding your points in the previous email.

PS: Still can't believe you'll work on this; I believe it is useless
for 95% of the user base. Of course, if you believe it will be useful
for you, and it is well coded / tested and doesn't disturb the
defaults, I'll merge!

[0] https://github.com/andresriancho/w3af/blob/feature/module/w3af/core/controllers/dependency_check/dependency_check.py
[1] https://github.com/andresriancho/w3af/blob/feature/module/w3af/core/controllers/dependency_check/dependency_check.py#L68
[2] https://github.com/andresriancho/w3af/blob/feature/module/w3af/core/controllers/dependency_check/helper_script.py

> --
> Taras
> https://www.oxdef.info



-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
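The following is an added example, not code from the mail or from w3af's own dependency_check module (which is linked as [0] above). It models the --lazy behaviour the message spells out: "==" pins are enforced by default, relaxed to ">=" when lazy is set, and plugin requirements stop blocking start-up in lazy mode so the UI can instead warn when a plugin that needs them is enabled. The core/plugin split, the requirement lines, the installed versions and the plugin names are constructed assumptions for illustration; the parser also accepts the combined "dateutil>=1.5, !=2.0" style of specifier mentioned above.

```python
"""Hypothetical --lazy dependency check written for this thread.

NOT w3af's dependency_check module; it only models the behaviour the
mail proposes.  Sample data and the core/plugin split are assumptions.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample data, not w3af's real requirement lists.
CORE_REQUIREMENTS = ["lxml==3.2.1", "pyyaml>=3.10"]
PLUGIN_REQUIREMENTS = {
    "crawl_plugin": ["requests==2.2.1"],
    "grep_plugin": ["dateutil>=1.5, !=2.0"],  # tastypie-style combined spec
}
INSTALLED = {"lxml": "3.3.0", "pyyaml": "3.11", "dateutil": "2.0"}

Version = Tuple[int, ...]
Clause = Tuple[str, Version]

_NAME_RE = re.compile(r"\s*([A-Za-z0-9_.\-]+)\s*(.*)$")
_CLAUSE_RE = re.compile(r"(==|!=|>=|<=|>|<)\s*([0-9][0-9.]*)")


def parse_version(text: str) -> Version:
    """Numeric dotted versions only; pre-release tags are out of scope here."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_requirement(line: str) -> Tuple[str, List[Clause]]:
    """'dateutil>=1.5, !=2.0' -> ('dateutil', [('>=', (1, 5)), ('!=', (2, 0))])."""
    match = _NAME_RE.match(line)
    if not match:
        raise ValueError("malformed requirement: %r" % line)
    name, rest = match.group(1), match.group(2)
    return name, [(op, parse_version(ver)) for op, ver in _CLAUSE_RE.findall(rest)]


_COMPARE = {
    "==": lambda have, want: have == want,
    "!=": lambda have, want: have != want,
    ">=": lambda have, want: have >= want,
    "<=": lambda have, want: have <= want,
    ">": lambda have, want: have > want,
    "<": lambda have, want: have < want,
}


def effective_op(op: str, lazy: bool) -> str:
    """Lazy mode relaxes an exact pin to a lower bound; other operators stay."""
    return ">=" if (lazy and op == "==") else op


def check_requirements(requirements: List[str], installed: Dict[str, str],
                       lazy: bool = False) -> List[Tuple[str, str]]:
    """Return (package, problem) pairs; an empty list means all are satisfied."""
    problems = []
    for line in requirements:
        name, clauses = parse_requirement(line)
        if name not in installed:
            problems.append((name, "not installed"))
            continue
        have = parse_version(installed[name])
        for op, want in clauses:
            op = effective_op(op, lazy)
            if not _COMPARE[op](have, want):
                problems.append((name, "installed %s, need %s%s"
                                 % (installed[name], op, ".".join(map(str, want)))))
    return problems


def dependency_check(core, plugins, installed, lazy=False):
    """Core problems always block start-up (a missing core library would break
    a running scan); plugin problems block only in strict mode and are
    otherwise returned so the UI can warn when that plugin is enabled."""
    core_problems = check_requirements(core, installed, lazy)
    plugin_problems = {}
    for plugin, reqs in plugins.items():
        found = check_requirements(reqs, installed, lazy)
        if found:
            plugin_problems[plugin] = found
    can_start = not core_problems and (lazy or not plugin_problems)
    return can_start, core_problems, plugin_problems


if __name__ == "__main__":
    for lazy in (False, True):
        ok, core, plugins = dependency_check(
            CORE_REQUIREMENTS, PLUGIN_REQUIREMENTS, INSTALLED, lazy)
        print("lazy=%s can_start=%s core=%s plugins=%s" % (lazy, ok, core, plugins))
```

With the sample data, strict mode refuses to start because lxml 3.3.0 does not match the "==3.2.1" pin; lazy mode accepts it as ">=3.2.1" and starts, while still reporting that requests is missing and that dateutil 2.0 is excluded by "!=2.0", since only "==" is relaxed.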

_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop