-
Notifications
You must be signed in to change notification settings - Fork 144
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
support versioned symbols with more underscores #73
Conversation
@@ -14,3 +16,5 @@ def test_policy_checks_glibc(): | |||
assert policy > POLICY_PRIORITY_LOWEST | |||
policy = versioned_symbols_policy({"some_library.so": {"GLIBC_999"}}) | |||
assert policy == POLICY_PRIORITY_LOWEST | |||
policy = versioned_symbols_policy({"some_library.so": {"OPENSSL_1_1_0"}}) | |||
assert policy == POLICY_PRIORITY_HIGHEST |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Since `OPENSSL_1_1_01 isn't in the whitelist, I might have expect this to give POLICY_PRIORITY_LOWEST, but perhaps there's something I'm not thinking of.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah I don't understand the policy priorities so I have no idea if this assertion is correct!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@rmcgibbo: So the policy whitelist only applies to GCC*/CXX* symbol versions (see auditwheel/policy/policy.json
for the full list). Any other symbol version will automatically satisfy the highest policy. If that wasn't the case, then no external dependency symbols (e.g. OPENSSL_1_1_0
, KERBEROS_5_MIT
) would satisfy the manylinux1 requirements.
Does auditwheel with this patch repair your openssl-linked wheel properly? |
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks good to me! Thanks for the fix; I didn't review the fix in #54 earlier, so I missed that it broke this type of symbol version check.
I am requesting one additional test, if that's alright.
@@ -24,7 +24,7 @@ def policy_is_satisfied(policy_name: str, | |||
required_vers = {} # type: Dict[str, Set[str]] | |||
for symbols in versioned_symbols.values(): | |||
for symbol in symbols: | |||
sym_name, _ = symbol.split("_", 2) | |||
sym_name, _ = symbol.split("_", 1) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yay fixing off by 1 error.
@@ -14,3 +16,5 @@ def test_policy_checks_glibc(): | |||
assert policy > POLICY_PRIORITY_LOWEST | |||
policy = versioned_symbols_policy({"some_library.so": {"GLIBC_999"}}) | |||
assert policy == POLICY_PRIORITY_LOWEST | |||
policy = versioned_symbols_policy({"some_library.so": {"OPENSSL_1_1_0"}}) | |||
assert policy == POLICY_PRIORITY_HIGHEST |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@rmcgibbo: So the policy whitelist only applies to GCC*/CXX* symbol versions (see auditwheel/policy/policy.json
for the full list). Any other symbol version will automatically satisfy the highest policy. If that wasn't the case, then no external dependency symbols (e.g. OPENSSL_1_1_0
, KERBEROS_5_MIT
) would satisfy the manylinux1 requirements.
@@ -14,3 +16,5 @@ def test_policy_checks_glibc(): | |||
assert policy > POLICY_PRIORITY_LOWEST | |||
policy = versioned_symbols_policy({"some_library.so": {"GLIBC_999"}}) | |||
assert policy == POLICY_PRIORITY_LOWEST | |||
policy = versioned_symbols_policy({"some_library.so": {"OPENSSL_1_1_0"}}) | |||
assert policy == POLICY_PRIORITY_HIGHEST |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Would you mind adding one more test asserting SYMBOLWITHOUTUNDERSCORES
satisfies POLICY_PRIORITY_HIGHEST
or something similar?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This will in fact fail since the assignment assumes 2 values. Is it possible for a symbol to be entirely unversioned? I guess the answer to that is likely to be yes?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, symbols can be unversioned. The symbol version spec is very handwavey. We should probably change the way we're handling that split such that we only get the first value it returns (rather than trying to do a tuple unpack).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We can use partition
here to do this. I'll swap it.
@rmcgibbo Do you mind cutting a release for this? I would if I had access :) |
@ehashman - I guess you mean pypi access? Sounds like a good idea to me. Thanks for all the work so far. |
Yeah, tagging and uploading a release to PyPI. I don't know what the process is so I figured I'd ask. |
@ehashman: what's you username on pypi.org? |
I am also ehashman there. |
The release procedure I've used so far is pretty simple.
|
@ehashman: great. you should be listed as an auditwheel maintainer on pypi.org now. |
Released. |
Excellent - thanks. |
And I just submitted the PR to rev the manylinux docker images: pypa/manylinux#116 @ehashman: just so you know what's going on here – the manylinux docker images are always install the latest auditwheel from PyPI when they're re-built, but they only get re-built when a commit lands in the pypa/manylinux master branch (which happens via a magic travis job that pushes the new images to quay.io). Generally we follow the one-person-submits-PR, different-person-hits-merge model. As a member of the "manylinux team" you should have write access to the manylinux repo, so you could hit merge, or in the future if you do another auditwheel release it might make sense to submit a PR like this as part of the release checklist. It suddenly occurs to me that we might be able to trick requires.io into submitting these PRs for us, even though it doesn't really fit their normal model... |
@njsmith Travis has a beta feature where you can set up scheduled builds now too, so it might make sense just to have it rebuild and push to quay every day? If nothing has changed then all the layers will be identical and it will essentially be a noop. |
@reaperhulk: Interesting point. I suppose a 0-24 hour delay in getting new auditwheels into the docker image wouldn't be a big deal... in theory it's nice to be quick, but it's not like we've been reliably quick with the current system either! Nightly builds would also start failing immediately as soon as one of our dependencies breaks (e.g. openssl releases a new version and moves the old one, or when centos5 went EOL and they moved the repo). I'm not 100% sure whether this is an advantage or disadvantage :-). I suppose this wouldn't hurt anything, just might mean annoying email for whoever is configured to get those. Maybe we wouldn't even notice at all :-). |
Fixes #72. I'm unsure if this test is useful so let me know if I should be doing something different.