[Pkg-puppet-devel] [SCM] Packaging of Facter for debian branch, master, updated. debian/1.5.6-1-3-gf695058

Nigel Kersten nigel at explanatorygap.net
Tue Jul 7 15:56:09 UTC 2009


On Tue, Jul 7, 2009 at 8:37 AM, Micah Anderson<micah at riseup.net> wrote:
> * Nigel Kersten <nigel at explanatorygap.net> [2009-07-07 10:20-0400]:
>
>> >> I also have a few issues with using #!/usr/bin/env in general, be it Ruby or
>> >> Python. We really want to avoid situations where the user having root on
>> >> their desktop manages to break Puppet before it has a chance to rectify
>> >> things.
>> >
>> > I don't really follow this logic because a user having root can break
>> > all kinds of stuff that you can't possibly protect against in the
>> > package, and just arbitrarily protecting against this one thing seems
>> > odd.
>>
>> For me it's not so much protecting against things as it is taking
>> advantage of a package management system.
>>
>> If you install facter or puppet, you're going to also pull in all the
>> dependencies. Ruby, relevant gems, etc etc.
>
> You do not pull in relevant gems via the package system. Perhaps you
> mean to say relevant ruby libraries?

yep. :)

>
>> If you use an env shebang, you're no longer sure whether the ruby
>> runtime you're invoking actually provides all the required
>> dependencies.
>
> Depends on who you are talking about, and I believe it's trivial to test
> which ruby runtime you are actually invoking if it is an issue...
>
>> "If a maintainer would like to provide the user with the possibility
>> to override the Debian Python interpreter, he may want to use
>> /usr/bin/env python or /usr/bin/env pythonX.Y. However this is not
>> advisable as it bypasses Debian's dependency checking and makes the
>> package vulnerable to incomplete local installations of python. "
>
> I think the inadvisable thing they are referring to here is *not* the
> use of '/usr/bin/env python', but rather the use of '/usr/bin/env
> pythonX.Y'. I believe this is worded somewhat ambiguously so it could be
> taken that way, but I think that only the latter bypasses Debian's
> dependency checking, not the former. Unless I am wrong?

Well, let's look at it in practice.

If you have a shebang of /usr/bin/env {python,ruby}, are you not still
vulnerable to incomplete local installations of {python,ruby}? That's
the sense in which I'm reading it.

>> I don't think it's advisable, and if it comes down to a vote amongst
>> us, my vote is in favor of an explicit, non-env shebang.
>
> Like I said before, if y'all want that, I'm not going to stop you from
> doing it. I am not particularly convinced of the merit of the arguments,
> but don't find that the counter-arguments are worth the resistance.

I'd like to convince you :)

>
> micah
>
>
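
An added example, not part of the original message or of the Facter packaging: a POSIX shell check of which interpreter a script's shebang selects under the current PATH, compared with the interpreter the package depends on. The function names and the packaged path /usr/bin/ruby are assumptions; the demo files are constructed.

```shell
# find_in_path NAME: first executable NAME on $PATH, the lookup env(1) performs.
find_in_path() (
    IFS=:; set -f
    for dir in $PATH; do
        [ -n "$dir" ] || dir=.        # an empty PATH entry means the current directory
        if [ -f "$dir/$1" ] && [ -x "$dir/$1" ]; then
            printf '%s\n' "$dir/$1"; exit 0
        fi
    done
    exit 1
)

# shebang_target FILE: print the interpreter FILE's shebang would run right now.
# Exit 0 = fixed absolute path, 1 = chosen by env via $PATH, 2 = no usable shebang.
shebang_target() (
    IFS= read -r line < "$1" || [ -n "$line" ] || exit 2
    case $line in '#!'*) ;; *) exit 2 ;; esac
    set -f; set -- ${line#??}         # split "#!interp arg" into words
    case $1 in
        /usr/bin/env|/bin/env)
            case $2 in ''|-*) exit 2 ;; esac   # env options are not handled here
            find_in_path "$2" || printf 'unresolved:%s\n' "$2"
            exit 1 ;;
        /*) printf '%s\n' "$1"; exit 0 ;;
        *)  exit 2 ;;
    esac
)

# audit_shebang FILE PACKAGED: compare with the interpreter the package depends on.
# PACKAGED (e.g. /usr/bin/ruby) is an assumption supplied by the caller.
audit_shebang() (
    target=$(shebang_target "$1") && kind=0 || kind=$?
    [ "$kind" -ne 2 ] || { echo "no-shebang"; exit 2; }
    if [ "$target" = "$2" ]; then
        [ "$kind" -eq 0 ] && echo "pinned $target" || echo "env-currently-packaged $target"
        exit 0
    fi
    echo "mismatch $target"; exit 1
)

# Constructed demo: a stray executable named "ruby" ahead of /usr/bin on PATH.
demo=$(mktemp -d)
printf '#!/bin/sh\n' > "$demo/ruby"; chmod +x "$demo/ruby"
printf '#!/usr/bin/env ruby\n' > "$demo/with-env"
printf '#!/usr/bin/ruby\n' > "$demo/pinned"
for f in with-env pinned; do
    (PATH="$demo:$PATH"; audit_shebang "$demo/$f" /usr/bin/ruby) || true
done
rm -rf "$demo"
```

The env-style script reports a mismatch as soon as another "ruby" precedes the packaged one on PATH, while the pinned script's result does not depend on PATH.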


