[...]
I thought I could address this issue by replacing the vendored copies
of the library modules by symlinks to /usr/lib/python3.X/, but now
I've hit another snag: some of these modules import other modules.
For example:
pydev_imps/_pydev_SimpleXMLRPCServer.py
is a very old version of /usr/lib/python3.X/xmlrpc/server.py. It
contains within it the following lines:
from _pydev_imps import _pydev_xmlrpclib as xmlrpclib
from _pydev_imps._pydev_xmlrpclib import Fault
from _pydev_imps import _pydev_SocketServer as SocketServer
from _pydev_imps import _pydev_BaseHTTPServer as BaseHTTPServer
[...]
Perhaps another possibility is to have symlinks in the _pydev_imps
directory to the standard library versions and then temporarily modify sys.path to look in _pydev_imps before looking in standard locations.
I don't know whether this will work, though.
I realise now that this "nice" solution won't work, as the standard
library code says:
import socketserver
so modifying sys.path will just change the value of sys.modules["socketserver"]. However, the vendored code instead loads
this module to sys.modules["_pydev_imps._pydev_SocketServer"] or
something like that, deliberately avoiding interfering with sys.modules["socketserver"].
I realise now that this "nice" solution won't work, as the standard
library code says:
import socketserver
so modifying sys.path will just change the value of sys.modules["socketserver"]. However, the vendored code instead loads
this module to sys.modules["_pydev_imps._pydev_SocketServer"] or
something like that, deliberately avoiding interfering with sys.modules["socketserver"].
It seems to me that the "correct" solution would be to motivate upstream
not to vendor anything in their source tree. If they really need
vendoring to avoid compatibility issues with various environments, they should do so only when building releases. It still wouldn't solve the
problem of incompatible system modules, but at least it would make it
clearer which versions they require and why.
Perhaps they have a maintenance script for updating the vendored dependencies? You could use that to find out how to reverse the changes,
or start from a clean slate?
So the solution I'm currently in the process of trying is to copy the
version from the oldest supported Python version at Debian package
build time. We'll see how this goes....
Perhaps they have a maintenance script for updating the vendored
dependencies? You could use that to find out how to reverse the changes,
or start from a clean slate?
Unlikely; some of their vendored dependencies date back to Python 2.5!
So the solution I'm currently in the process of trying is to copy the version from the oldest supported Python version at Debian package
build time. We'll see how this goes....
Perhaps they have a maintenance script for updating the vendored
dependencies? You could use that to find out how to reverse the changes, >> or start from a clean slate?
Unlikely; some of their vendored dependencies date back to Python 2.5!
In that case, I think this is the issue that must be solved first:
Ensuring that their code is compatible with the *latest* published
version, and vendoring the system version at build time.
Not a good solution, since it will still leave the system vulnerable
when one of the dependencies gets a security update, but better than
shipping a static version that might have numerous issues and will no
longer receive any patches.
The alternative would be that they take full responsibility for their vendored code, but then it will be much harder to detect when they're affected by a vulnerability.
Sysop: | Keyop |
---|---|
Location: | Huddersfield, West Yorkshire, UK |
Users: | 349 |
Nodes: | 16 (3 / 13) |
Uptime: | 106:48:50 |
Calls: | 7,612 |
Calls today: | 3 |
Files: | 12,786 |
Messages: | 5,682,994 |
Posted today: | 2 |