FormAlchemy Debian package
Arnaud Fontaine
I'm currently working on packaging FormAlchemy for Debian. It includes a
modified version of Tempita in formalchemy/tempita, however this is not
really recommended for security reasons and also when a new version will
be released. Thus, I'm wondering if it would be possible to depend on
Tempita module rather than including it directly in the source code?
Cheers,
Arnaud Fontaine
Jonathan Ellis
templates.py imports tempita like this
# put tempita on the path
sys.path.append(os.path.split(os.path.abspath(__file__))[0])
from tempita import Template as TempitaTemplate
So if you have tempita installied in site-packages already or
somewhere else on the patch simply "from tempita import" should work
fine. (The sys.path munging would then be irrelevant but harmless.)
-Jonathan
Arnaud Fontaine
Hello,
> We include tempita as an svn:external, so it's not actually a
> modified version. templates.py imports tempita like this
> # put tempita on the path
> sys.path.append(os.path.split(os.path.abspath(__file__))[0]) from
> tempita import Template as TempitaTemplate
> So if you have tempita installied in site-packages already or
> somewhere else on the patch simply "from tempita import" should
> work fine. (The sys.path munging would then be irrelevant but
> harmless.)
There is also the following import in ext/pylons/admin.py:
From formalchemy.tempita import Template
It is not a modified version, well you are right ;). But why do you ship
it with formalchemy module? Why don't you simply
depend/suggest/recommend on it? I understand that it is harmless about
templates.py but well it still requires patching setup.py to get rid of
tempita...
Regards,
Arnaud Fontaine
Jonathan Ellis
> It is not a modified version, well you are right ;). But why do you ship
> it with formalchemy module? Why don't you simply
> depend/suggest/recommend on it?
When we started one goal was to avoid external dependencies except on
SQLAlchemy. It was relatively painless to include tempita this way so
it seemed to make sense to continue supporting that goal.
-Jonathan
Arnaud Fontaine
> When we started one goal was to avoid external dependencies except
> on SQLAlchemy. It was relatively painless to include tempita this
> way so it seemed to make sense to continue supporting that goal.
Well, if it does not depend on it but rather suggests it, it does not
add an external dependencies. Furthermore, including a module directly
is not recommended at all, mainly because of security issues and
bugs. Isn't it possible to do like mako?
Cheers,
Arnaud
Jonathan Ellis
you say "just install mako" :)
Alexandre Conrad
sees another templating engine being installed, he get's pissy.
At the same time, I must agree with Arnaud that checking out Tempita
as svn:external and keeping it under our source tree makes us
responsible for maintaining it. Suppose a security issue is introduced
in Tempita+FA and Tempita gets quickly released with a fix, the
end-user installing the fixed debian package "python-tempita" won't
have his issue fixed in FA (at least if the Tempita package is already
installed by another package as FA doesn't depend on it). Then the FA
debian packager, Arnaud, would need to port the fix to FA. It's
redundant work.
Having Tempita included in our source tree was done to lower FA's
adoption barrier.
Regards,
Alex
2009/5/19 Jonathan Ellis <jbe...@gmail.com>:
Jonathan ellis
add a deb dependency for python-tempita then ours will be ignored
since it is later in the path.
-Jonathan
On May 19, 2009, at 2:05 AM, Alexandre Conrad <alexandr...@gmail.com
Alexandre Conrad
Arnaud Fontaine
Hi,
Sorry to answer to this thread so late ;).
> Well, that is why I explained the whole import thing -- if you
> just add a deb dependency for python-tempita then ours will be
> ignored since it is later in the path.
I understand your point, but there is still an issue in
ext/pylons/admin.py because it does the following whereas the
formalchemy debian package for example does not contain tempita:
From formalchemy.tempita import Template
Moreover, in forms.py, it is stated that tempita is included as
formalchemy.tempita.
Anyway, I understand that it may be easier for users to have tempita
included, but well, I guess that most users would rely either on:
1/ distribution package, in that case, the vendor would get rid of the
module included in formalchemy package for the reasons I mentiond
earlier.
2/ eggs to easily installed the modules with its (possible)
dependencies.
Therefore, I can't understand why you keep it in formalchemy source
because it adds more work to both you because you have to update the the
modules and distribution packagers because we have to patch the
source...
Cheers,
Arnaud
Gaël Pasgrimaud
>>>>>> Jonathan ellis <jbe...@gmail.com> writes:
>
> Hi,
>
> Sorry to answer to this thread so late ;).
>
> > Well, that is why I explained the whole import thing -- if you
> > just add a deb dependency for python-tempita then ours will be
> > ignored since it is later in the path.
>
> I understand your point, but there is still an issue in
> ext/pylons/admin.py because it does the following whereas the
> formalchemy debian package for example does not contain tempita:
>
> From formalchemy.tempita import Template
>
I think this is not used anymore. I'll try to remove it.
> Moreover, in forms.py, it is stated that tempita is included as
> formalchemy.tempita.
>
> Anyway, I understand that it may be easier for users to have tempita
> included, but well, I guess that most users would rely either on:
>
> 1/ distribution package, in that case, the vendor would get rid of the
> module included in formalchemy package for the reasons I mentiond
> earlier.
>
> 2/ eggs to easily installed the modules with its (possible)
> dependencies.
>
> Therefore, I can't understand why you keep it in formalchemy source
> because it adds more work to both you because you have to update the the
> modules and distribution packagers because we have to patch the
> source...
>
I also think that we should remove it and add tempita as a dependencie
in setup.py
--
Gael