ENB: Distribution challenges


Edward K. Ream

Mar 18, 2024, 5:43:22 PM
to leo-editor

This Engineering Notebook post briefly summarizes the challenges in distributing Leo on pypi.


PRs #3834 and #3835 (both drafts) contain the relevant code.


New security restrictions


All files uploaded to pypi and testpypi must have unique filenames and contents.


These new constraints are reasonable. Code repositories such as GitHub and pypi are under continuous, sustained, sophisticated attacks from state-sponsored terrorists. The goal is to insert malware in legitimate software such as Leo.


These new constraints require new scripts. A few hours of experience showed that new scripts are mandatory. I now have private scripts called build-leo, upload-leo, install-leo and uninstall-leo. These scripts will eventually become part of the leo/scripts directory.


Further work


- Automatically create unique filenames using public version ids. The build script might use a private helper file in my home directory.


- Automatically insert a timestamp in leoVersion.py. This timestamp will ensure that the contents of each build will be unique.


The build script (or a helper) will update these ids and timestamps without changing Leo's version number. PR3 uses a version number of 6.7.8.1, but that's likely a temporary expedient.


Bugs


I yanked Leo 6.7.8 from pypi because the Python wheel was dangerous: it sprayed the sub-folders of the leo-editor/leo folder inside Python's site-packages folder!! Happily, `pip uninstall leo` undid the damage!


I am cycling between two bugs. The first creates no "leo" package in the "site-packages" folder; the second damages "site-packages" as described above.


Presumably, pyproject.toml needs only a tweak, but I'm tearing out my hair trying to find it!


Summary


Right now, `pip install leo` installs Leo 6.7.7, not Leo 6.7.8. The bugs described above are release blockers.


It is no longer possible to create or debug pypi distributions without using helper scripts. Those scripts are my next project.


I would greatly appreciate help debugging either PR. My guess is that pyproject.toml needs only a tweak, but finding that tweak has not been easy!!!


Edward


P.S. Both PRs remove setup.py. That's not strictly necessary, but removing setup.py should simplify distribution in the long run.


EKR



Edward K. Ream

Mar 19, 2024, 6:05:48 AM
to leo-editor
On Monday, March 18, 2024 at 4:43:22 PM UTC-5 Edward K. Ream wrote:

> This Engineering Notebook post briefly summarizes the challenges in distributing Leo on pypi.


In this kind of challenging project, I look for small gains. Here are today's:


Test locally


Aha/Doh: test my wheel file without using testpypi:


python -m pip install c:\Repos\leo-editor\dist\leo-6.7.8.1-py3-none-any.whl


Use the wheel-inspect package


The following command shows that the 6.7.7 wheel includes a "leo" module:


python -m wheel_inspect dist\leo-6.7.7-3-py3-none-any.whl >c:\Users\Dev\wheel-inspect-6.7.7.txt


A similar command shows that the 6.7.8 wheel does not include the "leo" module. I suspected as much, but now I know for sure.


Summary


Inspecting a wheel shows whether installing from that wheel has any chance of working.


There is no point in uploading a wheel file until a local install works.


The next task: tell the .toml file to include the "leo" module :-)


Onward!


Edward

Edward K. Ream

Mar 19, 2024, 9:35:04 AM
to leo-e...@googlegroups.com
On Tue, Mar 19, 2024 at 5:05 AM Edward K. Ream <edre...@gmail.com> wrote:

> In this kind of challenging project, I look for small gains. Here are today's:


And one more. Now that I can test locally, there is no need for a timestamp. Indeed, the .toml file will be different, so the overall hash will be different too.


So the project is getting simpler.


Edward

Thomas Passin

Mar 19, 2024, 10:03:06 AM
to leo-editor
On Monday, March 18, 2024 at 5:43:22 PM UTC-4 Edward K. Ream wrote:

> This Engineering Notebook post briefly summarizes the challenges in distributing Leo on pypi.
>
> I would greatly appreciate help debugging either PR. My guess is that pyproject.toml needs only a tweak, but finding that tweak has not been easy!!!


If it would help, once everything is working locally for you on Windows I could try it out on several Linux VMs.

Edward K. Ream

Mar 19, 2024, 1:04:03 PM
to leo-e...@googlegroups.com
On Tue, Mar 19, 2024 at 9:03 AM Thomas Passin <tbp1...@gmail.com> wrote:

> On Monday, March 18, 2024 at 5:43:22 PM UTC-4 Edward K. Ream wrote:
>
> > I would greatly appreciate help debugging either PR. My guess is that pyproject.toml needs only a tweak, but finding that tweak has not been easy!!!


At last I have found the key. The .toml file needs only to specify this:

[tool.setuptools]
packages = [
    "leo",
]

This creates a proper wheel. However, right now (to avoid dozens of warnings) the .toml file specifies dozens of other "pseudo-packages". I'll try to avoid listing all those packages later today or tomorrow.

> If it would help, once everything is working locally for you on Windows I could try it out on several Linux VMs.

Thanks for the offer! I'll take you up on it soon.

Edward

Edward K. Ream

Mar 20, 2024, 12:15:05 PM
to leo-editor
On Monday, March 18, 2024 at 4:43:22 PM UTC-5 Edward K. Ream wrote:

> This Engineering Notebook post briefly summarizes the challenges in distributing Leo on pypi.


Here is an update and summary:

- PR #3835 contains the latest code.
- pypi checks the version in PKG-INFO.TXT matches the version in the uploaded file!
  This check (practically) guarantees that the contents (hash) of Leo's contents are unique.
- The first comment of this PR contains the scripts I use.
  I'll update these scripts in Leo 6.7.9, not in Leo 6.7.8.
- Testing locally using the install-leo and uninstall-leo is (practically) mandatory.
  Everything, including filenames, must be perfect before uploading to testpypi or pypi.
- Using testpypi is (practically) mandatory.
  Otherwise, any glitch will require a new version number, a new PKG-INFO.TXT, and a new filename!

Summary

- I'm comfortable with the release process, but this process depends on my semi-private scripts.
- Leo 6.7.9 will contain an updated distribution checklist and several new scripts. See #3836.
- This post will be pre-writing for a new info item.
- I'll release another version of Leo 6.7.8 in the next day or two.

Edward
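As an added example (not Leo's own build or install scripts), here is a small pre-upload check, standard library only, that covers the wheel inspection described in the Mar 19 post and the filename/PKG-INFO version rule in the bullet list above: it opens the wheel as a zip archive, confirms the "leo" package is present, flags stray top-level entries of the kind that were sprayed into site-packages, and compares the METADATA version with the version in the filename. The sample wheel it builds is constructed in memory for illustration, not a real Leo build.

```python
"""Pre-upload wheel sanity check (added example). A wheel is a zip archive;
every top-level entry in it becomes a top-level entry in site-packages, so
inspecting the archive shows whether an install has any chance of working."""
import io
import re
import zipfile

# Wheel filename: {name}-{version}(-{build})?-{python}-{abi}-{platform}.whl
WHEEL_RE = re.compile(r"^(?P<name>[^-]+)-(?P<version>[^-]+)-.*\.whl$")


def check_wheel(filename: str, data: bytes, package: str) -> list:
    """Return a list of problems; an empty list means the wheel looks sane."""
    problems = []
    m = WHEEL_RE.match(filename)
    if not m:
        return [f"{filename!r} is not a valid wheel filename"]
    version = m.group("version")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        # Top-level archive entries are exactly what pip will drop into site-packages.
        top = {n.split("/", 1)[0] for n in zf.namelist()}
        dist_infos = [t for t in top if t.endswith(".dist-info")]
        meta_version = None
        if len(dist_infos) != 1:
            problems.append(f"expected one .dist-info dir, found {dist_infos}")
        else:
            meta = zf.read(f"{dist_infos[0]}/METADATA").decode()
            mv = re.search(r"^Version:\s*(\S+)", meta, re.M)
            meta_version = mv.group(1) if mv else None
        # pypi rejects a mismatch between the metadata version and the filename.
        if meta_version != version:
            problems.append(f"METADATA Version {meta_version!r} != filename version {version!r}")
        if package not in top:
            problems.append(f"top-level package {package!r} missing from wheel")
        # Anything else at the top level pollutes site-packages (the yanked-6.7.8 bug).
        stray = sorted(top - {package} - set(dist_infos))
        if stray:
            problems.append(f"stray top-level entries would land in site-packages: {stray}")
    return problems


def build_sample(version: str, files: dict) -> bytes:
    """Construct a minimal in-memory wheel for testing (sample data, not a real build)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(f"leo-{version}.dist-info/METADATA",
                    f"Metadata-Version: 2.1\nName: leo\nVersion: {version}\n")
        for path, text in files.items():
            zf.writestr(path, text)
    return buf.getvalue()
```

Run `check_wheel` against the file in `dist\` before `install-leo` or any upload; a non-empty result means the pyproject.toml package list still needs work.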

Edward K. Ream

Mar 21, 2024, 5:58:41 AM
to leo-editor
On Wednesday, March 20, 2024 at 11:15:05 AM UTC-5 Edward K. Ream wrote:

> This post will be pre-writing for a new info item. 

See #3837: How to create pypi distributions. I'll update this item as necessary.

The "workflow" section should convince you that scripts are necessary.

Edward