python package: pyo files

[Toshio Kuratomi]

On Wed, 2006-08-09 at 16:54 -0400, Jesse Keating wrote:
> On Wednesday 09 August 2006 16:45, Jeremy Katz wrote:
> > On Wed, 2006-08-09 at 13:32 -0400, Konstantin Ryabitsev wrote:
> > > On 8/9/06, Jeremy Katz <katzj at redhat.com> wrote:
> > > > They need to be present so that things can end up with the correct
> > > > SELinux context -- otherwise, if you run a python app with -O2 as a
> > > > user, you end up getting various avc denials
> > >
> > > So, what does that mean in terms of %ghost?
> >
> > That it's not a good idea and the .pyo files should just be included in
> > the package
> 
> This is reason enough for me to amend the Python packaging rule for this.
> 
> If you want .pyo, do it when building and package them up.
> 
Err.  I think you're misunderstanding.  End-users (well, the root user
on the consumer's system) can generate .pyos by running  python -O
PROGRAM or PYTHONOPTIMIZE="yes" PROGRAM.  This is because python will
create the byte compiled files automatically when it is run.

So the packager has to either include the .pyos or %ghost the pyos to
solve that.  The packager can't make the decision to not deal
with .pyo's at all.

Jeremy's position is that in the case where an end-user has
PYTHONOPTIMIZE set and SELinux enabled, they are going to generate
extraneous AVC denials in the logs.  So packages should all include
the .pyos, not ghost them.

My position is that it's expected behaviour for python to attempt to
create the .pyos so SELinux policy should be adapted to not log an error
when that happens and %ghosting should be fine.

-Toshio
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL: <http://listman.redhat.com/archives/fedora-extras-list/attachments/20060809/2178f867/attachment.sig>