#493 Bundling exception: python-execnet bundles python-apipkg
Closed: Fixed None Opened 4 years ago by ktdreyer.

'''High-level summary:''' python-execnet bundles the python-apipkg library. Both libraries are developed by the same author. The author insists that apipkg is a copylib.

== History in Fedora ==

python-execnet was packaged in Fedora first, and python-apipkg was accepted into Fedora later.

When python-apipkg was accepted, the python-apipkg maintainer (Ian Weller) filed a bug to unbundle python-apipkg from python-execnet: https://bugzilla.redhat.com/790165

After Ian filed his bug, the execnet maintainer (Thomas Moschny) filed the bug report upstream: https://bitbucket.org/hpk42/execnet/issue/13

The upstream author insisted that apipkg was a copylib and closed the upstream bug as "wontfix".

== Bundled library Q&A ==

Below are the standard form questions.

'''Has the library behaviour been modified? If so, how has it been modified?'''

Originally execnet contained an older version of apipkg.py, but the upstream author has synchronized all the changes. No modifications remain, but the library remains copied.

(Note that the upstream author for both libraries is the same person.)

'''Why haven't the changes been pushed to the upstream library?'''

(Question does not apply - there are no changes to synchronize.)

'''Have the changes been proposed to the Fedora package maintainer for the library? In some cases it may make sense for our package to take the changes despite upstream not taking them (for instance, if upstream for the library is dead).'''

(Question does not apply - there are no changes to synchronize.)

'''Could we make the forked version the canonical version within Fedora? For instance, if upstream for the library is dead, is the package we're working on that bundles willing to make their fork a library that others can link against?'''

No, I think it makes sense to keep python-apipkg as it is. It doesn't get many updates, and Holger seems to be keeping both projects alive as far as I can tell.

'''Are the changes useful to consumers other than the bundling application? If so why aren't we proposing that the library be released as a fork of the upstream library?'''

(Question does not apply - there are no extra changes for consumers to consume.)

'''What is the attitude of upstream towards bundling? (Are they eager to remove the bundled version? are they engaged with the upstream for the library? Do they have a history of bundling? Are they argumentative?)'''

The upstream author sees no point in removing the bundled python-apipkg code, and as described in the upstream bug report, since execnet executes across hosts, he claims it would break if a dependency were to be introduced. Holger has declared apipkg.py to be a copylib in the apipkg package documentation on PyPI: https://pypi.python.org/pypi/apipkg/1.2

'''Overview of the security ramifications of bundling'''

When a CVE is found in apipkg, we will need to update both python-apipkg and python-execnet in Fedora.

Since it is the same upstream author for both Python projects, coordination should not be as hard as if the two upstream projects were managed separately.

'''Does the maintainer of the Fedora package of the library being bundled have any comments about this?'''

Ian Weller has filed the bug https://bugzilla.redhat.com/790165 and we did not hear any more comments from him. I would welcome Ian's thoughts on this ticket here or in the original BZ.

'''Is there a plan for unbundling the library at a later time? Include things like what features would need to be added to the upstream library, a timeline for when those features would be merged, how we're helping to meet those goals, etc.'''

There is no concrete plan or timeline to unbundle apipkg.

'''Please include any relevant documentation -- mailing list links, bug reports for upstream or the bundled library, etc.'''

"python-execnet should unbundle apipkg" : https://bugzilla.redhat.com/790165

Upstream report of the same: https://bitbucket.org/hpk42/execnet/issue/13


In the interest of "Staying Close to Upstream", the least-worst option is to permit a bundling exception.

I just commented in the upstream report, how ipython did the unbundling stuff.

Maybe that's also an option for upstream as they can still bundle it in their releases and it is easy to unbundle for Fedora.

We discussed this at today's meeting (http://meetbot.fedoraproject.org/fedora-meeting-1/2015-01-22/fpc.2015-01-22-17.01.txt), and tomsput said he'd try to help you out for the next meeting:

Further unbundling requires a [https://bugzilla.redhat.com/show_bug.cgi?id=1185059 python3-apipkg] package.

How about granting a temporal exception until that has happened?

We discussed this at this week's meeting (http://meetbot.fedoraproject.org/fedora-meeting-1/2015-02-19/fpc.2015-02-19-17.00.txt):

  • 493 Bundling exception: python-execnet bundles python-apipkg
    (geppetto, 17:23:12)
  • LINK: https://fedorahosted.org/fpc/ticket/493 (geppetto, 17:23:35)
  • ACTION: apipkg is in rawhide, check back if you need anything else.
    If we don't hear anything we'll close the ticket in a few weeks.
    (geppetto, 17:32:17)

Well, no further updates here, so closing as promised. Feel free to reopen if there's something you need us to do.

Metadata Update from @james:
- Issue assigned to tibbs

2 years ago
