#700 Globally ban use of /usr/bin/env in executables
Closed: accepted 2 years ago Opened 2 years ago by tibbs.

The problems that python has with /usr/bin/env aren't really limited to python; you can break a bunch of packaged applications by linking ~/ruby to /bin/true, for example. And really this should never happen.

So I would like to propose that we ban 'env' in #! lines throughout the distribution. There is no excuse for system-installed application to break because I created some file in ~/bin. Here's a quick draft of a new section for the main guidelines, probably down near the end (because I can't think of a better place to put it):

Shebang lines

When packaging script files, where the interpreter to be used is specified in the first line of the script (the shebang line) following #!, the following rules apply:

  • env, /bin/env and /usr/bin/env MUST NOT be used. Packaged applications cannot depend upon what the user has in their personal $PATH.
  • RPM will automatically extract dependencies from the shebang lines.
  • Files which are not installed as executables SHOULD NOT have shebang lines.
  • Language-specific guidelines may have additional restrictions.

(proposal ends)

The third bullet point codifies what we have been doing in package review for some time because rpmlint warns about it but if it's controversial I'm happy to remove it. Honestly I am not sure of when RPM will extract dependencies from shebang lines; I don't know if it will do so for all files or if those files must be executable.

Currently on rawhide 1277 packages have a dependency on /usr/bin/env. The practice is common with both Python and Ruby programmers, it seems, so these things are all over the distribution.


Metadata Update from @tibbs:
- Issue tagged with: meeting

2 years ago

It would be nice if:

  1. there was some macro to fix this.
  2. this was done automatically by RPM with possible opt out.

And one think to take in mind is that there are quite some packages in Ruby, which ships generators. People should not change the shebangs in templates. Neither they should remove shebangs from them, if they are not executable.

I've met templates with such shebangs as well. Templates should probably get an exception.

Second bullet point seems more informational than a "rule" to be followed.

We discussed this at this weeks meeting (https://meetbot-raw.fedoraproject.org/fedora-meeting-2/2017-08-09/fpc.2017-08-09-17.00.txt):

  • x698 Forbid the use of /usr/bin/env in executables (geppetto, 17:30:53)
  • ACTION: Forbid the use of /usr/bin/env (+1:6, 0:0, -1:0)

Metadata Update from @james:
- Issue untagged with: meeting
- Issue tagged with: writeup

2 years ago

17:35:12 <tibbs> Not sure what they mean by templates, really.

For example Bundler can generate scaffold for new gem and here are the templates:

https://github.com/bundler/bundler/tree/master/lib/bundler/templates/newgem

You can explore the 'bin' and 'exe' directories and you'll see the template files which contain shebangs.

As an aside, I still couldn't find a good place to put this. I guess I need to get back in there and do some more work on rearranging the order of things in the big guidelines page to make a little more sense.

Announcement text:

A new section was added to the packaging guidelines regarding shebang lines. It forbids the use of 'env' and codifies the longstanding rpmlint rule that non-executable files should not have shebang lines.

Metadata Update from @tibbs:
- Issue untagged with: writeup
- Issue tagged with: announce

2 years ago

Metadata Update from @tibbs:
- Issue untagged with: announce
- Issue close_status updated to: accepted
- Issue status updated to: Closed (was: Open)

2 years ago

The wiki markup there is broken, is uses markdown for code.

Login to comment on this ticket.

Metadata