Provide smaller package by specifying dependencies #831
Comments
Why?
Why not? :) It's a security risk to have such a large number of libraries bundled with the application (someone could easily swap out a library for a malicious library), and having it depend on packages of a Linux distribution opens the way for allowing it to be distributed as part of the packaging system, or at least via something like pip -- both would make it easier to upgrade, and the former would offer better security (e.g. signed packages, security audits, etc.). If your concern is with making it generally accessible for all Linux distributions, then you could use something like flatpak or snap. Does that make sense?
The Windows builds we distribute are all signed and the macOS builds are signed and notarized. Without signing, some features do not work under macOS for lack of access to certain APIs; the same might happen soon on Windows. I am not too much into Linux, but the Artisan build process is complex due to the different nature of packages used. Not all are available on pip, some need compilation from source. Not sure how to distribute this in an "unbundled" way such that a user ends up with a clickable app. It might be just my lack of knowledge and talent on the Linux side that hinders an improvement here. Could you make a suggestion?
I think it makes more sense for someone familiar with a particular Linux distro to do the packaging. I use Debian, so I am more familiar with its packaging than I am with other distros. Debian packages are often packaged by a Debian contributor, not the upstream developer. I wouldn't expect a developer to become familiar with all Linux distros' packaging systems. There are Artisan AppImages available already, those should run on most distros. Edit to add: I use the provided deb package that includes the dependencies. It works fine on Debian stable (bullseye). Some of the dependencies it includes are not available from the stable repository (PySide6 for one), so if it didn't include dependencies, I would have to either use an older version of artisan or try to get the newer dependencies installed myself.
I agree with the idea that distro-specific packaging should be handled by
people familiar with the specific packaging system. Perhaps in this case
what would be ideal is to publish Artisan on PyPI, specifying all
dependencies so that it can be installed via pip (without needing to bundle
libraries as part of the distribution). If it can be installed with pip,
then this should make it easier for people to create distro-specific
packages.
I have created a requirements file that seems to work for Linux, if that
would be helpful.
…On Thu, Apr 7, 2022, 2:12 PM Mark Penner ***@***.***> wrote:
I think it makes more sense for someone familiar with a particular Linux
distro to do the packaging. I use Debian, so I am more familiar with its
packaging than I am with other distros. Debian packages are often packaged
by a Debian contributor, not the upstream developer. I wouldn't expect a
developer to become familiar with all Linux distros' packaging systems.
There are Artisan AppImages available already, those should run on most
distros.
Wonder how you manage the installation of the non-pip binary packages like snap in a PyPI. Could you please open a PR with your changes to create and establish a PyPI?
@MAKOMO here's an example that is working for linux in a venv: edgimar@da13837 The following works for me:
If this all works, then it can be tested for Windows and OSX also, and the requirements.txt file adjusted as needed to provide platform-specific details. Currently the
Closing this as not planned
The release packages currently bundle together all libraries that artisan depends on. Please consider additionally creating smaller packages that specify package dependencies in order to provide the needed libraries.