Review of kdev-python for move to extragear

Sven Brauch svenbrauch at googlemail.com
Wed Dec 26 17:40:05 GMT 2012


2012/12/26 Sune Vuorela <nospam at vuorela.dk>:
> On 2012-12-25, Sven Brauch <svenbrauch at googlemail.com> wrote:
>> Also, I'm still not sure what exactly concerns you about security and
>> maintenance. Problems I see include increased build time, and
>> maintenance efforts for me personally in updating the fork, but none
>> really seem fatal. Can you elaborate a bit about which problems you
>
> One of the problems is that a distribution like Debian and/or
> Ubuntu has around 60-70 patches against python2.7 to ensure it builds
> and works everywhere.
> All these patches might also be needed for the extra copy - and given the
> extra copy is modified, then these patches might need to be adapted.
>
> Another of the problems is that if there is a security bug in libpython,
> then instead of just doing a security fix to python, one also needs to
> do one to kdev-python.
>
> The first problem is a large amount of work for the distribution
> packagers, and the second problem is quite annoying for distribution
> security teams.
>
> All of this applies to every embedded library. And python is a quite big
> thing.
>
> /Sune

Hi,

kdev-python does not really ship with a custom version of python which
is used for various things; for example the interpreter or even
standard library is not being used. Only the parser code from the
libpython.so library is being called, everything else is just there as
basically a build dependency for the parser stuff. Thus, the chances
of it not working somewhere (due to path problems, runtime
dependencies, ...) are hopefully slim.
How often are there security bugs in parser code? I don't know, but I'd
guess it's not something that happens every other day. For security
issues anywhere else (e.g. standard library modules such as xml parser
stuff or whatever), they don't really matter since they can't ever be
executed.

I do agree that the solution is not very elegant at any rate, but I'm
still very much at a loss for a better idea. If anyone can come up with
something good, I'd spend the time to change it, but writing a custom
parser... phew.

Greetings,
Sven




More information about the kde-core-devel mailing list