From oscar.j.benjamin at gmail.com Mon Jan 4 09:27:01 2016 From: oscar.j.benjamin at gmail.com (Oscar Benjamin) Date: Mon, 4 Jan 2016 14:27:01 +0000 Subject: [Distutils] Trouble using setuptools to build separate c++ extension In-Reply-To: <56761D38.5010409@gmail.com> References: <56761D38.5010409@gmail.com> Message-ID: On 20 December 2015 at 03:15, Thomas Nyberg wrote: > Hello I'm having trouble understanding the right way to build a c++ module > using setuptools. I've been reading the docs, but I'm confused where I > should be putting my build options. Everything builds fine on its own. I > have my sources in src/ and my headers in include/. > > My first problem is that I'm having trouble figuring out where to put my > build flags. Here is the Makefile I'm currently using: > > -------- > srcs=$(wildcard *.cpp) > srcs+=$(wildcard src/*.cpp) > objs=$(patsubst %.cpp,%.o,$(srcs)) > > cc=g++ > ccflags=-std=c++11 -g -O3 -fPIC > includes=-I. -I./include/ -I/usr/include/python2.7/ -I/usr/include/boost > libflags=-L. -L/usr/lib/x86_64-linux-gnu > ldflags= -shared -Wl,--export-dynamic > > patent_computer_cpp.so: $(objs) > $(cc) $(libflags) $(ldflags) $(objs) -o patent_computer_cpp.so > -lboost_python -lpython2.7 > > %.o:%.cpp > $(cc) $(ccflags) $(includes) -c -o $@ >lt; > -------- > > Unfortunately I can't post the sources, but they compile fine to produce the > `patent_computer_cpp.so` file which can be imported as a module. Maybe I > should also point out that I'm using boost-python (I don't think this is the > issue though). > > I just can't figure out how to get setuptools.Extension to use these build > flags. I've seen recommendations online saying that I should set CFLAGS as > an environment variable and set OPT='' as an environment variable as well, > but this just feels wrong given the simplicity of my setup. (Besides the > shared object doesn't seem to compile correctly in this case.) I've tried > using the extra_compile_args option in setup.py, but that fails. > > Is there a way to avoid setting environment variables like this or is this > the accepted way to build this kind of software? Am I missing some obvious > docs somewhere? Thanks for any help. Hi Thomas, Whether or not what you're currently doing is acceptable really depends. Who needs to install this? Do you know which OS or compiler they will use etc? Are you hoping that this will be installed by pip? The setup.py is supposed to allow the end user a bit of freedom to use different OS/compiler etc. and free up the module author from needing to know exactly where the Python header files and link libraries will be on each platform. OTOH if you are just writing for exactly one platform then what you have may be more convenient and flexible. I would approach this step-by-step to convert that to using setup.py. So the first part is to tell extension about all of the cpp files and get it to use g++ to compile it. The next step is to tell about the additional include locations. The next step is the additional libraries that need linking. There are arguments to Extension and setup for each of these things. The last part is to get the exact right compiler flags. -- Oscar From arstechnica at contractor.net Fri Jan 8 04:18:14 2016 From: arstechnica at contractor.net (ars technica) Date: Fri, 8 Jan 2016 10:18:14 +0100 Subject: [Distutils] Problems using pip on Ubuntu when 2.7, 3.4 and 3.5 are installed Message-ID: An HTML attachment was scrubbed... URL: From leorochael at gmail.com Fri Jan 8 09:43:10 2016 From: leorochael at gmail.com (Leonardo Rochael Almeida) Date: Fri, 8 Jan 2016 12:43:10 -0200 Subject: [Distutils] Problems using pip on Ubuntu when 2.7, 3.4 and 3.5 are installed In-Reply-To: References: Message-ID: Hi Mr(s) Versions, Your "locate" output shows that you have a manual installation of Python 3.4 on /usr/local, and it's possible that "/usr/local/bin" is ahead of "/usr/bin" in your PATH, which is why pip3 installs into Python 3.4. >From your error message with Python 3.5, it seems like your Python 3.5 is a "System Python", i.e., a Python that was installed with the package manager for your system, but that your Python development packages wasn't installed yet. If yours is a Debian style system, you might need to install the "python-dev" or perhaps a "python3.5-dev" package. E.g.: - apt-get install python-dev If your system is Redhat based (Fedora, RHEL (do we already have python3.5 in any RHEL release?)), then you're looking for a "python-devel" or "python3.5-devel" package. Something like: - yum install python-dev Hope it helps. Best regards, Leo On 8 January 2016 at 07:18, ars technica wrote: > Hi, > > thank you for the tutorial here > https://docs.python.org/3.5/installing/index.html > > I have a problem using pip to install packages to 3.5. I now have three > versions installed and pip only addresses the two old ones. > > The command pip installs to 2.7 > pip3 installs to 3.4 and that leaves 3.5 all alone. > > I tried to install numpy with the command > python3.5 -m pip install numpy > > but got the error that Python.h could not be located. When asked bash > *locate* Python.h > it returned > /usr/local/include/python3.4m/Python.h > > > My question therefore is. How do I setup my environment to be able to > install packages to all the Python versions? Should I do a > virtualenvironment for each version or can I change some configuration file > to let PIP know that it should check the Py3.5 folder when desired? > > Best regards, > > lost in versions. > > > > _______________________________________________ > Distutils-SIG maillist - Distutils-SIG at python.org > https://mail.python.org/mailman/listinfo/distutils-sig > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From ncoghlan at gmail.com Sat Jan 9 04:26:32 2016 From: ncoghlan at gmail.com (Nick Coghlan) Date: Sat, 9 Jan 2016 19:26:32 +1000 Subject: [Distutils] Problems using pip on Ubuntu when 2.7, 3.4 and 3.5 are installed In-Reply-To: References: Message-ID: On 8 January 2016 at 19:18, ars technica wrote: > Hi, > > thank you for the tutorial here > https://docs.python.org/3.5/installing/index.html > > I have a problem using pip to install packages to 3.5. I now have three > versions installed and pip only addresses the two old ones. > > The command pip installs to 2.7 > pip3 installs to 3.4 and that leaves 3.5 all alone. > > I tried to install numpy with the command > python3.5 -m pip install numpy In the absence of a virtual environment, using "-m" as you have done here is the right way to invoke pip while ensuring it's using the intended Python installation. > but got the error that Python.h could not be located. When asked bash > locate Python.h > it returned > /usr/local/include/python3.4m/Python.h This is where things can get a bit messy, since Linux tends to assume system-wide builds by default. > My question therefore is. How do I setup my environment to be able to > install packages to all the Python versions? Should I do a > virtualenvironment for each version or can I change some configuration file > to let PIP know that it should check the Py3.5 folder when desired? If you're fine with building NumPy from source yourself, then creating a virtual environment for each version should work. However, I believe there may still be some potential to end up running into missing header files for some of NumPy's external dependencies when building for a Python version that wasn't provided by your distro. If you'd prefer to avoid any configuration and debugging of C/C++/FORTRAN build processes, then you may prefer to grab miniconda and download distro-independent pre-built binaries: http://conda.pydata.org/miniconda.html Cheers, Nick. -- Nick Coghlan | ncoghlan at gmail.com | Brisbane, Australia From mailtosijojose at gmail.com Wed Jan 13 09:30:51 2016 From: mailtosijojose at gmail.com (Sijo Jose) Date: Wed, 13 Jan 2016 20:00:51 +0530 Subject: [Distutils] Unable to build language-check Message-ID: The language-check (https://pypi.python.org/pypi/language-check)library has the dependency of '*3to2*' in *python 2.7*, In a virtualenv it works fine with pip,that is *pip install 3to2* *pip install language-check* But its failing with easy_install in venv *easy_install 3to2* *easy_install language-check* (It fails) Due to this I'm not able to build my project using *setuptools*. -- *Regards* *Sijo Jose* -------------- next part -------------- An HTML attachment was scrubbed... URL: From erik.m.bray at gmail.com Wed Jan 13 15:54:06 2016 From: erik.m.bray at gmail.com (Erik Bray) Date: Wed, 13 Jan 2016 15:54:06 -0500 Subject: [Distutils] Unable to build language-check In-Reply-To: References: Message-ID: On Wed, Jan 13, 2016 at 9:30 AM, Sijo Jose wrote: > The language-check (https://pypi.python.org/pypi/language-check)library has > the dependency of '3to2' in python 2.7, > In a virtualenv it works fine with pip,that is > > pip install 3to2 > pip install language-check > > > But its failing with easy_install in venv > > easy_install 3to2 > easy_install language-check (It fails) > > Due to this I'm not able to build my project using setuptools. Why do you need to install it with easy_install? pip is the recommended installer for Python packages. Erik From erik.m.bray at gmail.com Thu Jan 14 00:46:58 2016 From: erik.m.bray at gmail.com (Erik Bray) Date: Thu, 14 Jan 2016 00:46:58 -0500 Subject: [Distutils] Unable to build language-check In-Reply-To: References: Message-ID: On Wed, Jan 13, 2016 at 9:30 AM, Sijo Jose wrote: > The language-check (https://pypi.python.org/pypi/language-check)library has > the dependency of '3to2' in python 2.7, > In a virtualenv it works fine with pip,that is > > pip install 3to2 > pip install language-check > > > But its failing with easy_install in venv > > easy_install 3to2 > easy_install language-check (It fails) > > Due to this I'm not able to build my project using setuptools. After trying it myself and looking at the resulting traceback, I see what's going on here. language-check performs some extensive shenanigans to run 3to2 on its code, and somewhere along the line it assumes that 3to2 is installed in a directory. However when you install it with easy_install, it is installed as an egg by default. And since it is marked zip-safe it's installed as a zipped egg file instead of a directory. My recommendation for installing your package is to run `pip install .`, rather than `./setup.py install`, which there is a movement to get away from. Only installing with pip will get you out of a lot of trouble you might run into with easy_install. If you *must* use easy_install run it with -Z, at least when installing 3to2, to make sure it's installed unzipped. You might also raise the issue with the developers of language-check since this is a bug in their setup.py. Best, Erik From njs at pobox.com Thu Jan 14 00:55:16 2016 From: njs at pobox.com (Nathaniel Smith) Date: Wed, 13 Jan 2016 21:55:16 -0800 Subject: [Distutils] heads-up on a plot to bring linux wheels to pypi Message-ID: Hi all, Just wanted give distutils-sig a heads-up that there seems to be some momentum gathering around a plot to bring linux wheels to pypi: https://github.com/manylinux/manylinux Basically the idea is to define a standard baseline linux environment (available libraries + version numbers + ABI of these), give it a name (for now, "manylinux"), and then provide tools to build wheels against this environment, teach pip how to recognize that the system it's on conforms to the environment, and then convince pypi to start accepting wheels with this as a platform tag :-). And if we carefully define the baseline environment based on the experiences of the popular scientific python distros (Continuum's Anaconda + Enthought's Canopy) we can be highly confident that essentially all desktop + server linux distros will be compatible with these wheels. This strategy is orthogonal to the more ambitious efforts to define an interface between wheels and the platform package manager; they can proceed in parallel and potentially complement each other. The goal here is just to get linux up to feature parity with windows and osx. Status: - we have a draft policy - there's a cool tool for scanning wheels and checking whether they conform to the policy: https://github.com/manylinux/auditwheel - there's a draft docker image to make it easy to build such wheels (https://github.com/manylinux/manylinux/pull/2) To do: - bikeshed the name ("manylinux" was picked after about 2 minutes of discussion so as to get started. maybe "genericlinux" would be better? I dunno.) - build some test wheels - write a proper PEP - convince pip and pypi maintainers that this is a good idea ;-) -n -- Nathaniel J. Smith -- http://vorpus.org From ncoghlan at gmail.com Thu Jan 14 05:12:59 2016 From: ncoghlan at gmail.com (Nick Coghlan) Date: Thu, 14 Jan 2016 20:12:59 +1000 Subject: [Distutils] heads-up on a plot to bring linux wheels to pypi In-Reply-To: References: Message-ID: On 14 January 2016 at 15:55, Nathaniel Smith wrote: > Hi all, > > Just wanted give distutils-sig a heads-up that there seems to be some > momentum gathering around a plot to bring linux wheels to pypi: > > https://github.com/manylinux/manylinux > > Basically the idea is to define a standard baseline linux environment > (available libraries + version numbers + ABI of these), give it a name > (for now, "manylinux"), and then provide tools to build wheels against > this environment, teach pip how to recognize that the system it's on > conforms to the environment, and then convince pypi to start accepting > wheels with this as a platform tag :-). And if we carefully define the > baseline environment based on the experiences of the popular > scientific python distros (Continuum's Anaconda + Enthought's Canopy) > we can be highly confident that essentially all desktop + server linux > distros will be compatible with these wheels. Very nice! > This strategy is orthogonal to the more ambitious efforts to define an > interface between wheels and the platform package manager; they can > proceed in parallel and potentially complement each other. The goal > here is just to get linux up to feature parity with windows and osx. That sounds like a good strategy to me - improved automation of upstream -> downstream package conversions is a nice feature to have, but it's a redistributor oriented one, moreso than an end user focused one. For end users, a pragmatic approach to defining a baseline "manylinux" ABI based on the experience of cross-distro redistributors will provide more benefit, sooner. > Status: > - we have a draft policy > - there's a cool tool for scanning wheels and checking whether they > conform to the policy: https://github.com/manylinux/auditwheel > - there's a draft docker image to make it easy to build such wheels > (https://github.com/manylinux/manylinux/pull/2) > > To do: > - bikeshed the name ("manylinux" was picked after about 2 minutes of > discussion so as to get started. maybe "genericlinux" would be better? > I dunno.) Since you've already set up the GitHub group etc as "manylinux", I think it makes sense to just call it "good enough". "manylinux" is an accurate description (as *many* Linux distributions provide the ABI subset you're targeting, but not all of them), and "genericlinux" has potential to cause confusion with "linux-generic" kernel packages. > - build some test wheels > - write a proper PEP > - convince pip and pypi maintainers that this is a good idea ;-) While I've historically advocated against the idea of defining our own "Linux platform ABI" subset, the fact that Enthought and Continuum are successfully distributing pre-built binaries through the simple "use CentOS 5.11" approach seems promising. In terms of non-scientific packages, the main group I'd suggest getting in touch with is pycryptography, as we'll probably want to baseline a more recent version of OpenSSL than the one in CentOS 5.11. Cheers, Nick. -- Nick Coghlan | ncoghlan at gmail.com | Brisbane, Australia From ncoghlan at gmail.com Thu Jan 14 05:19:28 2016 From: ncoghlan at gmail.com (Nick Coghlan) Date: Thu, 14 Jan 2016 20:19:28 +1000 Subject: [Distutils] heads-up on a plot to bring linux wheels to pypi In-Reply-To: References: Message-ID: On 14 January 2016 at 20:12, Nick Coghlan wrote: > On 14 January 2016 at 15:55, Nathaniel Smith wrote: >> - build some test wheels >> - write a proper PEP >> - convince pip and pypi maintainers that this is a good idea ;-) > > While I've historically advocated against the idea of defining our own > "Linux platform ABI" subset, the fact that Enthought and Continuum are > successfully distributing pre-built binaries through the simple "use > CentOS 5.11" approach seems promising. > > In terms of non-scientific packages, the main group I'd suggest > getting in touch with is pycryptography, as we'll probably want to > baseline a more recent version of OpenSSL than the one in CentOS 5.11. Ah, looking at https://github.com/manylinux/auditwheel, I see anything linking to OpenSSL would fail the platform audit, at least for the current draft policy. That also seems like a potentially reasonable approach (although it could lead to complaints about "Why doesn't project offer a wheel file?") Cheers, Nick. -- Nick Coghlan | ncoghlan at gmail.com | Brisbane, Australia From njs at pobox.com Thu Jan 14 06:13:09 2016 From: njs at pobox.com (Nathaniel Smith) Date: Thu, 14 Jan 2016 03:13:09 -0800 Subject: [Distutils] heads-up on a plot to bring linux wheels to pypi In-Reply-To: References: Message-ID: On Thu, Jan 14, 2016 at 2:19 AM, Nick Coghlan wrote: > On 14 January 2016 at 20:12, Nick Coghlan wrote: >> On 14 January 2016 at 15:55, Nathaniel Smith wrote: >>> - build some test wheels >>> - write a proper PEP >>> - convince pip and pypi maintainers that this is a good idea ;-) >> >> While I've historically advocated against the idea of defining our own >> "Linux platform ABI" subset, the fact that Enthought and Continuum are >> successfully distributing pre-built binaries through the simple "use >> CentOS 5.11" approach seems promising. >> >> In terms of non-scientific packages, the main group I'd suggest >> getting in touch with is pycryptography, as we'll probably want to >> baseline a more recent version of OpenSSL than the one in CentOS 5.11. > > Ah, looking at https://github.com/manylinux/auditwheel, I see anything > linking to OpenSSL would fail the platform audit, at least for the > current draft policy. That also seems like a potentially reasonable > approach (although it could lead to complaints about "Why doesn't > project offer a wheel file?") Yeah, it's very unfortunate, that's exactly the library that you'd like to be able to depend on, so we checked specifically. But it turns out that openssl has broken ABI over the relevant time-period, so there's no choice, you can't rely on the system version and have to statically link :-(. Though I guess this is no worse than than if you want to distribute a wheel that needs openssl on Windows. -n -- Nathaniel J. Smith -- http://vorpus.org From tritium-list at sdamon.com Thu Jan 14 06:26:31 2016 From: tritium-list at sdamon.com (Alexander Walters) Date: Thu, 14 Jan 2016 06:26:31 -0500 Subject: [Distutils] heads-up on a plot to bring linux wheels to pypi In-Reply-To: References: Message-ID: <569785E7.5030004@sdamon.com> On 1/14/2016 06:13, Nathaniel Smith wrote: > On Thu, Jan 14, 2016 at 2:19 AM, Nick Coghlan wrote: >> On 14 January 2016 at 20:12, Nick Coghlan wrote: >>> On 14 January 2016 at 15:55, Nathaniel Smith wrote: >>>> - build some test wheels >>>> - write a proper PEP >>>> - convince pip and pypi maintainers that this is a good idea ;-) >>> While I've historically advocated against the idea of defining our own >>> "Linux platform ABI" subset, the fact that Enthought and Continuum are >>> successfully distributing pre-built binaries through the simple "use >>> CentOS 5.11" approach seems promising. >>> >>> In terms of non-scientific packages, the main group I'd suggest >>> getting in touch with is pycryptography, as we'll probably want to >>> baseline a more recent version of OpenSSL than the one in CentOS 5.11. >> Ah, looking at https://github.com/manylinux/auditwheel, I see anything >> linking to OpenSSL would fail the platform audit, at least for the >> current draft policy. That also seems like a potentially reasonable >> approach (although it could lead to complaints about "Why doesn't >> project offer a wheel file?") > Yeah, it's very unfortunate, that's exactly the library that you'd > like to be able to depend on, so we checked specifically. But it turns > out that openssl has broken ABI over the relevant time-period, so > there's no choice, you can't rely on the system version and have to > statically link :-(. > > Though I guess this is no worse than than if you want to distribute a > wheel that needs openssl on Windows. > > -n > Theoretically you can statically link openssl on windows, or otherwise include it. An odd benefit (in this case, only) of an operating system that includes nothing is a culture of vendoring everything. From glyph at twistedmatrix.com Thu Jan 14 06:57:38 2016 From: glyph at twistedmatrix.com (Glyph Lefkowitz) Date: Thu, 14 Jan 2016 03:57:38 -0800 Subject: [Distutils] heads-up on a plot to bring linux wheels to pypi In-Reply-To: References: Message-ID: <53925647-42D8-413E-85D6-2DFFCF77F416@twistedmatrix.com> > On Jan 14, 2016, at 2:12 AM, Nick Coghlan wrote: > > In terms of non-scientific packages, the main group I'd suggest > getting in touch with is pycryptography, as we'll probably want to > baseline a more recent version of OpenSSL than the one in CentOS 5.11. > 1. It's "cryptography" (or "PyCA's Cryptography", or "cryptography.io"), not "pycryptography". This is an important distinction because "PyCrypto" is the crappy, old thing you should not use, and "cryptography" is the new hotness. 2. On every other platform where they distribute wheels, the Cryptography developers have statically linked both OpenSSL and libffi; I was tangentially involved in the effort to do this on OS X, and in the process of debugging that, I learned that the Linux toolchain is fairly similar. I would imagine that they'd want to statically link OpenSSL the same way, for the same reasons, on Linux. Cryptography does regular releases to bundle in newer OpenSSLs, generally more often than the underlying platforms do. (Since Cryptography does not directly export OpenSSL's API as such, it's easier to do multi-verison compatibility with Python than with C.) In fact I am going to go out on a limb and say that I think Cryptography could be ready to go with this in a few weeks if PyPI just started allowing Linux wheels. We've discussed using ancient-CentOS containers for building static binaries the same way PyPy does. The potentially tricky part is just building the static new versions of OpenSSL from scratch on old systems, I think... -glyph -------------- next part -------------- An HTML attachment was scrubbed... URL: From njs at pobox.com Thu Jan 14 07:01:08 2016 From: njs at pobox.com (Nathaniel Smith) Date: Thu, 14 Jan 2016 04:01:08 -0800 Subject: [Distutils] heads-up on a plot to bring linux wheels to pypi In-Reply-To: <53925647-42D8-413E-85D6-2DFFCF77F416@twistedmatrix.com> References: <53925647-42D8-413E-85D6-2DFFCF77F416@twistedmatrix.com> Message-ID: On Thu, Jan 14, 2016 at 3:57 AM, Glyph Lefkowitz wrote: [...] > In fact I am going to go out on a limb and say that I think Cryptography > could be ready to go with this in a few weeks if PyPI just started allowing > Linux wheels. We've discussed using ancient-CentOS containers for building > static binaries the same way PyPy does. The potentially tricky part is just > building the static new versions of OpenSSL from scratch on old systems, I > think... https://phusion.github.io/holy-build-box/ https://github.com/phusion/holy-build-box/blob/master/image/build.sh#L308 -n -- Nathaniel J. Smith -- http://vorpus.org From mailtosijojose at gmail.com Thu Jan 14 00:29:28 2016 From: mailtosijojose at gmail.com (Sijo Jose) Date: Thu, 14 Jan 2016 10:59:28 +0530 Subject: [Distutils] Unable to build language-check In-Reply-To: References: Message-ID: Hi Erik, I'm not able to build my project using setuptools, it fails to install language-check library, see my setup.py below. ------------------ setup( name='name', version='0.0.1', description=' TA', long_description=DESCRIPTION, license='Proprietary License', author='', author_email='', packages=find_packages(), install_requires=[ "language-check==0.7.5", "3to2==1.1.1", ], While executing *python setup.py install*, the language-check dependency is not getting resolved. Is there any workaround for this...? Thanks Sijo Jose On Thu, Jan 14, 2016 at 2:24 AM, Erik Bray wrote: > On Wed, Jan 13, 2016 at 9:30 AM, Sijo Jose > wrote: > > The language-check (https://pypi.python.org/pypi/language-check)library > has > > the dependency of '3to2' in python 2.7, > > In a virtualenv it works fine with pip,that is > > > > pip install 3to2 > > pip install language-check > > > > > > But its failing with easy_install in venv > > > > easy_install 3to2 > > easy_install language-check (It fails) > > > > Due to this I'm not able to build my project using setuptools. > > Why do you need to install it with easy_install? pip is the > recommended installer for Python packages. > > Erik > -- *Regards* *Sijo Jose* -------------- next part -------------- An HTML attachment was scrubbed... URL: From stuaxo2 at yahoo.com Thu Jan 14 14:47:40 2016 From: stuaxo2 at yahoo.com (Stuart Axon) Date: Thu, 14 Jan 2016 19:47:40 +0000 (UTC) Subject: [Distutils] data_files ? References: <143447675.4210655.1452800860667.JavaMail.yahoo.ref@mail.yahoo.com> Message-ID: <143447675.4210655.1452800860667.JavaMail.yahoo@mail.yahoo.com> Hi,? ?Is data_files deprecated ? ? I use it to install files to a known location. ?I had a look at some of the tickets and am still not 100% sure. package_data won't really work, as the location isn't know. (I have the package 'vext' which can find the files installed by vext.gi vext.pygtk etc)?S++ -------------- next part -------------- An HTML attachment was scrubbed... URL: From nate at bx.psu.edu Thu Jan 14 16:47:42 2016 From: nate at bx.psu.edu (Nate Coraor) Date: Thu, 14 Jan 2016 16:47:42 -0500 Subject: [Distutils] heads-up on a plot to bring linux wheels to pypi In-Reply-To: References: Message-ID: On Thu, Jan 14, 2016 at 12:55 AM, Nathaniel Smith wrote: > Hi all, > > Just wanted give distutils-sig a heads-up that there seems to be some > momentum gathering around a plot to bring linux wheels to pypi: > > https://github.com/manylinux/manylinux > > Basically the idea is to define a standard baseline linux environment > (available libraries + version numbers + ABI of these), give it a name > (for now, "manylinux"), and then provide tools to build wheels against > this environment, teach pip how to recognize that the system it's on > conforms to the environment, and then convince pypi to start accepting > wheels with this as a platform tag :-). And if we carefully define the > baseline environment based on the experiences of the popular > scientific python distros (Continuum's Anaconda + Enthought's Canopy) > we can be highly confident that essentially all desktop + server linux > distros will be compatible with these wheels. > Hi Nathaniel, This is exciting news. As you probably know, I've been working in this space as well. In fact, the January 2016 release of Galaxy[1] will be the first to use wheels to distribute or framework dependencies, and they're installed via pip. We also have a Docker-based build system that automates the process of building these wheels[2]. Unfortunately, this necessitates our own modified versions of pip[3] and wheel[4] for messing with the platform tags. My previous discussion here on distutils-sig on the subject stalled on the discussion of these environments, but it sounds like you're making progress where that stopped. If there is momentum to manylinux and it will gain the favor of pip/PyPI maintainers, I would be happy to transfer my effort there. I've written a linux distro detection library that may be of some use if it's not possible to base all environments off Centos 5. I, and the Galaxy project as a whole, are very motivated to make official Linux wheels a reality. > This strategy is orthogonal to the more ambitious efforts to define an > interface between wheels and the platform package manager; they can > proceed in parallel and potentially complement each other. The goal > here is just to get linux up to feature parity with windows and osx. > > Status: > - we have a draft policy > - there's a cool tool for scanning wheels and checking whether they > conform to the policy: https://github.com/manylinux/auditwheel > - there's a draft docker image to make it easy to build such wheels > (https://github.com/manylinux/manylinux/pull/2) > > To do: > - bikeshed the name ("manylinux" was picked after about 2 minutes of > discussion so as to get started. maybe "genericlinux" would be better? > I dunno.) > FWIW, as an illumos proponent, this same work as is being done for Linux will transfer over to other "distro" OSes like illumos. > - build some test wheels > - write a proper PEP > - convince pip and pypi maintainers that this is a good idea ;-) > > -n > > -- > Nathaniel J. Smith -- http://vorpus.org > _______________________________________________ > Distutils-SIG maillist - Distutils-SIG at python.org > https://mail.python.org/mailman/listinfo/distutils-sig > Not directly related, but Galaxy is moving toward Conda as its tool dependency distribution system, so we are likely to converge efforts in other places as well. --nate [1] https://github.com/galaxyproject/galaxy/ [2] https://github.com/galaxyproject/starforge/ [3] https://github.com/natefoo/pip/tree/linux-wheels [4] https://bitbucket.org/natefoo/wheel -------------- next part -------------- An HTML attachment was scrubbed... URL: From p.f.moore at gmail.com Fri Jan 15 09:12:03 2016 From: p.f.moore at gmail.com (Paul Moore) Date: Fri, 15 Jan 2016 14:12:03 +0000 Subject: [Distutils] PEP 440 ad PEP 508 requirement formats Message-ID: Pip refers to PEP 440 when defining the format of a requirement (see https://pip.pypa.io/en/stable/reference/pip_install/#requirement-specifiers). But PEP 508 *also* defines a requirement - the title implies that it's for dependency specification, but the content of the PEP says "the language defined is a compact line based format which is already in widespread use in pip requirements files". So what's the relationship between PEP 440 and PEP 508? Which one is the definitive definition of what is a "requirement"? The "packaging" library implements specifiers which conform (according to the docs) to PEP 440. IMO, we're in danger of switching from having too few standards to having too many... Can someone clarify? Thanks, Paul From donald at stufft.io Fri Jan 15 09:14:29 2016 From: donald at stufft.io (Donald Stufft) Date: Fri, 15 Jan 2016 09:14:29 -0500 Subject: [Distutils] PEP 440 ad PEP 508 requirement formats In-Reply-To: References: Message-ID: <427EA1E6-2384-49A5-AE0B-64E7E0BA072D@stufft.io> > On Jan 15, 2016, at 9:12 AM, Paul Moore wrote: > > Pip refers to PEP 440 when defining the format of a requirement (see > https://pip.pypa.io/en/stable/reference/pip_install/#requirement-specifiers). > But PEP 508 *also* defines a requirement - the title implies that it's > for dependency specification, but the content of the PEP says "the > language defined is a compact line based format which is already in > widespread use in pip requirements files". > > So what's the relationship between PEP 440 and PEP 508? Which one is > the definitive definition of what is a "requirement"? The "packaging" > library implements specifiers which conform (according to the docs) to > PEP 440. > > IMO, we're in danger of switching from having too few standards to > having too many... > > Can someone clarify? > Thanks, > Paul > _______________________________________________ > Distutils-SIG maillist - Distutils-SIG at python.org > https://mail.python.org/mailman/listinfo/distutils-sig A PEP 508 requirement contains a PEP 440 specifier. E.g. something like `requests >= 1.0` is a PEP 508 requirement format, which contains a distribution name `requests` and a PEP 440 version specifier `>= 1.0`. ----------------- Donald Stufft PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 842 bytes Desc: Message signed with OpenPGP using GPGMail URL: From p.f.moore at gmail.com Fri Jan 15 09:23:10 2016 From: p.f.moore at gmail.com (Paul Moore) Date: Fri, 15 Jan 2016 14:23:10 +0000 Subject: [Distutils] PEP 440 ad PEP 508 requirement formats In-Reply-To: <427EA1E6-2384-49A5-AE0B-64E7E0BA072D@stufft.io> References: <427EA1E6-2384-49A5-AE0B-64E7E0BA072D@stufft.io> Message-ID: On 15 January 2016 at 14:14, Donald Stufft wrote: > A PEP 508 requirement contains a PEP 440 specifier. E.g. something like `requests >= 1.0` is a PEP 508 requirement format, which contains a distribution name `requests` and a PEP 440 version specifier `>= 1.0`. Cool. So should the documentation for pip install be updated to say that a requirement conforms to PEP 508 (minus the url_req part, which the PEP notes is not implemented by pip)? I'm working on a small doc update at the moment, so if that's right, I'll make that change too. Paul From donald at stufft.io Fri Jan 15 09:24:17 2016 From: donald at stufft.io (Donald Stufft) Date: Fri, 15 Jan 2016 09:24:17 -0500 Subject: [Distutils] PEP 440 ad PEP 508 requirement formats In-Reply-To: References: <427EA1E6-2384-49A5-AE0B-64E7E0BA072D@stufft.io> Message-ID: <299CCE46-3FB4-4011-A174-C21A58CD8538@stufft.io> > On Jan 15, 2016, at 9:23 AM, Paul Moore wrote: > > On 15 January 2016 at 14:14, Donald Stufft wrote: >> A PEP 508 requirement contains a PEP 440 specifier. E.g. something like `requests >= 1.0` is a PEP 508 requirement format, which contains a distribution name `requests` and a PEP 440 version specifier `>= 1.0`. > > Cool. So should the documentation for pip install be updated to say > that a requirement conforms to PEP 508 (minus the url_req part, which > the PEP notes is not implemented by pip)? I'm working on a small doc > update at the moment, so if that's right, I'll make that change too. > > Paul Yes, that?s correct. ----------------- Donald Stufft PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 842 bytes Desc: Message signed with OpenPGP using GPGMail URL: From ncoghlan at gmail.com Sat Jan 16 10:46:59 2016 From: ncoghlan at gmail.com (Nick Coghlan) Date: Sun, 17 Jan 2016 01:46:59 +1000 Subject: [Distutils] PEP 440 ad PEP 508 requirement formats In-Reply-To: References: Message-ID: On 16 January 2016 at 00:12, Paul Moore wrote: > Pip refers to PEP 440 when defining the format of a requirement (see > https://pip.pypa.io/en/stable/reference/pip_install/#requirement-specifiers). > But PEP 508 *also* defines a requirement - the title implies that it's > for dependency specification, but the content of the PEP says "the > language defined is a compact line based format which is already in > widespread use in pip requirements files". > > So what's the relationship between PEP 440 and PEP 508? Which one is > the definitive definition of what is a "requirement"? The "packaging" > library implements specifiers which conform (according to the docs) to > PEP 440. As Donald already noted, 508 is the higher level specification, that includes 440 by reference to cover the "version specifier" section of a full dependency specifier The key parts that 508 adds above and beyond 440 are: - package names (the current rules were previously only given in the 426 draft) - extras - environment markers The main benefit of keeping the two levels separate is that there's a *lot* of arcana in PEP 440 around version ordering and how that relates to version comparison operators that you don't really need to think about when working at the level of processing a list of dependency specifiers. Cheers, Nick. -- Nick Coghlan | ncoghlan at gmail.com | Brisbane, Australia From robertc at robertcollins.net Sat Jan 16 14:13:35 2016 From: robertc at robertcollins.net (Robert Collins) Date: Sun, 17 Jan 2016 08:13:35 +1300 Subject: [Distutils] PEP 440 ad PEP 508 requirement formats In-Reply-To: References:

Message-ID: Oh that reminds me, I noticed the other day that PEP 426 references James' draft markers PEP that actually ended up in 508. Whats the process for fixing that? Just do it in hg? On 17 January 2016 at 04:46, Nick Coghlan wrote: > On 16 January 2016 at 00:12, Paul Moore wrote: >> Pip refers to PEP 440 when defining the format of a requirement (see >> https://pip.pypa.io/en/stable/reference/pip_install/#requirement-specifiers). >> But PEP 508 *also* defines a requirement - the title implies that it's >> for dependency specification, but the content of the PEP says "the >> language defined is a compact line based format which is already in >> widespread use in pip requirements files". >> >> So what's the relationship between PEP 440 and PEP 508? Which one is >> the definitive definition of what is a "requirement"? The "packaging" >> library implements specifiers which conform (according to the docs) to >> PEP 440. > > As Donald already noted, 508 is the higher level specification, that > includes 440 by reference to cover the "version specifier" section of > a full dependency specifier > > The key parts that 508 adds above and beyond 440 are: > > - package names (the current rules were previously only given in the 426 draft) > - extras > - environment markers > > The main benefit of keeping the two levels separate is that there's a > *lot* of arcana in PEP 440 around version ordering and how that > relates to version comparison operators that you don't really need to > think about when working at the level of processing a list of > dependency specifiers. > > Cheers, > Nick. > > -- > Nick Coghlan | ncoghlan at gmail.com | Brisbane, Australia > _______________________________________________ > Distutils-SIG maillist - Distutils-SIG at python.org > https://mail.python.org/mailman/listinfo/distutils-sig -- Robert Collins Distinguished Technologist HP Converged Cloud From ncoghlan at gmail.com Sun Jan 17 01:16:39 2016 From: ncoghlan at gmail.com (Nick Coghlan) Date: Sun, 17 Jan 2016 16:16:39 +1000 Subject: [Distutils] PEP 440 ad PEP 508 requirement formats In-Reply-To: References:

Message-ID: On 17 January 2016 at 05:13, Robert Collins wrote: > Oh that reminds me, I noticed the other day that PEP 426 references > James' draft markers PEP that actually ended up in 508. Whats the > process for fixing that? Just do it in hg? It's probably better to fix https://github.com/pypa/interoperability-peps first, and then copy it over to hg. With 508 now accepted, it could be useful to strip the now redundant sections from 426 (I think it's only "extras" that currently goes beyond what 508 defines). In the vein of "PEP 426 will be done when we've run out of things to remove, rather than things to add", I've also been considering the semantic dependencies idea, and thinking it would be beneficial to move that out to a proposed extension, while reverting the baseline metadata to the well established "setup_requires" and "install_requires". Cheers, Nick. -- Nick Coghlan | ncoghlan at gmail.com | Brisbane, Australia From njs at pobox.com Wed Jan 20 22:55:12 2016 From: njs at pobox.com (Nathaniel Smith) Date: Wed, 20 Jan 2016 19:55:12 -0800 Subject: [Distutils] draft PEP: manylinux1 Message-ID: Hi all, Here's a first draft of a PEP for the manylinux1 platform tag mentioned earlier, posted for feedback. Really Robert McGibbon should get the main credit for this, since he wrote it, and also the docker image and the amazing auditwheel tool linked below, but he asked me to do the honors of posting it :-). BTW, if anyone wants to try this out, there are some test "manylinux1-compatible" wheels at https://vorpus.org/~njs/tmp/manylinux-test-wheels/repaired for PySide (i.e. Qt) and numpy (using openblas). They should be installable on any ordinary linux system with: pip install --no-index -f https://vorpus.org/~njs/tmp/manylinux-test-wheels/repaired $PKG (Note that this may require a reasonably up-to-date pip -- e.g. the one in Debian is too old, which confused me for a bit.) (How they were created: docker run -it quay.io/manylinux/manylinux bash; install conda because to get builds of Qt and OpenBLAS because I was too lazy to do it myself; pip wheel PySide / pip wheel numpy; auditwheel repair , which copies in all the dependencies to make the wheels self-contained. Just proof-of-concept for now, but they seem to work.) ---- PEP: XXXX Title: A Platform Tag for Portable Linux Built Distributions Version: $Revision$ Last-Modified: $Date$ Author: Robert T. McGibbon , Nathaniel J. Smith Status: Draft Type: Process Content-Type: text/x-rst Created: 19-Jan-2016 Post-History: 19-Jan-2016 Abstract ======== This PEP proposes the creation of a new platform tag for Python package built distributions, such as wheels, called ``manylinux1_{x86_64,i386}`` with external dependencies limited restricted to a standardized subset of the Linux kernel and core userspace ABI. It proposes that PyPI support uploading and distributing Wheels with this platform tag, and that ``pip`` support downloading and installing these packages on compatible platforms. Rationale ========= Currently, distribution of binary Python extensions for Windows and OS X is straightforward. Developers and packagers build wheels, which are assigned platform tags such as ``win32`` or ``macosx_10_6_intel``, and upload these wheels to PyPI. Users can download and install these wheels using tools such as ``pip``. For Linux, the situation is much more delicate. In general, compiled Python extension modules built on one Linux distribution will not work on other Linux distributions, or even on the same Linux distribution with different system libraries installed. Build tools using PEP 425 platform tags [1]_ do not track information about the particular Linux distribution or installed system libraries, and instead assign all wheels the too-vague ``linux_i386`` or ``linux_x86_64`` tags. Because of this ambiguity, there is no expectation that ``linux``-tagged built distributions compiled on one machine will work properly on another, and for this reason, PyPI has not permitted the uploading of wheels for Linux. It would be ideal if wheel packages could be compiled that would work on *any* linux system. But, because of the incredible diversity of Linux systems -- from PCs to Android to embedded systems with custom libcs -- this cannot be guaranteed in general. Instead, we define a standard subset of the kernel+core userspace ABI that, in practice, is compatible enough that packages conforming to this standard will work on *many* linux systems, including essentially all of the desktop and server distributions in common use. We know this because there are companies who have been distributing such widely-portable pre-compiled Python extension modules for Linux -- e.g. Enthought with Canopy [2]_ and Continuum Analytics with Anaconda [3]_. Building on the compability lessons learned from these companies, we thus define a baseline ``manylinux1`` platform tag for use by binary Python wheels, and introduce the implementation of preliminary tools to aid in the construction of these ``manylinux1`` wheels. Key Causes of Inter-Linux Binary Incompatibility ================================================ To properly define a standard that will guarantee that wheel packages meeting this specification will operate on *many* linux platforms, it is necessary to understand the root causes which often prevent portability of pre-compiled binaries on Linux. The two key causes are dependencies on shared libraries which are not present on users' systems, and dependencies on particular versions of certain core libraries like ``glibc``. External Shared Libraries ------------------------- Most desktop and server linux distributions come with a system package manager (examples include ``APT`` on Debian-based systems, ``yum`` on ``RPM``-based systems, and ``pacman`` on Arch linux) that manages, among other responsibilities, the installation of shared libraries installed to system directories such as ``/usr/lib``. Most non-trivial Python extensions will depend on one or more of these shared libraries, and thus function properly only on systems where the user has the proper libraries (and the proper versions thereof), either installed using their package manager, or installed manually by setting certain environment variables such as ``LD_LIBRARY_PATH`` to notify the runtime linker of the location of the depended-upon shared libraries. Versioning of Core Shared Libraries ----------------------------------- Even if author or maintainers of a Python extension module with to use no external shared libraries, the modules will generally have a dynamic runtime dependency on the GNU C library, ``glibc``. While it is possible, statically linking ``glibc`` is usually a bad idea because of bloat, and because certain important C functions like ``dlopen()`` cannot be called from code that statically links ``glibc``. A runtime shared library dependency on a system-provided ``glibc`` is unavoidable in practice. The maintainers of the GNU C library follow a strict symbol versioning scheme for backward compatibility. This ensures that binaries compiled against an older version of ``glibc`` can run on systems that have a newer ``glibc``. The opposite is generally not true -- binaries compiled on newer Linux distributions tend to rely upon versioned functions in glibc that are not available on older systems. This generally prevents built distributions compiled on the latest Linux distributions from being portable. The ``manylinux1`` policy ========================= For these reasons, to achieve broad portability, Python wheels * should depend only on an extremely limited set of external shared libraries; and * should depend only on ``old`` symbol versions in those external shared libraries. The ``manylinux1`` policy thus encompasses a standard for what the permitted external shared libraries a wheel may depend on, and the maximum depended-upon symbol versions therein. The permitted external shared libraries are: :: libpanelw.so.5 libncursesw.so.5 libgcc_s.so.1 libstdc++.so.6 libm.so.6 libdl.so.2 librt.so.1 libcrypt.so.1 libc.so.6 libnsl.so.1 libutil.so.1 libpthread.so.0 libX11.so.6 libXext.so.6 libXrender.so.1 libICE.so.6 libSM.so.6 libGL.so.1 libgobject-2.0.so.0 libgthread-2.0.so.0 libglib-2.0.so.0 On Debian-based systems, these libraries are provided by the packages :: libncurses5 libgcc1 libstdc++6 libc6 libx11-6 libxext6 libxrender1 libice6 libsm6 libgl1-mesa-glx libglib2.0-0 On RPM-based systems, these libraries are provided by the packages :: ncurses libgcc libstdc++ glibc libXext libXrender libICE libSM mesa-libGL glib2 This list was compiled by checking the external shared library dependencies of the Canopy [1]_ and Anaconda [2]_ distributions, which both include a wide array of the most popular Python modules and have been confirmed in practice to work across a wide swath of Linux systems in the wild. For dependencies on externally-provided versioned symbols in the above shared libraries, the following symbol versions are permitted: :: GLIBC <= 2.5 CXXABI <= 3.4.8 GLIBCXX <= 3.4.9 GCC <= 4.2.0 These symbol versions were determined by inspecting the latest symbol version provided in the libraries distributed with CentOS 5, a Linux distribution released in April 2007. In practice, this means that Python wheels which conform to this policy should function on almost any linux distribution released after this date. Compilation and Tooling ======================= To support the compilation of wheels meeting the ``manylinux1`` standard, we provide initial drafts of two tools. The first is a Docker image based on CentOS 5.11, which is recommended as an easy to use self-contained build box for compiling ``manylinux1`` wheels [4]_. Compiling on a more recently-released linux distribution will generally introduce dependencies on too-new versioned symbols. The image comes with a full compiler suite installed (``gcc``, ``g++``, and ``gfortran`` 4.8.2) as well as the latest releases of Python and pip. The second tool is a command line executable called ``auditwheel`` [5]_. First, it inspects all of the ELF files inside a wheel to check for dependencies on versioned symbols or external shared libraries, and verifies conformance with the ``manylinux1`` policy. This includes the ability to add the new platform tag to conforming wheels. In addition, ``auditwheel`` has the ability to automatically modify wheels that depend on external shared libraries by copying those shared libraries from the system into the wheel itself, and modifying the appropriate RPATH entries such that these libraries will be picked up at runtime. This accomplishes a similar result as if the libraries had been statically linked without requiring changes to the build system. Neither of these tools are necessary to build wheels which conform with the ``manylinux1`` policy. Similar results can usually be achieved by statically linking external dependencies and/or using certain inline assembly constructs to instruct the linker to prefer older symbol versions, however these tricks can be quite esoteric. Platform Detection for Installers ================================= Because the ``manylinux1`` profile is already known to work for the many thousands of users of popular commercial Python distributions, we suggest that installation tools like ``pip`` should error on the side of assuming that a system *is* compatible, unless there is specific reason to think otherwise. We know of three main sources of potential incompatibility that are likely to arise in practice: * A linux distribution that is too old (e.g. RHEL 4) * A linux distribution that does not use glibc (e.g. Alpine Linux, which is based on musl libc, or Android) * Eventually, in the future, there may exist distributions that break compatibility with this profile To handle the first two cases, we propose the following simple and reliable check: :: def have_glibc_version(major, minimum_minor): import ctypes process_namespace = ctypes.CDLL(None) try: gnu_get_libc_version = process_namespace.gnu_get_libc_version except AttributeError: # We are not linked to glibc. return False gnu_get_libc_version.restype = ctypes.c_char_p version_str = gnu_get_libc_version() # py2 / py3 compatibility: if not isinstance(version_str, str): version_str = version_str.decode("ascii") version = [int(piece) for piece in version_str.split(".")] assert len(version) == 2 if major != version[0]: return False if minimum_minor > version[1]: return False return True # CentOS 5 uses glibc 2.5. is_manylinux1_compatible = have_glibc_version(2, 5) To handle the third case, we propose the creation of a file ``/etc/python/compatibility.cfg`` in ConfigParser format, with sample contents: :: [manylinux1] compatible = true where the supported values for the ``manylinux1.compatible`` entry are the same as those supported by the ConfigParser ``getboolean`` method. The proposed logic for ``pip`` or related tools, then, is: 0) If ``distutils.util.get_platform()`` does not start with the string ``"linux"``, then assume the current system is not ``manylinux1`` compatible. 1) If ``/etc/python/compatibility.conf`` exists and contains a ``manylinux1`` key, then trust that. 2) Otherwise, if ``have_glibc_version(2, 5)`` returns true, then assume the current system can handle ``manylinux1`` wheels. 3) Otherwise, assume that the current system cannot handle ``manylinux1`` wheels. Security Implications ===================== One of the advantages of dependencies on centralized libraries in Linux is that bugfixes and security updates can be deployed system-wide, and applications which depend on on these libraries will automatically feel the effects of these patches when the underlying libraries are updated. This can be particularly important for security updates in packages communication across the network or cryptography. ``manylinux1`` wheels distributed through PyPI that bundle security-critical libraries like OpenSSL will thus assume responsibility for prompt updates in response disclosed vulnerabilities and patches. This closely parallels the security implications of the distribution of binary wheels on Windows that, because the platform lacks a system package manager, generally bundle their dependencies. In particular, because its lacks a stable ABI, OpenSSL cannot be included in the ``manylinux1`` profile. Rejected Alternatives ===================== One alternative would be to provide separate platform tags for each Linux distribution (and each version thereof), e.g. ``RHEL6``, ``ubuntu14_10``, ``debian_jessie``, etc. Nothing in this proposal rules out the possibility of adding such platform tags in the future, or of further extensions to wheel metadata that would allow wheels to declare dependencies on external system-installed packages. However, such extensions would require substantially more work than this proposal, and still might not be appreciated by package developers who would prefer not to have to maintain multiple build environments and build multiple wheels in order to cover all the common Linux distributions. Therefore we consider such proposals to be out-of-scope for this PEP. References ========== .. [1] PEP 425 -- Compatibility Tags for Built Distributions (https://www.python.org/dev/peps/pep-0425/) .. [2] Enthought Canopy Python Distribution (https://store.enthought.com/downloads/) .. [3] Continuum Analytics Anaconda Python Distribution (https://www.continuum.io/downloads) .. [4] manylinux1 docker image (https://quay.io/repository/manylinux/manylinux) .. [5] auditwheel (https://pypi.python.org/pypi/auditwheel) Copyright ========= This document has been placed into the public domain. .. Local Variables: mode: indented-text indent-tabs-mode: nil sentence-end-double-space: t fill-column: 70 coding: utf-8 End: -- Nathaniel J. Smith -- https://vorpus.org From randy at thesyrings.us Wed Jan 20 23:02:55 2016 From: randy at thesyrings.us (Randy Syring) Date: Wed, 20 Jan 2016 23:02:55 -0500 Subject: [Distutils] draft PEP: manylinux1 In-Reply-To: References: Message-ID: <56A0586F.9000206@thesyrings.us> FWIW, really excited to be seeing progress on this! *Randy Syring* Husband | Father | Redeemed Sinner /"For what does it profit a man to gain the whole world and forfeit his soul?" (Mark 8:36 ESV)/ On 01/20/2016 10:55 PM, Nathaniel Smith wrote: > Hi all, > > Here's a first draft of a PEP for the manylinux1 platform tag > mentioned earlier, posted for feedback. Really Robert McGibbon should > get the main credit for this, since he wrote it, and also the docker > image and the amazing auditwheel tool linked below, but he asked me to > do the honors of posting it :-). > > BTW, if anyone wants to try this out, there are some test > "manylinux1-compatible" wheels at > https://vorpus.org/~njs/tmp/manylinux-test-wheels/repaired > for PySide (i.e. Qt) and numpy (using openblas). They should be > installable on any ordinary linux system with: > pip install --no-index -f > https://vorpus.org/~njs/tmp/manylinux-test-wheels/repaired $PKG > (Note that this may require a reasonably up-to-date pip -- e.g. the > one in Debian is too old, which confused me for a bit.) > > (How they were created: docker run -it quay.io/manylinux/manylinux > bash; install conda because to get builds of Qt and OpenBLAS because I > was too lazy to do it myself; pip wheel PySide / pip wheel numpy; > auditwheel repair , which copies in all the > dependencies to make the wheels self-contained. Just proof-of-concept > for now, but they seem to work.) > > ---- > > PEP: XXXX > Title: A Platform Tag for Portable Linux Built Distributions > Version: $Revision$ > Last-Modified: $Date$ > Author: Robert T. McGibbon , Nathaniel J. Smith > > Status: Draft > Type: Process > Content-Type: text/x-rst > Created: 19-Jan-2016 > Post-History: 19-Jan-2016 > > > Abstract > ======== > > This PEP proposes the creation of a new platform tag for Python package built > distributions, such as wheels, called ``manylinux1_{x86_64,i386}`` with > external dependencies limited restricted to a standardized subset of > the Linux kernel and core userspace ABI. It proposes that PyPI support > uploading and distributing Wheels with this platform tag, and that ``pip`` > support downloading and installing these packages on compatible platforms. > > > Rationale > ========= > > Currently, distribution of binary Python extensions for Windows and OS X is > straightforward. Developers and packagers build wheels, which are assigned > platform tags such as ``win32`` or ``macosx_10_6_intel``, and upload these > wheels to PyPI. Users can download and install these wheels using tools such > as ``pip``. > > For Linux, the situation is much more delicate. In general, compiled Python > extension modules built on one Linux distribution will not work on other Linux > distributions, or even on the same Linux distribution with different system > libraries installed. > > Build tools using PEP 425 platform tags [1]_ do not track information about the > particular Linux distribution or installed system libraries, and instead assign > all wheels the too-vague ``linux_i386`` or ``linux_x86_64`` tags. Because of > this ambiguity, there is no expectation that ``linux``-tagged built > distributions compiled on one machine will work properly on another, and for > this reason, PyPI has not permitted the uploading of wheels for Linux. > > It would be ideal if wheel packages could be compiled that would work on *any* > linux system. But, because of the incredible diversity of Linux systems -- from > PCs to Android to embedded systems with custom libcs -- this cannot > be guaranteed in general. > > Instead, we define a standard subset of the kernel+core userspace ABI that, > in practice, is compatible enough that packages conforming to this standard > will work on *many* linux systems, including essentially all of the desktop > and server distributions in common use. We know this because there are > companies who have been distributing such widely-portable pre-compiled Python > extension modules for Linux -- e.g. Enthought with Canopy [2]_ and Continuum > Analytics with Anaconda [3]_. > > Building on the compability lessons learned from these companies, we thus > define a baseline ``manylinux1`` platform tag for use by binary Python > wheels, and introduce the implementation of preliminary tools to aid in the > construction of these ``manylinux1`` wheels. > > > Key Causes of Inter-Linux Binary Incompatibility > ================================================ > > To properly define a standard that will guarantee that wheel packages meeting > this specification will operate on *many* linux platforms, it is necessary to > understand the root causes which often prevent portability of pre-compiled > binaries on Linux. The two key causes are dependencies on shared libraries > which are not present on users' systems, and dependencies on particular > versions of certain core libraries like ``glibc``. > > > External Shared Libraries > ------------------------- > > Most desktop and server linux distributions come with a system package manager > (examples include ``APT`` on Debian-based systems, ``yum`` on > ``RPM``-based systems, and ``pacman`` on Arch linux) that manages, among other > responsibilities, the installation of shared libraries installed to system > directories such as ``/usr/lib``. Most non-trivial Python extensions will depend > on one or more of these shared libraries, and thus function properly only on > systems where the user has the proper libraries (and the proper > versions thereof), either installed using their package manager, or installed > manually by setting certain environment variables such as ``LD_LIBRARY_PATH`` > to notify the runtime linker of the location of the depended-upon shared > libraries. > > > Versioning of Core Shared Libraries > ----------------------------------- > > Even if author or maintainers of a Python extension module with to use no > external shared libraries, the modules will generally have a dynamic runtime > dependency on the GNU C library, ``glibc``. While it is possible, statically > linking ``glibc`` is usually a bad idea because of bloat, and because certain > important C functions like ``dlopen()`` cannot be called from code that > statically links ``glibc``. A runtime shared library dependency on a > system-provided ``glibc`` is unavoidable in practice. > > The maintainers of the GNU C library follow a strict symbol versioning scheme > for backward compatibility. This ensures that binaries compiled against an older > version of ``glibc`` can run on systems that have a newer ``glibc``. The > opposite is generally not true -- binaries compiled on newer Linux > distributions tend to rely upon versioned functions in glibc that are not > available on older systems. > > This generally prevents built distributions compiled on the latest Linux > distributions from being portable. > > > The ``manylinux1`` policy > ========================= > > For these reasons, to achieve broad portability, Python wheels > > * should depend only on an extremely limited set of external shared > libraries; and > * should depend only on ``old`` symbol versions in those external shared > libraries. > > The ``manylinux1`` policy thus encompasses a standard for what the > permitted external shared libraries a wheel may depend on, and the maximum > depended-upon symbol versions therein. > > The permitted external shared libraries are: :: > > libpanelw.so.5 > libncursesw.so.5 > libgcc_s.so.1 > libstdc++.so.6 > libm.so.6 > libdl.so.2 > librt.so.1 > libcrypt.so.1 > libc.so.6 > libnsl.so.1 > libutil.so.1 > libpthread.so.0 > libX11.so.6 > libXext.so.6 > libXrender.so.1 > libICE.so.6 > libSM.so.6 > libGL.so.1 > libgobject-2.0.so.0 > libgthread-2.0.so.0 > libglib-2.0.so.0 > > On Debian-based systems, these libraries are provided by the packages :: > > libncurses5 libgcc1 libstdc++6 libc6 libx11-6 libxext6 > libxrender1 libice6 libsm6 libgl1-mesa-glx libglib2.0-0 > > On RPM-based systems, these libraries are provided by the packages :: > > ncurses libgcc libstdc++ glibc libXext libXrender > libICE libSM mesa-libGL glib2 > > This list was compiled by checking the external shared library dependencies of > the Canopy [1]_ and Anaconda [2]_ distributions, which both include a wide array > of the most popular Python modules and have been confirmed in practice to work > across a wide swath of Linux systems in the wild. > > For dependencies on externally-provided versioned symbols in the above shared > libraries, the following symbol versions are permitted: :: > > GLIBC <= 2.5 > CXXABI <= 3.4.8 > GLIBCXX <= 3.4.9 > GCC <= 4.2.0 > > These symbol versions were determined by inspecting the latest symbol version > provided in the libraries distributed with CentOS 5, a Linux distribution > released in April 2007. In practice, this means that Python wheels which conform > to this policy should function on almost any linux distribution released after > this date. > > > Compilation and Tooling > ======================= > > To support the compilation of wheels meeting the ``manylinux1`` standard, we > provide initial drafts of two tools. > > The first is a Docker image based on CentOS 5.11, which is recommended as an > easy to use self-contained build box for compiling ``manylinux1`` wheels [4]_. > Compiling on a more recently-released linux distribution will generally > introduce dependencies on too-new versioned symbols. The image comes with a > full compiler suite installed (``gcc``, ``g++``, and ``gfortran`` 4.8.2) as > well as the latest releases of Python and pip. > > The second tool is a command line executable called ``auditwheel`` [5]_. First, > it inspects all of the ELF files inside a wheel to check for dependencies on > versioned symbols or external shared libraries, and verifies conformance with > the ``manylinux1`` policy. This includes the ability to add the new platform > tag to conforming wheels. > > In addition, ``auditwheel`` has the ability to automatically modify wheels that > depend on external shared libraries by copying those shared libraries from > the system into the wheel itself, and modifying the appropriate RPATH entries > such that these libraries will be picked up at runtime. This accomplishes a > similar result as if the libraries had been statically linked without requiring > changes to the build system. > > Neither of these tools are necessary to build wheels which conform with the > ``manylinux1`` policy. Similar results can usually be achieved by statically > linking external dependencies and/or using certain inline assembly constructs > to instruct the linker to prefer older symbol versions, however these tricks > can be quite esoteric. > > > Platform Detection for Installers > ================================= > > Because the ``manylinux1`` profile is already known to work for the many > thousands of users of popular commercial Python distributions, we suggest that > installation tools like ``pip`` should error on the side of assuming that a > system *is* compatible, unless there is specific reason to think otherwise. > > We know of three main sources of potential incompatibility that are likely to > arise in practice: > > * A linux distribution that is too old (e.g. RHEL 4) > * A linux distribution that does not use glibc (e.g. Alpine Linux, which is > based on musl libc, or Android) > * Eventually, in the future, there may exist distributions that break > compatibility with this profile > > To handle the first two cases, we propose the following simple and reliable > check: :: > > def have_glibc_version(major, minimum_minor): > import ctypes > > process_namespace = ctypes.CDLL(None) > try: > gnu_get_libc_version = process_namespace.gnu_get_libc_version > except AttributeError: > # We are not linked to glibc. > return False > > gnu_get_libc_version.restype = ctypes.c_char_p > version_str = gnu_get_libc_version() > # py2 / py3 compatibility: > if not isinstance(version_str, str): > version_str = version_str.decode("ascii") > > version = [int(piece) for piece in version_str.split(".")] > assert len(version) == 2 > if major != version[0]: > return False > if minimum_minor > version[1]: > return False > return True > > # CentOS 5 uses glibc 2.5. > is_manylinux1_compatible = have_glibc_version(2, 5) > > To handle the third case, we propose the creation of a file > ``/etc/python/compatibility.cfg`` in ConfigParser format, with sample > contents: :: > > [manylinux1] > compatible = true > > where the supported values for the ``manylinux1.compatible`` entry are the > same as those supported by the ConfigParser ``getboolean`` method. > > The proposed logic for ``pip`` or related tools, then, is: > > 0) If ``distutils.util.get_platform()`` does not start with the string > ``"linux"``, then assume the current system is not ``manylinux1`` > compatible. > 1) If ``/etc/python/compatibility.conf`` exists and contains a ``manylinux1`` > key, then trust that. > 2) Otherwise, if ``have_glibc_version(2, 5)`` returns true, then assume the > current system can handle ``manylinux1`` wheels. > 3) Otherwise, assume that the current system cannot handle ``manylinux1`` > wheels. > > > Security Implications > ===================== > > One of the advantages of dependencies on centralized libraries in Linux is > that bugfixes and security updates can be deployed system-wide, and > applications which depend on on these libraries will automatically feel the > effects of these patches when the underlying libraries are updated. This can > be particularly important for security updates in packages communication > across the network or cryptography. > > ``manylinux1`` wheels distributed through PyPI that bundle security-critical > libraries like OpenSSL will thus assume responsibility for prompt updates in > response disclosed vulnerabilities and patches. This closely parallels the > security implications of the distribution of binary wheels on Windows that, > because the platform lacks a system package manager, generally bundle their > dependencies. In particular, because its lacks a stable ABI, OpenSSL cannot be > included in the ``manylinux1`` profile. > > > Rejected Alternatives > ===================== > > One alternative would be to provide separate platform tags for each Linux > distribution (and each version thereof), e.g. ``RHEL6``, ``ubuntu14_10``, > ``debian_jessie``, etc. Nothing in this proposal rules out the possibility of > adding such platform tags in the future, or of further extensions to wheel > metadata that would allow wheels to declare dependencies on external > system-installed packages. However, such extensions would require substantially > more work than this proposal, and still might not be appreciated by package > developers who would prefer not to have to maintain multiple build environments > and build multiple wheels in order to cover all the common Linux distributions. > Therefore we consider such proposals to be out-of-scope for this PEP. > > > References > ========== > > .. [1] PEP 425 -- Compatibility Tags for Built Distributions > (https://www.python.org/dev/peps/pep-0425/) > .. [2] Enthought Canopy Python Distribution > (https://store.enthought.com/downloads/) > .. [3] Continuum Analytics Anaconda Python Distribution > (https://www.continuum.io/downloads) > .. [4] manylinux1 docker image > (https://quay.io/repository/manylinux/manylinux) > .. [5] auditwheel > (https://pypi.python.org/pypi/auditwheel) > > Copyright > ========= > > This document has been placed into the public domain. > > .. > > Local Variables: > mode: indented-text > indent-tabs-mode: nil > sentence-end-double-space: t > fill-column: 70 > coding: utf-8 > End: > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From ncoghlan at gmail.com Thu Jan 21 01:17:04 2016 From: ncoghlan at gmail.com (Nick Coghlan) Date: Thu, 21 Jan 2016 16:17:04 +1000 Subject: [Distutils] draft PEP: manylinux1 In-Reply-To: References: Message-ID: On 21 January 2016 at 13:55, Nathaniel Smith wrote: > Hi all, > > Here's a first draft of a PEP for the manylinux1 platform tag > mentioned earlier, posted for feedback. Really Robert McGibbon should > get the main credit for this, since he wrote it, and also the docker > image and the amazing auditwheel tool linked below, but he asked me to > do the honors of posting it :-). Very nice! Do you have a link to the text file version of that? I can assign it a number and add it to the PEPs repo. Cheers, Nick. -- Nick Coghlan | ncoghlan at gmail.com | Brisbane, Australia From rmcgibbo at gmail.com Thu Jan 21 01:39:31 2016 From: rmcgibbo at gmail.com (Robert McGibbon) Date: Wed, 20 Jan 2016 22:39:31 -0800 Subject: [Distutils] draft PEP: manylinux1 In-Reply-To: References: Message-ID: Hi Nick, The text version is here: https://raw.githubusercontent.com/manylinux/manylinux/master/pep-XXXX.rst -Robert On Wed, Jan 20, 2016 at 10:17 PM, Nick Coghlan wrote: > On 21 January 2016 at 13:55, Nathaniel Smith wrote: > > Hi all, > > > > Here's a first draft of a PEP for the manylinux1 platform tag > > mentioned earlier, posted for feedback. Really Robert McGibbon should > > get the main credit for this, since he wrote it, and also the docker > > image and the amazing auditwheel tool linked below, but he asked me to > > do the honors of posting it :-). > > Very nice! > > Do you have a link to the text file version of that? I can assign it a > number and add it to the PEPs repo. > > Cheers, > Nick. > > -- > Nick Coghlan | ncoghlan at gmail.com | Brisbane, Australia > _______________________________________________ > Distutils-SIG maillist - Distutils-SIG at python.org > https://mail.python.org/mailman/listinfo/distutils-sig > -------------- next part -------------- An HTML attachment was scrubbed... URL: From ncoghlan at gmail.com Thu Jan 21 01:50:43 2016 From: ncoghlan at gmail.com (Nick Coghlan) Date: Thu, 21 Jan 2016 16:50:43 +1000 Subject: [Distutils] draft PEP: manylinux1 In-Reply-To: References: Message-ID: On 21 January 2016 at 16:39, Robert McGibbon wrote: > Hi Nick, > > The text version is here: > https://raw.githubusercontent.com/manylinux/manylinux/master/pep-XXXX.rst Thanks - this is now PEP 513: https://www.python.org/dev/peps/pep-0513/ (404 response caching on the site is being its usual annoying self, but that will sort itself out before too long) In addition to assigning the PEP number, I also set the BDFL-Delegate field (to me), fixed the PEP type (Process -> Informational) and set the Discussions-To header (distutils-sig), so if you could copy those changes back into your working copy, that would be great. In terms of the content, it all looks reasonable to me personally, but we'll wait and see what everyone else has to say (especially the PyPI and pip developers). Cheers, Nick. -- Nick Coghlan | ncoghlan at gmail.com | Brisbane, Australia From ncoghlan at gmail.com Thu Jan 21 01:51:38 2016 From: ncoghlan at gmail.com (Nick Coghlan) Date: Thu, 21 Jan 2016 16:51:38 +1000 Subject: [Distutils] draft PEP: manylinux1 In-Reply-To: References: Message-ID: On 21 January 2016 at 16:50, Nick Coghlan wrote: > On 21 January 2016 at 16:39, Robert McGibbon wrote: >> Hi Nick, >> >> The text version is here: >> https://raw.githubusercontent.com/manylinux/manylinux/master/pep-XXXX.rst > > Thanks - this is now PEP 513: > https://www.python.org/dev/peps/pep-0513/ (404 response caching on the > site is being its usual annoying self, but that will sort itself out > before too long) Apparently this is the "between writing that and hitting send" variant of "before too long" :) Cheers, Nick. -- Nick Coghlan | ncoghlan at gmail.com | Brisbane, Australia From mal at egenix.com Thu Jan 21 04:03:27 2016 From: mal at egenix.com (M.-A. Lemburg) Date: Thu, 21 Jan 2016 10:03:27 +0100 Subject: [Distutils] draft PEP: manylinux1 In-Reply-To: References: Message-ID: <56A09EDF.3000500@egenix.com> Robert McGibbon: Thanks for writing up this PEP :-) Some comments below... On 21.01.2016 04:55, Nathaniel Smith wrote: > The ``manylinux1`` policy > ========================= > > For these reasons, to achieve broad portability, Python wheels > > * should depend only on an extremely limited set of external shared > libraries; and > * should depend only on ``old`` symbol versions in those external shared > libraries. > > The ``manylinux1`` policy thus encompasses a standard for what the > permitted external shared libraries a wheel may depend on, and the maximum > depended-upon symbol versions therein. > > The permitted external shared libraries are: :: > > libpanelw.so.5 > libncursesw.so.5 > libgcc_s.so.1 > libstdc++.so.6 > libm.so.6 > libdl.so.2 > librt.so.1 > libcrypt.so.1 > libc.so.6 > libnsl.so.1 > libutil.so.1 > libpthread.so.0 > libX11.so.6 > libXext.so.6 > libXrender.so.1 > libICE.so.6 > libSM.so.6 > libGL.so.1 > libgobject-2.0.so.0 > libgthread-2.0.so.0 > libglib-2.0.so.0 The list is good start, but limiting the possible external references to only these libraries will make it impossible to have manylinux1 wheels which link against other, similarly old, but very common libraries, or alternatively rather new ones, which are then optionally included via subpackage instead of being mandatory. At eGenix we have been tackling this problem for years with our extensions and the approach that's been the most successful was to simply use Linux build systems which are at least 5 years old. In our case, that's openSUSE 11.3. I think a better approach is to use the above list to test for used library *versions* and then apply the tag based on the findings. If a package includes binaries which link to e.g. later libc.so versions, it would be rejected. If it includes other libraries not listed in the above listing, that's fine, as long as these libraries also comply to the version limitation. What I'm getting at here is that incompatibilities are not caused by libraries being absent on the system (the package simply won't load, but that's not due to the the package being incompatible to the platform, only due to the system lacking a few packages), but instead by having the packages use more recent versions of these system libraries. > Compilation and Tooling > ======================= > > To support the compilation of wheels meeting the ``manylinux1`` standard, we > provide initial drafts of two tools. > > The first is a Docker image based on CentOS 5.11, which is recommended as an > easy to use self-contained build box for compiling ``manylinux1`` wheels [4]_. > Compiling on a more recently-released linux distribution will generally > introduce dependencies on too-new versioned symbols. The image comes with a > full compiler suite installed (``gcc``, ``g++``, and ``gfortran`` 4.8.2) as > well as the latest releases of Python and pip. > > The second tool is a command line executable called ``auditwheel`` [5]_. First, > it inspects all of the ELF files inside a wheel to check for dependencies on > versioned symbols or external shared libraries, and verifies conformance with > the ``manylinux1`` policy. This includes the ability to add the new platform > tag to conforming wheels. > > In addition, ``auditwheel`` has the ability to automatically modify wheels that > depend on external shared libraries by copying those shared libraries from > the system into the wheel itself, and modifying the appropriate RPATH entries > such that these libraries will be picked up at runtime. This accomplishes a > similar result as if the libraries had been statically linked without requiring > changes to the build system. This approach has a few problems: * Libraries typically depend on a lot more context than just the code that is provided in the libraries file, e.g. config files, external resources, other libraries which are loaded on demand, etc. * By including the libraries in the wheel you are distributing the binary, which can lead to licensing problems, esp. with GPLed or LGPLed code. > Neither of these tools are necessary to build wheels which conform with the > ``manylinux1`` policy. Similar results can usually be achieved by statically > linking external dependencies and/or using certain inline assembly constructs > to instruct the linker to prefer older symbol versions, however these tricks > can be quite esoteric. Static linking only helps in very few cases, where the context needed for the external library to work is minimal. > Platform Detection for Installers > ================================= > > Because the ``manylinux1`` profile is already known to work for the many > thousands of users of popular commercial Python distributions, we suggest that > installation tools like ``pip`` should error on the side of assuming that a > system *is* compatible, unless there is specific reason to think otherwise. > > We know of three main sources of potential incompatibility that are likely to > arise in practice: > > * A linux distribution that is too old (e.g. RHEL 4) > * A linux distribution that does not use glibc (e.g. Alpine Linux, which is > based on musl libc, or Android) > * Eventually, in the future, there may exist distributions that break > compatibility with this profile > > To handle the first two cases, we propose the following simple and reliable > check: :: > def have_glibc_version(major, minimum_minor): > [...] It would be better to use platform.libc_ver() for this. > ``manylinux1`` wheels distributed through PyPI that bundle security-critical > libraries like OpenSSL will thus assume responsibility for prompt updates in > response disclosed vulnerabilities and patches. This closely parallels the > security implications of the distribution of binary wheels on Windows that, > because the platform lacks a system package manager, generally bundle their > dependencies. In particular, because its lacks a stable ABI, OpenSSL cannot be > included in the ``manylinux1`` profile. The OpenSSL ABI has been quite stable in recent years (unlike in the days of 0.9.7 and earlier). Since many libraries do link against OpenSSL (basically everything that uses network connections nowadays), using the fixed scheme outlined in the PEP would severely limited the usefulness. By using the version based approach, we'd not run into this problem and gain a lot more. -- Marc-Andre Lemburg eGenix.com Professional Python Services directly from the Experts (#1, Jan 21 2016) >>> Python Projects, Coaching and Consulting ... http://www.egenix.com/ >>> Python Database Interfaces ... http://products.egenix.com/ >>> Plone/Zope Database Interfaces ... http://zope.egenix.com/ ________________________________________________________________________ ::: We implement business ideas - efficiently in both time and costs ::: eGenix.com Software, Skills and Services GmbH Pastor-Loeh-Str.48 D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg Registered at Amtsgericht Duesseldorf: HRB 46611 http://www.egenix.com/company/contact/ http://www.malemburg.com/ From rmcgibbo at gmail.com Thu Jan 21 04:27:09 2016 From: rmcgibbo at gmail.com (Robert McGibbon) Date: Thu, 21 Jan 2016 01:27:09 -0800 Subject: [Distutils] draft PEP: manylinux1 In-Reply-To: <56A09EDF.3000500@egenix.com> References: <56A09EDF.3000500@egenix.com> Message-ID: After I posted the PEP link on social media, a friend of mine, Kyle Beauchamp, asked: "I wonder if there are speed and correctness implications to always reverting to the lowest common denominator of glibc." For speed, I believe there is some consequence, in that the maximum gcc version you can realistically use with glibc <= 2.5 is gcc 4.8.2, which is presumably somewhat (although not much) slower than the latest gcc release. As to correctness, it seems like a reasonable concern, and I don't know one way or the other. I thought maybe someone on the list would know. There are also potential compatibility issues in wheels that use certain instruction set extensions (SSE 4, AVX, etc) that might not be available on certain platforms. I think policies on this issue are better left up to individual packages than set at a PEP-wide level, but it also may be worth talking about. -Robert On Thu, Jan 21, 2016 at 1:03 AM, M.-A. Lemburg wrote: > > Robert McGibbon: Thanks for writing up this PEP :-) > > Some comments below... > > On 21.01.2016 04:55, Nathaniel Smith wrote: > > The ``manylinux1`` policy > > ========================= > > > > For these reasons, to achieve broad portability, Python wheels > > > > * should depend only on an extremely limited set of external shared > > libraries; and > > * should depend only on ``old`` symbol versions in those external shared > > libraries. > > > > The ``manylinux1`` policy thus encompasses a standard for what the > > permitted external shared libraries a wheel may depend on, and the > maximum > > depended-upon symbol versions therein. > > > > The permitted external shared libraries are: :: > > > > libpanelw.so.5 > > libncursesw.so.5 > > libgcc_s.so.1 > > libstdc++.so.6 > > libm.so.6 > > libdl.so.2 > > librt.so.1 > > libcrypt.so.1 > > libc.so.6 > > libnsl.so.1 > > libutil.so.1 > > libpthread.so.0 > > libX11.so.6 > > libXext.so.6 > > libXrender.so.1 > > libICE.so.6 > > libSM.so.6 > > libGL.so.1 > > libgobject-2.0.so.0 > > libgthread-2.0.so.0 > > libglib-2.0.so.0 > > The list is good start, but limiting the possible external > references to only these libraries will make it impossible > to have manylinux1 wheels which link against other, similarly > old, but very common libraries, or alternatively rather > new ones, which are then optionally included via subpackage > instead of being mandatory. > > At eGenix we have been tackling this problem for years with > our extensions and the approach that's been the most > successful was to simply use Linux build systems which > are at least 5 years old. In our case, that's openSUSE 11.3. > > I think a better approach is to use the above list to > test for used library *versions* and then apply the tag > based on the findings. > > If a package includes binaries which link to e.g. > later libc.so versions, it would be rejected. If it > includes other libraries not listed in the above listing, > that's fine, as long as these libraries also comply to > the version limitation. > > What I'm getting at here is that incompatibilities are > not caused by libraries being absent on the system > (the package simply won't load, but that's not due to the > the package being incompatible to the platform, only due > to the system lacking a few packages), but instead by > having the packages use more recent versions of these > system libraries. > > > Compilation and Tooling > > ======================= > > > > To support the compilation of wheels meeting the ``manylinux1`` > standard, we > > provide initial drafts of two tools. > > > > The first is a Docker image based on CentOS 5.11, which is recommended > as an > > easy to use self-contained build box for compiling ``manylinux1`` wheels > [4]_. > > Compiling on a more recently-released linux distribution will generally > > introduce dependencies on too-new versioned symbols. The image comes > with a > > full compiler suite installed (``gcc``, ``g++``, and ``gfortran`` 4.8.2) > as > > well as the latest releases of Python and pip. > > > > The second tool is a command line executable called ``auditwheel`` [5]_. > First, > > it inspects all of the ELF files inside a wheel to check for > dependencies on > > versioned symbols or external shared libraries, and verifies conformance > with > > the ``manylinux1`` policy. This includes the ability to add the new > platform > > tag to conforming wheels. > > > > In addition, ``auditwheel`` has the ability to automatically modify > wheels that > > depend on external shared libraries by copying those shared libraries > from > > the system into the wheel itself, and modifying the appropriate RPATH > entries > > such that these libraries will be picked up at runtime. This > accomplishes a > > similar result as if the libraries had been statically linked without > requiring > > changes to the build system. > > This approach has a few problems: > > * Libraries typically depend on a lot more context than just > the code that is provided in the libraries file, e.g. config > files, external resources, other libraries which are loaded > on demand, etc. > > * By including the libraries in the wheel you are distributing > the binary, which can lead to licensing problems, esp. with > GPLed or LGPLed code. > > > Neither of these tools are necessary to build wheels which conform with > the > > ``manylinux1`` policy. Similar results can usually be achieved by > statically > > linking external dependencies and/or using certain inline assembly > constructs > > to instruct the linker to prefer older symbol versions, however these > tricks > > can be quite esoteric. > > Static linking only helps in very few cases, where the context > needed for the external library to work is minimal. > > > Platform Detection for Installers > > ================================= > > > > Because the ``manylinux1`` profile is already known to work for the many > > thousands of users of popular commercial Python distributions, we > suggest that > > installation tools like ``pip`` should error on the side of assuming > that a > > system *is* compatible, unless there is specific reason to think > otherwise. > > > > We know of three main sources of potential incompatibility that are > likely to > > arise in practice: > > > > * A linux distribution that is too old (e.g. RHEL 4) > > * A linux distribution that does not use glibc (e.g. Alpine Linux, which > is > > based on musl libc, or Android) > > * Eventually, in the future, there may exist distributions that break > > compatibility with this profile > > > > To handle the first two cases, we propose the following simple and > reliable > > check: :: > > def have_glibc_version(major, minimum_minor): > > [...] > > It would be better to use platform.libc_ver() for this. > > > ``manylinux1`` wheels distributed through PyPI that bundle > security-critical > > libraries like OpenSSL will thus assume responsibility for prompt > updates in > > response disclosed vulnerabilities and patches. This closely parallels > the > > security implications of the distribution of binary wheels on Windows > that, > > because the platform lacks a system package manager, generally bundle > their > > dependencies. In particular, because its lacks a stable ABI, OpenSSL > cannot be > > included in the ``manylinux1`` profile. > > The OpenSSL ABI has been quite stable in recent years (unlike in the > days of 0.9.7 and earlier). > > Since many libraries do link against OpenSSL (basically everything > that uses network connections nowadays), using the fixed scheme > outlined in the PEP would severely limited the usefulness. > > By using the version based approach, we'd not run into this > problem and gain a lot more. > > -- > Marc-Andre Lemburg > eGenix.com > > Professional Python Services directly from the Experts (#1, Jan 21 2016) > >>> Python Projects, Coaching and Consulting ... http://www.egenix.com/ > >>> Python Database Interfaces ... http://products.egenix.com/ > >>> Plone/Zope Database Interfaces ... http://zope.egenix.com/ > ________________________________________________________________________ > > ::: We implement business ideas - efficiently in both time and costs ::: > > eGenix.com Software, Skills and Services GmbH Pastor-Loeh-Str.48 > D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg > Registered at Amtsgericht Duesseldorf: HRB 46611 > http://www.egenix.com/company/contact/ > http://www.malemburg.com/ > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From ncoghlan at gmail.com Thu Jan 21 04:31:16 2016 From: ncoghlan at gmail.com (Nick Coghlan) Date: Thu, 21 Jan 2016 19:31:16 +1000 Subject: [Distutils] draft PEP: manylinux1 In-Reply-To: <56A09EDF.3000500@egenix.com> References: <56A09EDF.3000500@egenix.com> Message-ID: On 21 January 2016 at 19:03, M.-A. Lemburg wrote: > By using the version based approach, we'd not run into this > problem and gain a lot more. I think it's better to start with a small core that we *know* works, then expand later, rather than trying to make the first iteration too wide. The "manylinux1" tag itself is versioned (hence the "1" at the end), so "manylinux2" may simply have *more* libraries defined, rather than newer ones. The key is that we only have one chance to make a good first impression with binary Linux wheel support on PyPI, and we want that to be positive for everyone: * for publishers, going from "no Linux wheels" to "Linux wheels if you have few external dependencies beyond glibc" is a big step up (it's enough for a Cython accelerator module, for example, or a cffi wrapper around a bundled library) * for end users, we need to nigh certain that wheels built this way will *just work* Even with a small starting list of libraries defined, we're going to end up with cases where the installed extension module will fail to load, and end users will have to figure out what dependencies are missing. The "external dependency specification" at https://github.com/pypa/interoperability-peps/pull/30 would let pip detect that at install time (rather the user finding out at runtime when the module fails to load), but that will still leave the end user to figure out how to get the external dependencies installed. If Donald can provide the list of "most downloaded wheel files" for other platforms, that could also be a useful guide as to how many source builds may potentially already be avoided through the draft "manylinux1" definition. Cheers, Nick. -- Nick Coghlan | ncoghlan at gmail.com | Brisbane, Australia From rmcgibbo at gmail.com Thu Jan 21 04:57:50 2016 From: rmcgibbo at gmail.com (Robert McGibbon) Date: Thu, 21 Jan 2016 01:57:50 -0800 Subject: [Distutils] draft PEP: manylinux1 In-Reply-To: References: <56A09EDF.3000500@egenix.com> Message-ID: On Thu, Jan 21, 2016 at 1:31 AM, Nick Coghlan wrote: > > I think it's better to start with a small core that we *know* works, > then expand later, rather than trying to make the first iteration too > wide. The "manylinux1" tag itself is versioned (hence the "1" at the > end), so "manylinux2" may simply have *more* libraries defined, rather > than newer ones. > > The key is that we only have one chance to make a good first > impression with binary Linux wheel support on PyPI, and we want that > to be positive for everyone: > > * for publishers, going from "no Linux wheels" to "Linux wheels if you > have few external dependencies beyond glibc" is a big step up (it's > enough for a Cython accelerator module, for example, or a cffi wrapper > around a bundled library) > * for end users, we need to nigh certain that wheels built this way > will *just work* > In general, I see a tension between permissiveness and flexibility in the policy here, with good arguments on both sides. A restrictive policy (like the one we propose) will keep some wheels off PyPI that would work just fine on most Linux boxes. But it will also ensure that fewer broken packages are uploaded. In my opinion, the packaging system we have currently works pretty well. Adopting a loose policy could therefore be experienced as a regression for users who type ``pip install ` and receive a broken binary wheel. This is one of the reasons we thought that it would be safest to start small and work incrementally. -Robert -------------- next part -------------- An HTML attachment was scrubbed... URL: From rmcgibbo at gmail.com Thu Jan 21 05:02:57 2016 From: rmcgibbo at gmail.com (Robert McGibbon) Date: Thu, 21 Jan 2016 02:02:57 -0800 Subject: [Distutils] draft PEP: manylinux1 In-Reply-To: References: <56A09EDF.3000500@egenix.com>

Message-ID: Another wrinkle: it also should be possible, I think, for wheels to include binaries that are linked against shared libraries that are provided by other wheels (that are part of the install_requires), but I haven't thought much about this. I know Nathaniel has been thinking about this type of thing for a separate BLAS wheel package that, for example, numpy could depend on. I assume that this type of thing should be kosher within the manylinux1 policy, although the text of the draft PEP does not definitely address it. -Robert -------------- next part -------------- An HTML attachment was scrubbed... URL: From mal at egenix.com Thu Jan 21 05:05:42 2016 From: mal at egenix.com (M.-A. Lemburg) Date: Thu, 21 Jan 2016 11:05:42 +0100 Subject: [Distutils] draft PEP: manylinux1 In-Reply-To: References: <56A09EDF.3000500@egenix.com> Message-ID: <56A0AD76.7090107@egenix.com> On 21.01.2016 10:31, Nick Coghlan wrote: > On 21 January 2016 at 19:03, M.-A. Lemburg wrote: >> By using the version based approach, we'd not run into this >> problem and gain a lot more. > > I think it's better to start with a small core that we *know* works, > then expand later, rather than trying to make the first iteration too > wide. The "manylinux1" tag itself is versioned (hence the "1" at the > end), so "manylinux2" may simply have *more* libraries defined, rather > than newer ones. My argument is that the file based approach taken by the PEP is too limiting to actually make things work for a large set of Python packages. It will basically only work for packages that do not interface to other external libraries (except for the few cases listed in the PEP, e.g. X11, GL, which aren't always installed or available either). IMO, testing the versions of a set of libraries is a safer approach. It's perfectly fine to have a few dependencies not work in a module because an optional system package is not installed, e.g. say a package comes with UIs written in Qt and one in GTK. pip could then warn about missing dependencies in the installed packages. Another detail we have found when external dependencies is that some platforms use different names for the libraries, e.g. RedHat has a tendency to use non-standard OpenSSL library names (/lib64/libssl.so.10 instead of the more common libssl.so.1.0.0). > The key is that we only have one chance to make a good first > impression with binary Linux wheel support on PyPI, and we want that > to be positive for everyone: Sure, but if we get the concept wrong, it'll be difficult to switch later on and since there will always be libs not in the set, we'll need to address this in some way. > * for publishers, going from "no Linux wheels" to "Linux wheels if you > have few external dependencies beyond glibc" is a big step up (it's > enough for a Cython accelerator module, for example, or a cffi wrapper > around a bundled library) > * for end users, we need to nigh certain that wheels built this way > will *just work* > > Even with a small starting list of libraries defined, we're going to > end up with cases where the installed extension module will fail to > load, and end users will have to figure out what dependencies are > missing. The "external dependency specification" at > https://github.com/pypa/interoperability-peps/pull/30 would let pip > detect that at install time (rather the user finding out at runtime > when the module fails to load), but that will still leave the end user > to figure out how to get the external dependencies installed. > > If Donald can provide the list of "most downloaded wheel files" for > other platforms, that could also be a useful guide as to how many > source builds may potentially already be avoided through the draft > "manylinux1" definition. I still believe that installers are in a better position to decide which binary files to install based on the findings on the installation system. This is why we are using a more flexible tag system in our prebuilt format: http://www.egenix.com/library/presentations/PyCon-UK-2014-Python-Web-Installer/ In essence, the installer knows which files are available and can then analyze the installation system to pick the right binary. Tags can be added as necessary to address all the different dimensions that need testing, e.g. whether the binary runs on a Raspi2 or only a Raspi1. -- Marc-Andre Lemburg eGenix.com Professional Python Services directly from the Experts (#1, Jan 21 2016) >>> Python Projects, Coaching and Consulting ... http://www.egenix.com/ >>> Python Database Interfaces ... http://products.egenix.com/ >>> Plone/Zope Database Interfaces ... http://zope.egenix.com/ ________________________________________________________________________ ::: We implement business ideas - efficiently in both time and costs ::: eGenix.com Software, Skills and Services GmbH Pastor-Loeh-Str.48 D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg Registered at Amtsgericht Duesseldorf: HRB 46611 http://www.egenix.com/company/contact/ http://www.malemburg.com/ From ncoghlan at gmail.com Thu Jan 21 05:11:10 2016 From: ncoghlan at gmail.com (Nick Coghlan) Date: Thu, 21 Jan 2016 20:11:10 +1000 Subject: [Distutils] draft PEP: manylinux1 In-Reply-To: <56A0AD76.7090107@egenix.com> References: <56A09EDF.3000500@egenix.com> <56A0AD76.7090107@egenix.com> Message-ID: On 21 January 2016 at 20:05, M.-A. Lemburg wrote: > On 21.01.2016 10:31, Nick Coghlan wrote: >> On 21 January 2016 at 19:03, M.-A. Lemburg wrote: >>> By using the version based approach, we'd not run into this >>> problem and gain a lot more. >> >> I think it's better to start with a small core that we *know* works, >> then expand later, rather than trying to make the first iteration too >> wide. The "manylinux1" tag itself is versioned (hence the "1" at the >> end), so "manylinux2" may simply have *more* libraries defined, rather >> than newer ones. > > My argument is that the file based approach taken by the PEP > is too limiting to actually make things work for a large > set of Python packages. > > It will basically only work for packages that do not interface > to other external libraries (except for the few cases listed in > the PEP, e.g. X11, GL, which aren't always installed or > available either). > > IMO, testing the versions of a set of libraries is a safer > approach. I still don't really understand what you mean by "testing the versions of a set of libraries", but if you have the time available to propose a competing PEP, that always leads to a stronger result than when we only have only proposed approach to consider. Regards, Nick. -- Nick Coghlan | ncoghlan at gmail.com | Brisbane, Australia From mal at egenix.com Thu Jan 21 06:06:34 2016 From: mal at egenix.com (M.-A. Lemburg) Date: Thu, 21 Jan 2016 12:06:34 +0100 Subject: [Distutils] draft PEP: manylinux1 In-Reply-To: References: <56A09EDF.3000500@egenix.com> <56A0AD76.7090107@egenix.com> Message-ID: <56A0BBBA.3050603@egenix.com> On 21.01.2016 11:11, Nick Coghlan wrote: > On 21 January 2016 at 20:05, M.-A. Lemburg wrote: >> On 21.01.2016 10:31, Nick Coghlan wrote: >>> On 21 January 2016 at 19:03, M.-A. Lemburg wrote: >>>> By using the version based approach, we'd not run into this >>>> problem and gain a lot more. >>> >>> I think it's better to start with a small core that we *know* works, >>> then expand later, rather than trying to make the first iteration too >>> wide. The "manylinux1" tag itself is versioned (hence the "1" at the >>> end), so "manylinux2" may simply have *more* libraries defined, rather >>> than newer ones. >> >> My argument is that the file based approach taken by the PEP >> is too limiting to actually make things work for a large >> set of Python packages. >> >> It will basically only work for packages that do not interface >> to other external libraries (except for the few cases listed in >> the PEP, e.g. X11, GL, which aren't always installed or >> available either). >> >> IMO, testing the versions of a set of libraries is a safer >> approach. > > I still don't really understand what you mean by "testing the versions > of a set of libraries", but if you have the time available to propose > a competing PEP, that always leads to a stronger result than when we > only have only proposed approach to consider. I think the PEP is fine as it is, just the restriction to test for the library file names is something that would need to be changed to implement the different approach: """ For these reasons, we define a set of library versions that are supported by a wide range of Linux distributions. We therefore pick library versions which have been around for at least 5 years. When using these external libraries, Python wheels should only depend on library versions listed in the section below. Python wheels are free to depend on additional libraries not included in this set, however, care should be taken that these additional libraries do not depend on later versions of the listed libraries, e.g. OpenSSL libraries compiled against the C library versions listed below. The ``manylinux1`` policy thus encompasses a standard for which versions of these external shared libraries a wheel may depend on, and the maximum depended-upon symbol versions therein. Future versions of the manylinux policy may include more libraries, or move on to later versions. The permitted external shared libraries and versions for ``manylinux1``are: :: libpanelw.so.5 libncursesw.so.5 libgcc_s.so.1 libstdc++.so.6 ... """ This will still lead to cases where a package doesn't work because of missing system packages, but at least they won't fail due to mismatch in basic C library versions, which is the most problematic case for users. The PEP will also have to address to problems introduced by versioned symbols in more recent Linux shared libs: even though the library file names have not changed, they may well include different support levels for the various APIs, e.g. glibc 2.1, 2.2, 2.3, etc. For our binaries, we have chosen to use a system where this versioning has not yet been enabled for system libs. We did this because we found using a library compiled against a versioned lib on a system which comes with an unversioned lib causes warnings to be issued. For openSUSE the change was applied between the 11.3 and 11.4 releases. Some references which show case the problem: - ? http://stackoverflow.com/questions/137773/what-does-the-no-version-information-available-error-from-linux-dynamic-linker/156387#156387 - ? http://superuser.com/questions/305055/how-to-diagnosis-and-resolve-usr-lib64-libz-so-1-no-version-information-avail - ? http://forums.opensuse.org/english/get-technical-help-here/applications/466547-google-chrome-issues.html -- Marc-Andre Lemburg eGenix.com Professional Python Services directly from the Experts (#1, Jan 21 2016) >>> Python Projects, Coaching and Consulting ... http://www.egenix.com/ >>> Python Database Interfaces ... http://products.egenix.com/ >>> Plone/Zope Database Interfaces ... http://zope.egenix.com/ ________________________________________________________________________ ::: We implement business ideas - efficiently in both time and costs ::: eGenix.com Software, Skills and Services GmbH Pastor-Loeh-Str.48 D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg Registered at Amtsgericht Duesseldorf: HRB 46611 http://www.egenix.com/company/contact/ http://www.malemburg.com/ From leorochael at gmail.com Thu Jan 21 08:30:05 2016 From: leorochael at gmail.com (Leonardo Rochael Almeida) Date: Thu, 21 Jan 2016 11:30:05 -0200 Subject: [Distutils] draft PEP: manylinux1 In-Reply-To: References: Message-ID: Hi Nathaniel and Robert, This is a really nice proposal. I would only like to see added to this proposal (or another one) that new versions of installers should offer an option to opt in or out of binary packages from specific sources. Right now pip has the switches: - --no-binary - --only-binary These switches (dis)allow downloading binaries for specific packages. I think it would be nice to have the following options as well: - --no-binary-from - --only-binary-from This way I could block binaries from PyPI but allow from my private index where they were compiled with my favorite compiler or on the closest platform possible to my production, or with my favorite compilation flags present in the environment. As Robert quoted, the "speed and correctness implications to always reverting to the lowest common denominator of glibc." will result in some deployments preferring to set up their own indexes or "find-links" repositories for storing optimized binary packages while allowing PyPI to provide the rest. Alternatively, the `` specification above could be expanded to allow not only specifying package names, but package names with their respective sources. Regards, Leo -------------- next part -------------- An HTML attachment was scrubbed... URL: From ncoghlan at gmail.com Thu Jan 21 08:39:48 2016 From: ncoghlan at gmail.com (Nick Coghlan) Date: Thu, 21 Jan 2016 23:39:48 +1000 Subject: [Distutils] draft PEP: manylinux1 In-Reply-To: References:

Message-ID: On 21 January 2016 at 23:30, Leonardo Rochael Almeida wrote: > I think it would be nice to have the following options as well: > > --no-binary-from > --only-binary-from > > This way I could block binaries from PyPI but allow from my private index > where they were compiled with my favorite compiler or on the closest > platform possible to my production, or with my favorite compilation flags > present in the environment. I quite like that idea, but I don't think it needs to be linked to the PEP - it can just be an enhancement request for pip (It applies just as much to other platforms as it does Linux, and even for Linux, private indices can already be used to host prebuilt Linux binaries). Cheers, Nick. -- Nick Coghlan | ncoghlan at gmail.com | Brisbane, Australia From John-Whitlock at ieee.org Thu Jan 21 09:39:46 2016 From: John-Whitlock at ieee.org (John Whitlock) Date: Thu, 21 Jan 2016 08:39:46 -0600 Subject: [Distutils] Package classifiers - both major and minor Python versions? Message-ID: A discussion about the Python language classifiers came up in a pull request [1], and I couldn't find a definite answer. The question is - should a packager specify the major Python versions, minor Python versions, or both? The Python Packaging User Guide's example [2] has both: # Specify the Python versions you support here. In particular, ensure # that you indicate whether you support Python 2, Python 3 or both. 'Programming Language :: Python :: 2', 'Programming Language :: Python :: 2.6', 'Programming Language :: Python :: 2.7', 'Programming Language :: Python :: 3', 'Programming Language :: Python :: 3.2', 'Programming Language :: Python :: 3.3', 'Programming Language :: Python :: 3.4', In the example, 'Programming Language :: Python :: 2' is a major version, and 'Programming Language :: Python :: 2.7' is a minor version. pyroma [3], which I use as a packaging linter, has insisted on both the major and minor versions since the first release in 2011 [4]. These were added in 2008, but the announcement on this mailing list didn't include guidance on usage [5]. I can't find any guidance in PEPs either. Thanks for your advice, John Whitlock [1] https://github.com/zheller/flake8-quotes/pull/14/files#r50356768 [2] https://python-packaging-user-guide.readthedocs.org/en/latest/distributing/#classifiers [3] https://bitbucket.org/regebro/pyroma [4] https://bitbucket.org/regebro/pyroma/src/9addf825bc8fc3deaf09e724a16cb98b35c53c76/pyroma/tests.py?fileviewer=file-view-default [5] https://mail.python.org/pipermail/distutils-sig/2008-October/010419.html -------------- next part -------------- An HTML attachment was scrubbed... URL: From njs at pobox.com Thu Jan 21 11:13:12 2016 From: njs at pobox.com (Nathaniel Smith) Date: Thu, 21 Jan 2016 08:13:12 -0800 Subject: [Distutils] draft PEP: manylinux1 In-Reply-To: <56A0AD76.7090107@egenix.com> References: <56A09EDF.3000500@egenix.com> <56A0AD76.7090107@egenix.com> Message-ID: On Jan 21, 2016 2:07 AM, "M.-A. Lemburg" wrote: > > On 21.01.2016 10:31, Nick Coghlan wrote: > > On 21 January 2016 at 19:03, M.-A. Lemburg wrote: > >> By using the version based approach, we'd not run into this > >> problem and gain a lot more. > > > > I think it's better to start with a small core that we *know* works, > > then expand later, rather than trying to make the first iteration too > > wide. The "manylinux1" tag itself is versioned (hence the "1" at the > > end), so "manylinux2" may simply have *more* libraries defined, rather > > than newer ones. > > My argument is that the file based approach taken by the PEP > is too limiting to actually make things work for a large > set of Python packages. > > It will basically only work for packages that do not interface > to other external libraries (except for the few cases listed in > the PEP, e.g. X11, GL, which aren't always installed or > available either). The list of allowed libraries is exactly the same list of libraries as are required by the Anaconda python distribution, so we *know* that it works for about a hundred different python packages, including lots of tricky ones (the whole scientific stack), and had been tested by tens or hundreds of thousands of users. (I posted a link above to some actual working, compliant pyside and numpy packages, which we picked for testing because they're particular interesting/difficult packages that need to interface to external libraries.) Yes, various extra tricks are needed to get things working on top of this base, including strategies for shipping libraries that are not in the baseline set, but these are problems that can be solved on a project-by-project basis, and don't need a PEP. [...] > Another detail we have found when external dependencies > is that some platforms use different names for the libraries, > e.g. RedHat has a tendency to use non-standard OpenSSL > library names (/lib64/libssl.so.10 instead of the more > common libssl.so.1.0.0). > > > The key is that we only have one chance to make a good first > > impression with binary Linux wheel support on PyPI, and we want that > > to be positive for everyone: > > Sure, but if we get the concept wrong, it'll be difficult > to switch later on and since there will always be libs not in the > set, we'll need to address this in some way. There's no lock-in here -- any alternative approach just needs its own platform tag. Pypi and pip can easily support multiple such tags at the same time, if more sophisticated proposals arise in the future. In the mean time, for packagers targeting manylinux is at least as easy as targeting windows (which also provides very few libraries "for free"). -n -------------- next part -------------- An HTML attachment was scrubbed... URL: From mal at egenix.com Thu Jan 21 11:53:13 2016 From: mal at egenix.com (M.-A. Lemburg) Date: Thu, 21 Jan 2016 17:53:13 +0100 Subject: [Distutils] draft PEP: manylinux1 In-Reply-To: References: <56A09EDF.3000500@egenix.com> <56A0AD76.7090107@egenix.com> Message-ID: <56A10CF9.8070801@egenix.com> On 21.01.2016 17:13, Nathaniel Smith wrote: > On Jan 21, 2016 2:07 AM, "M.-A. Lemburg" wrote: >> >> On 21.01.2016 10:31, Nick Coghlan wrote: >>> On 21 January 2016 at 19:03, M.-A. Lemburg wrote: >>>> By using the version based approach, we'd not run into this >>>> problem and gain a lot more. >>> >>> I think it's better to start with a small core that we *know* works, >>> then expand later, rather than trying to make the first iteration too >>> wide. The "manylinux1" tag itself is versioned (hence the "1" at the >>> end), so "manylinux2" may simply have *more* libraries defined, rather >>> than newer ones. >> >> My argument is that the file based approach taken by the PEP >> is too limiting to actually make things work for a large >> set of Python packages. >> >> It will basically only work for packages that do not interface >> to other external libraries (except for the few cases listed in >> the PEP, e.g. X11, GL, which aren't always installed or >> available either). > > The list of allowed libraries is exactly the same list of libraries as are > required by the Anaconda python distribution, so we *know* that it works > for about a hundred different python packages, including lots of tricky > ones (the whole scientific stack), and had been tested by tens or hundreds > of thousands of users. (I posted a link above to some actual working, > compliant pyside and numpy packages, which we picked for testing because > they're particular interesting/difficult packages that need to interface to > external libraries.) Yes, various extra tricks are needed to get things > working on top of this base, including strategies for shipping libraries > that are not in the baseline set, but these are problems that can be solved > on a project-by-project basis, and don't need a PEP. And that's the problem: The set is limited to the needs of the scientific community and there to the users of one or two distributions only. It doesn't address needs of others that e.g. use Qt or GTK as basis for GUIs, people using OpenSSL for networking, people using ImageMagick for processing images, or type libs for type setting, or sound libs for doing sound processing, codec libs for video processing, etc. The idea to include the needed share libs in the wheel goes completely against the idea of relying on a system vendor to provide updates and security fixes. In some cases, this may be reasonable, but as design approach, it's not a good idea. > [...] >> Another detail we have found when external dependencies >> is that some platforms use different names for the libraries, >> e.g. RedHat has a tendency to use non-standard OpenSSL >> library names (/lib64/libssl.so.10 instead of the more >> common libssl.so.1.0.0). >> >>> The key is that we only have one chance to make a good first >>> impression with binary Linux wheel support on PyPI, and we want that >>> to be positive for everyone: >> >> Sure, but if we get the concept wrong, it'll be difficult >> to switch later on and since there will always be libs not in the >> set, we'll need to address this in some way. > > There's no lock-in here -- any alternative approach just needs its own > platform tag. Pypi and pip can easily support multiple such tags at the > same time, if more sophisticated proposals arise in the future. In the mean > time, for packagers targeting manylinux is at least as easy as targeting > windows (which also provides very few libraries "for free"). Yes, there's no lock-in, there's lock-out :-) We'd simply not allow people who have other requirements to upload Linux wheels to PyPI and that's not really acceptable. Right now, no one can upload Linux wheels, so that a fair setup. Using an approach where every single group first has to write a PEP, get it accepted and have PyPI and pip patched before they can upload wheels to PyPI does not read like a community friendly approach. I also can't imagine that we really want proliferation of "linux" tags for various purposes or even for various versions of library catalogs. What we need is a system that provides a few dimensions for various system specific differences (e.g. bitness, architecture) and a recommendation for library versions of a few very basic libraries to use when compiling for those systems. I believe the PEP is almost there, it just needs to use a slightly different concept, since limiting the set of allowed libraries does not provide the basis of an open system which PyPI/pip/wheels need to be. -- Marc-Andre Lemburg eGenix.com Professional Python Services directly from the Experts (#1, Jan 21 2016) >>> Python Projects, Coaching and Consulting ... http://www.egenix.com/ >>> Python Database Interfaces ... http://products.egenix.com/ >>> Plone/Zope Database Interfaces ... http://zope.egenix.com/ ________________________________________________________________________ ::: We implement business ideas - efficiently in both time and costs ::: eGenix.com Software, Skills and Services GmbH Pastor-Loeh-Str.48 D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg Registered at Amtsgericht Duesseldorf: HRB 46611 http://www.egenix.com/company/contact/ http://www.malemburg.com/ From donald at stufft.io Thu Jan 21 12:18:59 2016 From: donald at stufft.io (Donald Stufft) Date: Thu, 21 Jan 2016 12:18:59 -0500 Subject: [Distutils] draft PEP: manylinux1 In-Reply-To: References: <56A09EDF.3000500@egenix.com> Message-ID: <9F10A851-ED9B-4C6C-A116-61017E468D78@stufft.io> > On Jan 21, 2016, at 4:31 AM, Nick Coghlan wrote: > > If Donald can provide the list of "most downloaded wheel files" for > other platforms, that could also be a useful guide as to how many > source builds may potentially already be avoided through the draft > "manylinux1" definition. SELECT COUNT(*) AS downloads, file.filename FROM TABLE_DATE_RANGE( [long-stack-762:pypi.downloads], TIMESTAMP("20160114"), CURRENT_TIMESTAMP() ) WHERE file.type = 'bdist_wheel' AND NOT REGEXP_MATCH(file.filename, '^.*-none-any.whl$') GROUP BY file.filename ORDER BY downloads DESC LIMIT 1000 https://gist.github.com/dstufft/1dda9a9f87ee7121e0ee ----------------- Donald Stufft PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 842 bytes Desc: Message signed with OpenPGP using GPGMail URL: From donald at stufft.io Thu Jan 21 12:23:31 2016 From: donald at stufft.io (Donald Stufft) Date: Thu, 21 Jan 2016 12:23:31 -0500 Subject: [Distutils] draft PEP: manylinux1 In-Reply-To: <9F10A851-ED9B-4C6C-A116-61017E468D78@stufft.io> References: <56A09EDF.3000500@egenix.com> <9F10A851-ED9B-4C6C-A116-61017E468D78@stufft.io> Message-ID: > On Jan 21, 2016, at 12:18 PM, Donald Stufft wrote: > > >> On Jan 21, 2016, at 4:31 AM, Nick Coghlan wrote: >> >> If Donald can provide the list of "most downloaded wheel files" for >> other platforms, that could also be a useful guide as to how many >> source builds may potentially already be avoided through the draft >> "manylinux1" definition. > Or https://gist.github.com/dstufft/ea8a95580b022b233635 if you prefer it grouped by project. ----------------- Donald Stufft PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 842 bytes Desc: Message signed with OpenPGP using GPGMail URL: From donald at stufft.io Thu Jan 21 12:32:11 2016 From: donald at stufft.io (Donald Stufft) Date: Thu, 21 Jan 2016 12:32:11 -0500 Subject: [Distutils] draft PEP: manylinux1 In-Reply-To: References: Message-ID: > On Jan 20, 2016, at 10:55 PM, Nathaniel Smith wrote: > > The permitted external shared libraries are: :: > > libpanelw.so.5 > libncursesw.so.5 > libgcc_s.so.1 > libstdc++.so.6 > libm.so.6 > libdl.so.2 > librt.so.1 > libcrypt.so.1 > libc.so.6 > libnsl.so.1 > libutil.so.1 > libpthread.so.0 > libX11.so.6 > libXext.so.6 > libXrender.so.1 > libICE.so.6 > libSM.so.6 > libGL.so.1 > libgobject-2.0.so.0 > libgthread-2.0.so.0 > libglib-2.0.so.0 Forgive my, probably stupid, question? but why these libraries? Are these libraries unable to be reasonably statically linked like glibc is? ----------------- Donald Stufft PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 842 bytes Desc: Message signed with OpenPGP using GPGMail URL: From brett at python.org Thu Jan 21 12:53:32 2016 From: brett at python.org (Brett Cannon) Date: Thu, 21 Jan 2016 17:53:32 +0000 Subject: [Distutils] Package classifiers - both major and minor Python versions? In-Reply-To: References: Message-ID: On Thu, 21 Jan 2016 at 06:48 John Whitlock wrote: > A discussion about the Python language classifiers came up in a pull > request [1], and I couldn't find a definite answer. The question is - > should a packager specify the major Python versions, minor Python versions, > or both? > > The Python Packaging User Guide's example [2] has both: > > # Specify the Python versions you support here. In particular, ensure > # that you indicate whether you support Python 2, Python 3 or both. > 'Programming Language :: Python :: 2', > 'Programming Language :: Python :: 2.6', > 'Programming Language :: Python :: 2.7', > 'Programming Language :: Python :: 3', > 'Programming Language :: Python :: 3.2', > 'Programming Language :: Python :: 3.3', > 'Programming Language :: Python :: 3.4', > > In the example, 'Programming Language :: Python :: 2' is a major version, > and 'Programming Language :: Python :: 2.7' is a minor version. > > pyroma [3], which I use as a packaging linter, has insisted on both the > major and minor versions since the first release in 2011 [4]. > > These were added in 2008, but the announcement on this mailing list didn't > include guidance on usage [5]. I can't find any guidance in PEPs either. > You should at least do the major versions, and if you are up for maintaining them, then do the minor ones as well. You want the major ones to tell people whether you even support Python 3 or not. Various tools like caniusepython3 rely on at least the major version classifier existing to programmatically know about Python 3 support. Minor support is good to let people know what versions you have tested against and officially support. This is especially useful right after a new version of Python is released as it lets people know whether you have tested against the new release yet or not. It also lets people know if you have dropped support for an older version of Python. -------------- next part -------------- An HTML attachment was scrubbed... URL: From njs at pobox.com Thu Jan 21 13:43:24 2016 From: njs at pobox.com (Nathaniel Smith) Date: Thu, 21 Jan 2016 10:43:24 -0800 Subject: [Distutils] draft PEP: manylinux1 In-Reply-To: References:

Message-ID: On Jan 21, 2016 9:32 AM, "Donald Stufft" wrote: > > > > On Jan 20, 2016, at 10:55 PM, Nathaniel Smith wrote: > > > > The permitted external shared libraries are: :: > > > > libpanelw.so.5 > > libncursesw.so.5 > > libgcc_s.so.1 > > libstdc++.so.6 > > libm.so.6 > > libdl.so.2 > > librt.so.1 > > libcrypt.so.1 > > libc.so.6 > > libnsl.so.1 > > libutil.so.1 > > libpthread.so.0 > > libX11.so.6 > > libXext.so.6 > > libXrender.so.1 > > libICE.so.6 > > libSM.so.6 > > libGL.so.1 > > libgobject-2.0.so.0 > > libgthread-2.0.so.0 > > libglib-2.0.so.0 > > > Forgive my, probably stupid, question? but why these libraries? Are these > libraries unable to be reasonably statically linked like glibc is? It's not a stupid question at all :-). What we want is a list of libraries that are present, and compatible, and relevant, across the Linux distributions that most people use in practice. Unfortunately, there isn't really any formal specification or published data on this -- the only way to make such a list is to make a guess, start distributing software to lots of people based on your guess, wait for bug reports to come in, edit your list to avoid the problematic libraries, add some more libraries to your list to cover the new packages you've added to your distribution and where you think the risk is a worthwhile trade off versus just static linking, then repeat until you stop getting bug reports. This is expensive and time consuming and requires data we don't have, so we delegated: the list in the PEP is exactly the set of libraries that Continuum's Anaconda distribution links to and a subset of the libraries that Enthought's Canopy links to [1]. They've both been going through the loop above for years, with lots of packages, and lots of lots of downloads, so we're piggybacking off their effort. Here's the list of packages in Anaconda: http://docs.continuum.io/anaconda/pkg-docs -n [1] why only a subset of Canopy's libraries? because when we analyzed the latest release of Canopy we found several weird libraries that we knew must be mistakes and being pulled in by code paths that were never used in practice, so we decided to be conservative about trusting their library list. We're in contact with their distribution folks and might add some more libraries to this list if they come back to us and assure us that those libraries have actually been tested. -------------- next part -------------- An HTML attachment was scrubbed... URL: From rmcgibbo at gmail.com Thu Jan 21 14:16:47 2016 From: rmcgibbo at gmail.com (Robert T. McGibbon) Date: Thu, 21 Jan 2016 11:16:47 -0800 Subject: [Distutils] draft PEP: manylinux1 In-Reply-To: <56A10CF9.8070801@egenix.com> References: <56A09EDF.3000500@egenix.com> <56A0AD76.7090107@egenix.com> <56A10CF9.8070801@egenix.com> Message-ID: On Thu, Jan 21, 2016 at 8:53 AM, M.-A. Lemburg wrote: > [...] > What we need is a system that provides a few dimensions > for various system specific differences (e.g. bitness, > architecture) and a recommendation for library > versions of a few very basic libraries to use when > compiling for those systems. > > I believe the PEP is almost there, it just needs to use a > slightly different concept, since limiting the set of > allowed libraries does not provide the basis of an open > system which PyPI/pip/wheels need to be. Sorry, I still don't think I quite understand. Is your position essentially that we should allow wheels to link against any system library included in (for example) stock openSUSE 11.5? Or that we should allow wheels to link against any library that can be installed into openSUSE 11.5 using `yum install `? -Robert -------------- next part -------------- An HTML attachment was scrubbed... URL: From njs at pobox.com Thu Jan 21 14:37:06 2016 From: njs at pobox.com (Nathaniel Smith) Date: Thu, 21 Jan 2016 11:37:06 -0800 Subject: [Distutils] draft PEP: manylinux1 In-Reply-To: <56A10CF9.8070801@egenix.com> References: <56A09EDF.3000500@egenix.com> <56A0AD76.7090107@egenix.com> <56A10CF9.8070801@egenix.com> Message-ID: On Jan 21, 2016 8:53 AM, "M.-A. Lemburg" wrote: > [...] > And that's the problem: The set is limited to the needs > of the scientific community and there to the users of > one or two distributions only. > > It doesn't address needs of others that e.g. use Qt or GTK as > basis for GUIs, people using OpenSSL for networking, people > using ImageMagick for processing images, or type libs for > type setting, or sound libs for doing sound processing, > codec libs for video processing, etc. I've pointed out several times now that our first test package was Qt bindings, and Glyph told us last week that this proposal is exactly how the cryptography package wants to handle their openssl dependency: https://www.mail-archive.com/distutils-sig at python.org/msg23506.html So this paragraph is just you making stuff up. Is manylinux1 the perfect panacea for every package? Probably not. In particular it's great for popular cross platform packages, because it works now and means they can basically reuse the work that they're already doing to make static windows and OSX wheels; it's less optimal for smaller Linux-specific packages that might prefer to take more than of Linux's unique package management functionality and only care about targeting one or two distros. > The idea to include the needed share libs in the wheel > goes completely against the idea of relying on a system > vendor to provide updates and security fixes. In some cases, > this may be reasonable, but as design approach, it's > not a good idea. > > > [...] > >> Another detail we have found when external dependencies > >> is that some platforms use different names for the libraries, > >> e.g. RedHat has a tendency to use non-standard OpenSSL > >> library names (/lib64/libssl.so.10 instead of the more > >> common libssl.so.1.0.0). > >> > >>> The key is that we only have one chance to make a good first > >>> impression with binary Linux wheel support on PyPI, and we want that > >>> to be positive for everyone: > >> > >> Sure, but if we get the concept wrong, it'll be difficult > >> to switch later on and since there will always be libs not in the > >> set, we'll need to address this in some way. > > > > There's no lock-in here -- any alternative approach just needs its own > > platform tag. Pypi and pip can easily support multiple such tags at the > > same time, if more sophisticated proposals arise in the future. In the mean > > time, for packagers targeting manylinux is at least as easy as targeting > > windows (which also provides very few libraries "for free"). > > Yes, there's no lock-in, there's lock-out :-) > > We'd simply not allow people who have other requirements to > upload Linux wheels to PyPI and that's not really acceptable. > > Right now, no one can upload Linux wheels, so that a fair > setup. The fairness that I'm more worried about is that right now Windows and OSX users get wheels, and Linux users don't. Feature parity across these platforms isn't everything, but it's a good start. > Using an approach where every single group first has to write > a PEP, get it accepted and have PyPI and pip patched before > they can upload wheels to PyPI does not read like a community > friendly approach. > > I also can't imagine that we really want proliferation of > "linux" tags for various purposes or even for various > versions of library catalogs. > > What we need is a system that provides a few dimensions > for various system specific differences (e.g. bitness, > architecture) and a recommendation for library > versions of a few very basic libraries to use when > compiling for those systems. > > I believe the PEP is almost there, it just needs to use a > slightly different concept, since limiting the set of > allowed libraries does not provide the basis of an open > system which PyPI/pip/wheels need to be. Like Nick, I'm still not sure what this "slightly different concept" you keep referring to is. -n -------------- next part -------------- An HTML attachment was scrubbed... URL: From chris.barker at noaa.gov Thu Jan 21 14:42:57 2016 From: chris.barker at noaa.gov (Chris Barker) Date: Thu, 21 Jan 2016 11:42:57 -0800 Subject: [Distutils] draft PEP: manylinux1 In-Reply-To: References: Message-ID: nice, idea, but.... libX11.so.6 libXext.so.6 libXrender.so.1 libGL.so.1 These are all X11, yes? pretty much any workstation will have these, but in general, servers won't. Someone on this thread suggested that that's OK -- don't expect a GUI package to work on a linux box without a GUI. But some of these libs might get used for stuff like back-end rendering, etc, so would be expected to work on a headless box. I think Anaconda an Canopy have gotten away with this because both of their user bases are primarily desktop data analysis type of stuff -- not web services, web servers, etc. Then there is the "additional libs" problem. Again, Anaconda and Canopy can do this because they are providing those libs - lots of stuff you'd generally expect to be there in a typical *nix system stuff like libpng, libjpeg, who knows what they heck else. So without a plan to provide all that stuff -- I"m not sure of the utility of this -- how are you gong to get PIL/Pillow to work? statically link up the ying-yang? Not sure the linux world will take to that. Anyway, maybe we just need to try and see how it shakes out.... -Chris -- Christopher Barker, Ph.D. Oceanographer Emergency Response Division NOAA/NOS/OR&R (206) 526-6959 voice 7600 Sand Point Way NE (206) 526-6329 fax Seattle, WA 98115 (206) 526-6317 main reception Chris.Barker at noaa.gov -------------- next part -------------- An HTML attachment was scrubbed... URL: From chris.barker at noaa.gov Thu Jan 21 14:54:24 2016 From: chris.barker at noaa.gov (Chris Barker) Date: Thu, 21 Jan 2016 11:54:24 -0800 Subject: [Distutils] draft PEP: manylinux1 In-Reply-To: References: <56A09EDF.3000500@egenix.com> <56A0AD76.7090107@egenix.com> <56A10CF9.8070801@egenix.com> Message-ID: On Thu, Jan 21, 2016 at 11:37 AM, Nathaniel Smith wrote: > Glyph told us last week that this proposal is exactly how the > cryptography package wants to handle their openssl dependency: > https://www.mail-archive.com/distutils-sig at python.org/msg23506.html > > well, SSL is a pretty unique case -- there's one where controlling the version of the lib, and having it be recent it critical. We will have issues with all sorts of other "Pretty common, but can't count on it" libs. > Is manylinux1 the perfect panacea for every package? Probably not. In > particular it's great for popular cross platform packages, because it works > now and means they can basically reuse the work that > they're already doing to make static windows and OSX wheels; > except that static linking is a pain on LInux -- the toolchain really doesn't want you to do that :-) It's also not part of the culture. Windows is "working" because of Chris Gohlke's heroic efforts. OS-X is kind-of sort of working, because of Matthew Brett's also heroic efforts. But Anaconda and Canopy exist, and are popular, for a reason -- they solve a very real problem, and many linux is only solving a very small part of that problem -- the easy part. Maybe there will be a Gohlke-like figure that will step up and build statically linked wheels for all sorts of stuff -- but is that the end-game we want anyway? everyting statically linked? One plus -- with Docker and CI systems, it's getting pretty easy to set up a build sandbox that only has the manylinux libs on it -- so not too hard to automate and test your builds.... > The idea to include the needed share libs in the wheel > > goes completely against the idea of relying on a system > > vendor to provide updates and security fixes. In some cases, > > this may be reasonable, but as design approach, it's > > not a good idea. > Is this any different than static linking -- probably not. And that's pretty much what I mean by the culture os dynamic linking on Linux. On Windows, dll hell is such that we've all accepted that we're going to need to statically link and provide dlls. On OS-X, at least the base system is pretty well defined -- though I sure wish they'd supply more of what really should be basic libs. -CHB -- Christopher Barker, Ph.D. Oceanographer Emergency Response Division NOAA/NOS/OR&R (206) 526-6959 voice 7600 Sand Point Way NE (206) 526-6329 fax Seattle, WA 98115 (206) 526-6317 main reception Chris.Barker at noaa.gov -------------- next part -------------- An HTML attachment was scrubbed... URL: From rmcgibbo at gmail.com Thu Jan 21 14:55:05 2016 From: rmcgibbo at gmail.com (Robert T. McGibbon) Date: Thu, 21 Jan 2016 11:55:05 -0800 Subject: [Distutils] draft PEP: manylinux1 In-Reply-To: References: Message-ID: On Jan 21, 2016 11:43 AM, "Chris Barker" wrote: > > nice, idea, but.... > > libX11.so.6 > libXext.so.6 > libXrender.so.1 > libGL.so.1 > > These are all X11, yes? pretty much any workstation will have these, but in general, servers won't. > > Someone on this thread suggested that that's OK -- don't expect a GUI package to work on a linux box without a GUI. But some of these libs might get used for stuff like back-end rendering, etc, so would be expected to work on a headless box. I think Anaconda an Canopy have gotten away with this because both of their user bases are primarily desktop data analysis type of stuff -- not web services, web servers, etc. I can only speak for myself and my team, but we use Anaconda on servers on a daily basis, including with libraries like matplotlib to generate images that are displayed over a web service. I believe this is a pretty common use case, especially with popular apps like Jupyter servers. -------------- next part -------------- An HTML attachment was scrubbed... URL: From chris.barker at noaa.gov Thu Jan 21 14:57:33 2016 From: chris.barker at noaa.gov (Chris Barker) Date: Thu, 21 Jan 2016 11:57:33 -0800 Subject: [Distutils] draft PEP: manylinux1 In-Reply-To: References:

Message-ID: On Thu, Jan 21, 2016 at 11:48 AM, Matthew Brett wrote: > > So without a plan to provide all that stuff -- I"m not sure of the > utility > > of this -- how are you gong to get PIL/Pillow to work? statically link up > > the ying-yang? Not sure the linux world will take to that. > > That's exactly how the current OSX Pillow wheels work, and they've > been working fine for a while now. There just aren't that many > libraries to worry about for the vast majority of packages. > well, that was really intended to be only an example. And OS-X provides more basic libs than manylinux anyway (zlib, freetype, either png or jpeg, can't remember which). The library list got long enough to drive me crazy -- I guess you've got more patience than I have. Tried to build any OSGEO stuff lately? -CHB -- Christopher Barker, Ph.D. Oceanographer Emergency Response Division NOAA/NOS/OR&R (206) 526-6959 voice 7600 Sand Point Way NE (206) 526-6329 fax Seattle, WA 98115 (206) 526-6317 main reception Chris.Barker at noaa.gov -------------- next part -------------- An HTML attachment was scrubbed... URL: From p.f.moore at gmail.com Thu Jan 21 14:58:15 2016 From: p.f.moore at gmail.com (Paul Moore) Date: Thu, 21 Jan 2016 19:58:15 +0000 Subject: [Distutils] draft PEP: manylinux1 In-Reply-To: References: <56A09EDF.3000500@egenix.com> <56A0AD76.7090107@egenix.com> <56A10CF9.8070801@egenix.com> Message-ID: On 21 January 2016 at 19:37, Nathaniel Smith wrote: >> Right now, no one can upload Linux wheels, so that a fair >> setup. > > The fairness that I'm more worried about is that right now Windows and OSX > users get wheels, and Linux users don't. Feature parity across these > platforms isn't everything, but it's a good start. 100% agreed. I don't use Linux, but as a Windows user, the fact that Linux users are excluded from using wheels saddens me because it means that without support for the large base of Linux users we still don't have a good binary distribution story. The story isn't perfect on Windows or OSX either. Let's not let a quest for perfection stand in the way of helping people get stuff done. >> Using an approach where every single group first has to write >> a PEP, get it accepted and have PyPI and pip patched before >> they can upload wheels to PyPI does not read like a community >> friendly approach. The valid Linux tags are defined in a pep, and coded in pip. But experience has shown that those tags are not a usable solution. Fixing that *requires* a PEP and a change to pip. There's no way round that. But equally, there's no reason we can't have more than one PEP/change. Just because someone has done the work and offered a PEP doesn't preclude anyone else doing so to. Contrariwise, if Nathaniel's PEP wasn't around, that wouldn't stop anyone with an alternative proposal from having to write a PEP. So I'm not sure what you're saying here. That the PEP process in general is not community friendly? That writing a PEP that turns out to be insufficient in one small area is somehow a huge issue for the community? That the wheel spec should never have been subject to the PEP process? That we should let people upload wheels with the insufficiently precise "linux" tag to PyPI and let the users sort out the resulting mess? OTOH, if you're suggesting that people might be put off proposing alternatives to the manylinux suggestion because of the grief Nathaniel is getting over what is (IMO) a practical, well-researched, and field tested suggestion, then you're possibly right. But the easiest way to fix that is to accept that it's a good proposal (possibly only an initial step, but that's fine) and approve it, rather than requiring it to be perfect (as opposed to merely significantly better than what we now have). FWIW, the proposal has a solid +1 from me. Paul From chris.barker at noaa.gov Thu Jan 21 14:59:33 2016 From: chris.barker at noaa.gov (Chris Barker) Date: Thu, 21 Jan 2016 11:59:33 -0800 Subject: [Distutils] draft PEP: manylinux1 In-Reply-To: References: Message-ID: > On Thu, Jan 21, 2016 at 11:55 AM, Robert T. McGibbon > wrote: > >> >> > These are all X11, yes? pretty much any workstation will have these, >> but in general, servers won't. >> > >> > Someone on this thread suggested that that's OK -- don't expect a GUI >> package to work on a linux box without a GUI. But some of these libs might >> get used for stuff like back-end rendering, etc, so would be expected to >> work on a headless box. I think Anaconda an Canopy have gotten away with >> this because both of their user bases are primarily desktop data analysis >> type of stuff -- not web services, web servers, etc. >> >> I can only speak for myself and my team, but we use Anaconda on servers >> on a daily basis, including with libraries like matplotlib to generate >> images that are displayed over a web service. >> >> I believe this is a pretty common use case, especially with popular apps >> like Jupyter servers. >> > yup -- and Bokeh -- getting more popular -- do you put X11 on your servers? > > -- Christopher Barker, Ph.D. Oceanographer Emergency Response Division NOAA/NOS/OR&R (206) 526-6959 voice 7600 Sand Point Way NE (206) 526-6329 fax Seattle, WA 98115 (206) 526-6317 main reception Chris.Barker at noaa.gov -------------- next part -------------- An HTML attachment was scrubbed... URL: From rmcgibbo at gmail.com Thu Jan 21 15:02:44 2016 From: rmcgibbo at gmail.com (Robert T. McGibbon) Date: Thu, 21 Jan 2016 12:02:44 -0800 Subject: [Distutils] draft PEP: manylinux1 In-Reply-To: References: <56A09EDF.3000500@egenix.com> <56A0AD76.7090107@egenix.com> <56A10CF9.8070801@egenix.com> Message-ID: On Jan 21, 2016 11:55 AM, "Chris Barker" wrote: > > On Thu, Jan 21, 2016 at 11:37 AM, Nathaniel Smith wrote: >> >> Glyph told us last week that this proposal is exactly how the cryptography package wants to handle their openssl dependency: https://www.mail-archive.com/distutils-sig at python.org/msg23506.html > > well, SSL is a pretty unique case -- there's one where controlling the version of the lib, and having it be recent it critical. > > We will have issues with all sorts of other "Pretty common, but can't count on it" libs. >> >> Is manylinux1 the perfect panacea for every package? Probably not. In particular it's great for popular cross platform packages, because it works now and means they can basically reuse the work that >> >> they're already doing to make static windows and OSX wheels; > > except that static linking is a pain on LInux -- the toolchain really doesn't want you to do that :-) It's also not part of the culture. > > Windows is "working" because of Chris Gohlke's heroic efforts. > > OS-X is kind-of sort of working, because of Matthew Brett's also heroic efforts. > > But Anaconda and Canopy exist, and are popular, for a reason -- they solve a very real problem, and many linux is only solving a very small part of that problem -- the easy part. > > Maybe there will be a Gohlke-like figure that will step up and build statically linked wheels for all sorts of stuff -- but is that the end-game we want anyway? everyting statically linked? > > One plus -- with Docker and CI systems, it's getting pretty easy to set up a build sandbox that only has the manylinux libs on it -- so not too hard to automate and test your builds.... > >> > The idea to include the needed share libs in the wheel >> > goes completely against the idea of relying on a system >> > vendor to provide updates and security fixes. In some cases, >> > this may be reasonable, but as design approach, it's >> > not a good idea. > > Is this any different than static linking -- probably not. And that's pretty much what I mean by the culture os dynamic linking on Linux. The difference between static linking and vendoring the shared libraries into the wheel using ``auditwheel repair`` is essentially just that the second option is much easier because it doesn't require modifications to the build system. Other than that, they're about the same. This is why Nathaniel was able to make a PySide wheel in 5 minutes. I don't think heroic efforts are really required. -------------- next part -------------- An HTML attachment was scrubbed... URL: From doko at ubuntu.com Thu Jan 21 14:54:49 2016 From: doko at ubuntu.com (Matthias Klose) Date: Thu, 21 Jan 2016 20:54:49 +0100 Subject: [Distutils] draft PEP: manylinux1 In-Reply-To: References: <56A09EDF.3000500@egenix.com> <56A0AD76.7090107@egenix.com> Message-ID: <56A13789.9050000@ubuntu.com> On 21.01.2016 17:13, Nathaniel Smith wrote: > On Jan 21, 2016 2:07 AM, "M.-A. Lemburg" wrote: >> >> On 21.01.2016 10:31, Nick Coghlan wrote: >>> On 21 January 2016 at 19:03, M.-A. Lemburg wrote: >>>> By using the version based approach, we'd not run into this >>>> problem and gain a lot more. >>> >>> I think it's better to start with a small core that we *know* works, >>> then expand later, rather than trying to make the first iteration too >>> wide. The "manylinux1" tag itself is versioned (hence the "1" at the >>> end), so "manylinux2" may simply have *more* libraries defined, rather >>> than newer ones. >> >> My argument is that the file based approach taken by the PEP >> is too limiting to actually make things work for a large >> set of Python packages. >> >> It will basically only work for packages that do not interface >> to other external libraries (except for the few cases listed in >> the PEP, e.g. X11, GL, which aren't always installed or >> available either). > > The list of allowed libraries is exactly the same list of libraries as are > required by the Anaconda python distribution, so we *know* that it works > for about a hundred different python packages, including lots of tricky > ones (the whole scientific stack), and had been tested by tens or hundreds > of thousands of users. so this is x86_64-linux-gnu. Any other architectures? Any reason to choose gcc 4.8.2 which is known for it's defects? This whole thing looks like an Anaconda marketing PEP ... Matthias From donald at stufft.io Thu Jan 21 15:08:24 2016 From: donald at stufft.io (Donald Stufft) Date: Thu, 21 Jan 2016 15:08:24 -0500 Subject: [Distutils] draft PEP: manylinux1 In-Reply-To: References:

Message-ID: > On Jan 21, 2016, at 1:43 PM, Nathaniel Smith wrote: > > On Jan 21, 2016 9:32 AM, "Donald Stufft" > wrote: > > > > > > > On Jan 20, 2016, at 10:55 PM, Nathaniel Smith > wrote: > > > > > > The permitted external shared libraries are: :: > > > > > > libpanelw.so.5 > > > libncursesw.so.5 > > > libgcc_s.so.1 > > > libstdc++.so.6 > > > libm.so.6 > > > libdl.so.2 > > > librt.so.1 > > > libcrypt.so.1 > > > libc.so.6 > > > libnsl.so.1 > > > libutil.so.1 > > > libpthread.so.0 > > > libX11.so.6 > > > libXext.so.6 > > > libXrender.so.1 > > > libICE.so.6 > > > libSM.so.6 > > > libGL.so.1 > > > libgobject-2.0.so.0 > > > libgthread-2.0.so.0 > > > libglib-2.0.so.0 > > > > > > Forgive my, probably stupid, question? but why these libraries? Are these > > libraries unable to be reasonably statically linked like glibc is? > > It's not a stupid question at all :-). > > What we want is a list of libraries that are present, and compatible, and relevant, across the Linux distributions that most people use in practice. > > Unfortunately, there isn't really any formal specification or published data on this -- the only way to make such a list is to make a guess, start distributing software to lots of people based on your guess, wait for bug reports to come in, edit your list to avoid the problematic libraries, add some more libraries to your list to cover the new packages you've added to your distribution and where you think the risk is a worthwhile trade off versus just static linking, then repeat until you stop getting bug reports. > > This is expensive and time consuming and requires data we don't have, so we delegated: the list in the PEP is exactly the set of libraries that Continuum's Anaconda distribution links to and a subset of the libraries that Enthought's Canopy links to [1]. They've both been going through the loop above for years, with lots of packages, and lots of lots of downloads, so we're piggybacking off their effort. > > Here's the list of packages in Anaconda: > http://docs.continuum.io/anaconda/pkg-docs > I guess my underlying question is, if we?re considering static linking (or shipping the .so dll style) to be good enough for everything not on this list, why are these specific packages on the list? Why are we not selecting the absolute bare minimum packages that you *cannot* reasonably static link or ship the .so? ----------------- Donald Stufft PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 842 bytes Desc: Message signed with OpenPGP using GPGMail URL: From rmcgibbo at gmail.com Thu Jan 21 15:11:56 2016 From: rmcgibbo at gmail.com (Robert T. McGibbon) Date: Thu, 21 Jan 2016 12:11:56 -0800 Subject: [Distutils] draft PEP: manylinux1 In-Reply-To: <56A13789.9050000@ubuntu.com> References: <56A09EDF.3000500@egenix.com> <56A0AD76.7090107@egenix.com> <56A13789.9050000@ubuntu.com> Message-ID: On Jan 21, 2016 12:04 PM, "Matthias Klose" wrote: > so this is x86_64-linux-gnu. Any other architectures? Any reason to choose gcc 4.8.2 which is known for it's defects? I'm not aware of those defects. Can you share more information? -Robert -------------- next part -------------- An HTML attachment was scrubbed... URL: From njs at pobox.com Thu Jan 21 15:14:35 2016 From: njs at pobox.com (Nathaniel Smith) Date: Thu, 21 Jan 2016 12:14:35 -0800 Subject: [Distutils] draft PEP: manylinux1 In-Reply-To: <56A13789.9050000@ubuntu.com> References: <56A09EDF.3000500@egenix.com> <56A0AD76.7090107@egenix.com> <56A13789.9050000@ubuntu.com> Message-ID: On Thu, Jan 21, 2016 at 11:54 AM, Matthias Klose wrote: > On 21.01.2016 17:13, Nathaniel Smith wrote: >> >> On Jan 21, 2016 2:07 AM, "M.-A. Lemburg" wrote: >>> >>> >>> On 21.01.2016 10:31, Nick Coghlan wrote: >>>> >>>> On 21 January 2016 at 19:03, M.-A. Lemburg wrote: >>>>> >>>>> By using the version based approach, we'd not run into this >>>>> problem and gain a lot more. >>>> >>>> >>>> I think it's better to start with a small core that we *know* works, >>>> then expand later, rather than trying to make the first iteration too >>>> wide. The "manylinux1" tag itself is versioned (hence the "1" at the >>>> end), so "manylinux2" may simply have *more* libraries defined, rather >>>> than newer ones. >>> >>> >>> My argument is that the file based approach taken by the PEP >>> is too limiting to actually make things work for a large >>> set of Python packages. >>> >>> It will basically only work for packages that do not interface >>> to other external libraries (except for the few cases listed in >>> the PEP, e.g. X11, GL, which aren't always installed or >>> available either). >> >> >> The list of allowed libraries is exactly the same list of libraries as are >> required by the Anaconda python distribution, so we *know* that it works >> for about a hundred different python packages, including lots of tricky >> ones (the whole scientific stack), and had been tested by tens or hundreds >> of thousands of users. > > > so this is x86_64-linux-gnu. Any other architectures? That's by far the dominant architecture for Linux workstations and servers, so that's what we've focused on, yeah. I assume that mainstream glibc-using distros on x86-32 and ARM are similar; unless someone wants to go do the research somehow then I think the simplest way forward is to proceed on the assumption that the same spec will work, and then fix it up if/when it turns out to break. > Any reason to choose > gcc 4.8.2 which is known for it's defects? It's the most recent version of gcc that's able to target CentOS 5 (thanks to RH's backporting efforts in their "devtoolset" releases), and CentOS 5 is the target baseline that's currently used by approximately everyone who distributes universal linux binaries (google e.g. "holy build box"). > This whole thing looks like an > Anaconda marketing PEP ... Anaconda's main selling point is that they provide binaries that "just work", and pip doesn't. Not sure how improving pip to be a stronger competitor to Anaconda is Anaconda marketing. -n -- Nathaniel J. Smith -- https://vorpus.org From doko at ubuntu.com Thu Jan 21 15:18:22 2016 From: doko at ubuntu.com (Matthias Klose) Date: Thu, 21 Jan 2016 21:18:22 +0100 Subject: [Distutils] draft PEP: manylinux1 In-Reply-To: References: Message-ID: <56A13D0E.5000605@ubuntu.com> On 21.01.2016 04:55, Nathaniel Smith wrote: the choice of compiler is questionable. Just a pick into a release series. Not even the last released version on this release series. Is this a good choice? Maybe for x86_64 and i386, but not for anything else. > The permitted external shared libraries are: :: > > libpanelw.so.5 > libncursesw.so.5 this doesn't include libtinfo, dependency of libncursesw. > libgcc_s.so.1 > libstdc++.so.6 if you insist on a version built from before GCC 5, you are in trouble with the libstdc++ ABI. So maybe link that one statically. > libgobject-2.0.so.0 > libgthread-2.0.so.0 > libglib-2.0.so.0 while glib2.0 is somehow frozen, what will you do if these change the soname? libgfortran is missing from this list while later down you mention gfortran. This will include libquadmath too. Any reason to not list libz? > Compilation and Tooling > ======================= so how are people supposed to build these wheels? will you provide a development distribution, or do you "trust" people building such wheels? > Platform Detection for Installers > ================================= > > Because the ``manylinux1`` profile is already known to work for the many > thousands of users of popular commercial Python distributions, we suggest that > installation tools like ``pip`` should error on the side of assuming that a > system *is* compatible, unless there is specific reason to think otherwise. > > We know of three main sources of potential incompatibility that are likely to > arise in practice: > > * A linux distribution that is too old (e.g. RHEL 4) > * A linux distribution that does not use glibc (e.g. Alpine Linux, which is > based on musl libc, or Android) > * Eventually, in the future, there may exist distributions that break > compatibility with this profile add: "A Linux distribution that is built with clang", e.g. Mageia (libc++ instead of libstdc++). > Security Implications > ===================== > > One of the advantages of dependencies on centralized libraries in Linux is > that bugfixes and security updates can be deployed system-wide, and > applications which depend on on these libraries will automatically feel the > effects of these patches when the underlying libraries are updated. This can > be particularly important for security updates in packages communication > across the network or cryptography. > > ``manylinux1`` wheels distributed through PyPI that bundle security-critical > libraries like OpenSSL will thus assume responsibility for prompt updates in > response disclosed vulnerabilities and patches. This closely parallels the > security implications of the distribution of binary wheels on Windows that, > because the platform lacks a system package manager, generally bundle their > dependencies. In particular, because its lacks a stable ABI, OpenSSL cannot be > included in the ``manylinux1`` profile. so you rely on the python build to provide this and access OpenSSL through the standard library? From my point of view this draft is too much influenced by Anaconda and their needs. It doesn't talk at all about interaction with other system libraries, or interaction with extensions provided by distributions. Matthias From donald at stufft.io Thu Jan 21 15:21:55 2016 From: donald at stufft.io (Donald Stufft) Date: Thu, 21 Jan 2016 15:21:55 -0500 Subject: [Distutils] draft PEP: manylinux1 In-Reply-To: References: <56A09EDF.3000500@egenix.com> <56A0AD76.7090107@egenix.com> <56A13789.9050000@ubuntu.com> Message-ID: <8BCA8DD9-B71E-41A5-AB4E-2B7A19209557@stufft.io> > On Jan 21, 2016, at 3:14 PM, Nathaniel Smith wrote: > > On Thu, Jan 21, 2016 at 11:54 AM, Matthias Klose wrote: >> On 21.01.2016 17:13, Nathaniel Smith wrote: >>> >>> On Jan 21, 2016 2:07 AM, "M.-A. Lemburg" wrote: >>>> >>>> >>>> On 21.01.2016 10:31, Nick Coghlan wrote: >>>>> >>>>> On 21 January 2016 at 19:03, M.-A. Lemburg wrote: >>>>>> >>>>>> By using the version based approach, we'd not run into this >>>>>> problem and gain a lot more. >>>>> >>>>> >>>>> I think it's better to start with a small core that we *know* works, >>>>> then expand later, rather than trying to make the first iteration too >>>>> wide. The "manylinux1" tag itself is versioned (hence the "1" at the >>>>> end), so "manylinux2" may simply have *more* libraries defined, rather >>>>> than newer ones. >>>> >>>> >>>> My argument is that the file based approach taken by the PEP >>>> is too limiting to actually make things work for a large >>>> set of Python packages. >>>> >>>> It will basically only work for packages that do not interface >>>> to other external libraries (except for the few cases listed in >>>> the PEP, e.g. X11, GL, which aren't always installed or >>>> available either). >>> >>> >>> The list of allowed libraries is exactly the same list of libraries as are >>> required by the Anaconda python distribution, so we *know* that it works >>> for about a hundred different python packages, including lots of tricky >>> ones (the whole scientific stack), and had been tested by tens or hundreds >>> of thousands of users. >> >> >> so this is x86_64-linux-gnu. Any other architectures? > > That's by far the dominant architecture for Linux workstations and > servers, so that's what we've focused on, yeah. I assume that > mainstream glibc-using distros on x86-32 and ARM are similar; unless > someone wants to go do the research somehow then I think the simplest > way forward is to proceed on the assumption that the same spec will > work, and then fix it up if/when it turns out to break. Numbers! Here?s the # of downloads from PyPI in the last week or so that we can identify as a linux machine using pip and what the value of their platform.machine() is: https://caremad.io/s/SIxbkCB82C/ ----------------- Donald Stufft PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 842 bytes Desc: Message signed with OpenPGP using GPGMail URL: From matthew.brett at gmail.com Thu Jan 21 14:05:27 2016 From: matthew.brett at gmail.com (Matthew Brett) Date: Thu, 21 Jan 2016 11:05:27 -0800 Subject: [Distutils] draft PEP: manylinux1 In-Reply-To: <56A0AD76.7090107@egenix.com> References: <56A09EDF.3000500@egenix.com> <56A0AD76.7090107@egenix.com> Message-ID: Hi, On Thu, Jan 21, 2016 at 2:05 AM, M.-A. Lemburg wrote: > On 21.01.2016 10:31, Nick Coghlan wrote: >> On 21 January 2016 at 19:03, M.-A. Lemburg wrote: >>> By using the version based approach, we'd not run into this >>> problem and gain a lot more. >> >> I think it's better to start with a small core that we *know* works, >> then expand later, rather than trying to make the first iteration too >> wide. The "manylinux1" tag itself is versioned (hence the "1" at the >> end), so "manylinux2" may simply have *more* libraries defined, rather >> than newer ones. > > My argument is that the file based approach taken by the PEP > is too limiting to actually make things work for a large > set of Python packages. > > It will basically only work for packages that do not interface > to other external libraries (except for the few cases listed in > the PEP, e.g. X11, GL, which aren't always installed or > available either). > > IMO, testing the versions of a set of libraries is a safer > approach. It's perfectly fine to have a few dependencies > not work in a module because an optional system package is not > installed, e.g. say a package comes with UIs written in > Qt and one in GTK. Please forgive my slowness, but I don't understand exactly what you mean. Can you give a specific example? Say my package depends on libpng. Call the machine I'm installing on the client machine. Are you saying that, when I build a wheel, I should specify to the wheel what versions of libpng I can tolerate on the the client machine, and if if the client does have a compatible version, then pip should raise an error, perhaps with a useful message about how to get libpng? If you do mean that, how do you want the PEP changed? Best, Matthew From matthew.brett at gmail.com Thu Jan 21 14:48:16 2016 From: matthew.brett at gmail.com (Matthew Brett) Date: Thu, 21 Jan 2016 11:48:16 -0800 Subject: [Distutils] draft PEP: manylinux1 In-Reply-To: References: Message-ID: Hi, On Thu, Jan 21, 2016 at 11:42 AM, Chris Barker wrote: > nice, idea, but.... > > libX11.so.6 > libXext.so.6 > libXrender.so.1 > libGL.so.1 > > These are all X11, yes? pretty much any workstation will have these, but in > general, servers won't. > > Someone on this thread suggested that that's OK -- don't expect a GUI > package to work on a linux box without a GUI. But some of these libs might > get used for stuff like back-end rendering, etc, so would be expected to > work on a headless box. I think Anaconda an Canopy have gotten away with > this because both of their user bases are primarily desktop data analysis > type of stuff -- not web services, web servers, etc. Someone administering a headless server will surely be able to cope with that problem, and the trade-off of convenience for the large majority of users seems like a good one to me. > Then there is the "additional libs" problem. Again, Anaconda and Canopy can > do this because they are providing those libs - lots of stuff you'd > generally expect to be there in a typical *nix system stuff like libpng, > libjpeg, who knows what they heck else. > > So without a plan to provide all that stuff -- I"m not sure of the utility > of this -- how are you gong to get PIL/Pillow to work? statically link up > the ying-yang? Not sure the linux world will take to that. That's exactly how the current OSX Pillow wheels work, and they've been working fine for a while now. There just aren't that many libraries to worry about for the vast majority of packages. Cheers, Matthew From matthew.brett at gmail.com Thu Jan 21 14:22:11 2016 From: matthew.brett at gmail.com (Matthew Brett) Date: Thu, 21 Jan 2016 11:22:11 -0800 Subject: [Distutils] draft PEP: manylinux1 In-Reply-To: References: <56A09EDF.3000500@egenix.com> <56A0AD76.7090107@egenix.com> Message-ID: On Thu, Jan 21, 2016 at 11:05 AM, Matthew Brett wrote: > Hi, > > On Thu, Jan 21, 2016 at 2:05 AM, M.-A. Lemburg wrote: >> On 21.01.2016 10:31, Nick Coghlan wrote: >>> On 21 January 2016 at 19:03, M.-A. Lemburg wrote: >>>> By using the version based approach, we'd not run into this >>>> problem and gain a lot more. >>> >>> I think it's better to start with a small core that we *know* works, >>> then expand later, rather than trying to make the first iteration too >>> wide. The "manylinux1" tag itself is versioned (hence the "1" at the >>> end), so "manylinux2" may simply have *more* libraries defined, rather >>> than newer ones. >> >> My argument is that the file based approach taken by the PEP >> is too limiting to actually make things work for a large >> set of Python packages. >> >> It will basically only work for packages that do not interface >> to other external libraries (except for the few cases listed in >> the PEP, e.g. X11, GL, which aren't always installed or >> available either). >> >> IMO, testing the versions of a set of libraries is a safer >> approach. It's perfectly fine to have a few dependencies >> not work in a module because an optional system package is not >> installed, e.g. say a package comes with UIs written in >> Qt and one in GTK. > > Please forgive my slowness, but I don't understand exactly what you > mean. Can you give a specific example? > > Say my package depends on libpng. > > Call the machine I'm installing on the client machine. > > Are you saying that, when I build a wheel, I should specify to the > wheel what versions of libpng I can tolerate on the the client > machine, and if if the client does have a compatible version, then pip > should raise an error, perhaps with a useful message about how to get > libpng? Sorry, slowness any typos - corrected: Are you saying that, when I build a wheel, I should specify to the wheel what versions of libpng I can tolerate on the the client machine, and if the client does _not_ have a compatible version, then pip should raise an error, perhaps with a useful message about how to get libpng? Best again, Matthew From matthew.brett at gmail.com Thu Jan 21 15:03:51 2016 From: matthew.brett at gmail.com (Matthew Brett) Date: Thu, 21 Jan 2016 12:03:51 -0800 Subject: [Distutils] draft PEP: manylinux1 In-Reply-To: References:

Message-ID: Hi, On Thu, Jan 21, 2016 at 11:57 AM, Chris Barker wrote: > On Thu, Jan 21, 2016 at 11:48 AM, Matthew Brett > wrote: >> >> > So without a plan to provide all that stuff -- I"m not sure of the >> > utility >> > of this -- how are you gong to get PIL/Pillow to work? statically link >> > up >> > the ying-yang? Not sure the linux world will take to that. >> >> That's exactly how the current OSX Pillow wheels work, and they've >> been working fine for a while now. There just aren't that many >> libraries to worry about for the vast majority of packages. > > > well, that was really intended to be only an example. And OS-X provides more > basic libs than manylinux anyway (zlib, freetype, either png or jpeg, can't > remember which). > > The library list got long enough to drive me crazy -- I guess you've got > more patience than I have. Tried to build any OSGEO stuff lately? I'm sure there are packages that would be hard to build, but for the vast majority of packages, getting a build recipe is a one-time only job which might (in bad cases) take a day or so, and then can be maintained from time to time by the package maintainer. The Pillow wheel builder is a good example - I built the prototype, but the Pillow guys own and maintain it now. I don't think it's sensible to veto all linux wheels because there are some packages that will be hard to build. Cheers, Matthew From rmcgibbo at gmail.com Thu Jan 21 16:33:02 2016 From: rmcgibbo at gmail.com (Robert T. McGibbon) Date: Thu, 21 Jan 2016 13:33:02 -0800 Subject: [Distutils] draft PEP: manylinux1 In-Reply-To: References:

Message-ID: On Thu, Jan 21, 2016 at 12:08 PM, Donald Stufft wrote: > > I guess my underlying question is, if we?re considering static linking (or > shipping the .so dll style) to be good enough for everything not on this > list, why are these specific packages on the list? Why are we not selecting > the absolute bare minimum packages that you *cannot* reasonably static link > or ship the .so? > This is a fair question. The principle, practical reason is that we followed the lead of what other projects have done here for distributing cross-distro binaries, especially Anaconda and Canopy. I also just looked at the external libraries required by the portable firefox Linux binaries ( https://www.mozilla.org/en-US/firefox/43.0.4/system-requirements/). The additional shared libraries that the firefox pre-compiled binaries require that are not included in our list are libXcomposite.so.1 libXdamage.so.1 libXfixes.so.3 libXt.so.6 libasound.so.2 libatk-1.0.so.0 libcairo.so.2 libdbus-1.so.3 libdbus-glib-1.so.2 libfontconfig.so.1 libfreetype.so.6 libgdk-x11-2.0.so.0 libgdk_pixbuf-2.0.so.0 libgio-2.0.so.0 libgmodule-2.0.so.0 libgtk-x11-2.0.so.0 libpango-1.0.so.0 libpangocairo-1.0.so.0 libpangoft2-1.0.so.0 I would be open to including some of these libraries in the manylinux1 policy, or in a subsequent update (manylinux2, etc). -Robert -------------- next part -------------- An HTML attachment was scrubbed... URL: From njs at pobox.com Thu Jan 21 16:33:59 2016 From: njs at pobox.com (Nathaniel Smith) Date: Thu, 21 Jan 2016 13:33:59 -0800 Subject: [Distutils] draft PEP: manylinux1 In-Reply-To: <56A13D0E.5000605@ubuntu.com> References: <56A13D0E.5000605@ubuntu.com> Message-ID: On Thu, Jan 21, 2016 at 12:18 PM, Matthias Klose wrote: > On 21.01.2016 04:55, Nathaniel Smith wrote: > > the choice of compiler is questionable. Just a pick into a release series. > Not even the last released version on this release series. Is this a good > choice? Maybe for x86_64 and i386, but not for anything else. There's no mandatory compiler. The rule is basically: "if your wheel works when given access to CentOS 5's versions of the following packages: ..., then your wheel is manylinux1 compatible". Any method for achieving that is fair game :-). The RH devtoolset fork of gcc 4.8 happens to be the only C++11-supporting compiler that we know of that can produce binaries that accomplish that, but if you have another compiler that works better for you then go for it. >> The permitted external shared libraries are: :: >> >> libpanelw.so.5 >> libncursesw.so.5 > > > this doesn't include libtinfo, dependency of libncursesw. > >> libgcc_s.so.1 >> libstdc++.so.6 > > > if you insist on a version built from before GCC 5, you are in trouble with > the libstdc++ ABI. So maybe link that one statically. The libstdc++ ABI is forward compatible across the GCC 4/GCC 5 transition; the exception is if you want to pass C++ stdlib objects directly between code compiled with GCC 4 and code compiled with GCC 5. This is extremely rare, since Python packages almost never provide a C++ ABI to other Python packages. (I don't know of any examples of this.) If it does come up then those package authors will have to figure out how they want to handle it, yes, possibly via picking a more modern libstdc++ and agreeing to all use it together. >> libgobject-2.0.so.0 >> libgthread-2.0.so.0 >> libglib-2.0.so.0 > > > while glib2.0 is somehow frozen, what will you do if these change the > soname? > > libgfortran is missing from this list while later down you mention gfortran. > This will include libquadmath too. libgfortran is missing intentionally, because it turns out from experience that lots of end-user systems don't have it installed out of the box. You'll notice that the numpy wheels I posted earlier include libgfortran inside them. (libquadmath is optional though -- you can build gfortran with --disable-libquadmath-support and get a toolchain that generates binaries that don't depend on libquadmath.) > Any reason to not list libz? > >> Compilation and Tooling >> ======================= > > > so how are people supposed to build these wheels? will you provide a > development distribution, or do you "trust" people building such wheels? We currently provide a docker image (docker pull quay.io/manylinux/manylinux) and a tool that checks wheels for compliance and can in many cases automatically vendor any needed shared libraries (pip3 install auditwheel). In the end of course we can't force people to use these tools -- there's nothing that will actually stop someone from renaming a Windows wheel to say "manylinux1" in the platform tag and uploading it somewhere :-) -- but our experience with OS X wheels is that if you provide good docs and tools then people will generally get it right. Package authors generally don't set out to build broken packages that frustrate users ;-) >> Platform Detection for Installers >> ================================= >> >> Because the ``manylinux1`` profile is already known to work for the many >> thousands of users of popular commercial Python distributions, we suggest >> that >> installation tools like ``pip`` should error on the side of assuming that >> a >> system *is* compatible, unless there is specific reason to think >> otherwise. >> >> We know of three main sources of potential incompatibility that are likely >> to >> arise in practice: >> >> * A linux distribution that is too old (e.g. RHEL 4) >> * A linux distribution that does not use glibc (e.g. Alpine Linux, which >> is >> based on musl libc, or Android) >> * Eventually, in the future, there may exist distributions that break >> compatibility with this profile > > > add: "A Linux distribution that is built with clang", e.g. Mageia (libc++ > instead of libstdc++). Interesting point. It looks like from some quick googling that even Mageia does provide a libstdc++6 package, though, presumably because of these kinds of compatibility issues? >> Security Implications >> ===================== >> >> One of the advantages of dependencies on centralized libraries in Linux is >> that bugfixes and security updates can be deployed system-wide, and >> applications which depend on on these libraries will automatically feel >> the >> effects of these patches when the underlying libraries are updated. This >> can >> be particularly important for security updates in packages communication >> across the network or cryptography. >> >> ``manylinux1`` wheels distributed through PyPI that bundle >> security-critical >> libraries like OpenSSL will thus assume responsibility for prompt updates >> in >> response disclosed vulnerabilities and patches. This closely parallels the >> security implications of the distribution of binary wheels on Windows >> that, >> because the platform lacks a system package manager, generally bundle >> their >> dependencies. In particular, because its lacks a stable ABI, OpenSSL >> cannot be >> included in the ``manylinux1`` profile. > > > so you rely on the python build to provide this and access OpenSSL through > the standard library? That is one strategy that's available to packages who need access to OpenSSL, yes. > From my point of view this draft is too much influenced by Anaconda and > their needs. It doesn't talk at all about interaction with other system > libraries, or interaction with extensions provided by distributions. It's true that it doesn't do those things, just like there's no PEP talking about how pip on Windows should interact with nuget or how pip on OS X should interact with homebrew. This is a first step, the perfect is the enemy of the good, etc. -n -- Nathaniel J. Smith -- https://vorpus.org From njs at pobox.com Thu Jan 21 16:42:07 2016 From: njs at pobox.com (Nathaniel Smith) Date: Thu, 21 Jan 2016 13:42:07 -0800 Subject: [Distutils] draft PEP: manylinux1 In-Reply-To: References: <56A09EDF.3000500@egenix.com> Message-ID: On Thu, Jan 21, 2016 at 1:31 AM, Nick Coghlan wrote: > I think it's better to start with a small core that we *know* works, > then expand later, rather than trying to make the first iteration too > wide. The "manylinux1" tag itself is versioned (hence the "1" at the > end), so "manylinux2" may simply have *more* libraries defined, rather > than newer ones. We wouldn't even necessarily need to bump the version number, since the main thing the "manylinux1" tag does is serve as a notice to pip about whether a wheel is likely to work on a given system. If after experience we realize that in fact there are more libraries that would work on those same systems, then we can release a "manylinux 1.1" document that updates the guidance to package authors but continues to use the "manylinux1" tag and leaves the same code in pip. (And ditto if we realize that there are libraries on the list that shouldn't be.) -n -- Nathaniel J. Smith -- https://vorpus.org From solipsis at pitrou.net Thu Jan 21 16:58:29 2016 From: solipsis at pitrou.net (Antoine Pitrou) Date: Thu, 21 Jan 2016 22:58:29 +0100 Subject: [Distutils] draft PEP: manylinux1 References: Message-ID: <20160121225829.7504847c@fsol> On Thu, 21 Jan 2016 11:42:57 -0800 Chris Barker wrote: > nice, idea, but.... > > libX11.so.6 > libXext.so.6 > libXrender.so.1 > libGL.so.1 > > These are all X11, yes? pretty much any workstation will have these, but in > general, servers won't. For the record, not having or not running a X11 server doesn't mean you don't have a subset of the corresponding *libraries*. For example, I have a Debian jessie server and, while there's no X11-related executable on the machine, I still have the following libraries installed: $ dpkg -l | grep X [...] ii libpangox-1.0-0:amd64 0.0.2-5 amd64 pango library X backend ii libpixman-1-0:amd64 0.32.6-3 amd64 pixel-manipulation library for X and cairo ii libpod-latex-perl 0.61-1 all module to convert Pod data to formatted LaTeX ii libx11-6:amd64 2:1.6.2-3 amd64 X11 client-side library ii libx11-data 2:1.6.2-3 all X11 client-side library ii libxau6:amd64 1:1.0.8-1 amd64 X11 authorisation library ii libxcb-render0:amd64 1.10-3+b1 amd64 X C Binding, render extension ii libxcb-shm0:amd64 1.10-3+b1 amd64 X C Binding, shm extension ii libxcb1:amd64 1.10-3+b1 amd64 X C Binding ii libxdmcp6:amd64 1:1.1.1-1+b1 amd64 X11 Display Manager Control Protocol library ii libxext6:amd64 2:1.3.3-1 amd64 X11 miscellaneous extension library ii libxft2:amd64 2.3.2-1 amd64 FreeType-based font drawing library for X ii libxml2:amd64 2.9.1+dfsg1-5+deb8u1 amd64 GNOME XML library ii libxpm4:amd64 1:3.5.11-1+b1 amd64 X11 pixmap library ii libxrender1:amd64 1:0.9.8-1+b1 amd64 X Rendering Extension client library ii xkb-data 2.12-1 all X Keyboard Extension (XKB) configuration data [...] Regards Antoine. From cournape at gmail.com Thu Jan 21 17:04:41 2016 From: cournape at gmail.com (David Cournapeau) Date: Thu, 21 Jan 2016 22:04:41 +0000 Subject: [Distutils] draft PEP: manylinux1 In-Reply-To: References: Message-ID: On Thu, Jan 21, 2016 at 7:42 PM, Chris Barker wrote: > nice, idea, but.... > > libX11.so.6 > libXext.so.6 > libXrender.so.1 > libGL.so.1 > > These are all X11, yes? pretty much any workstation will have these, but > in general, servers won't. > Those would be required by GUI packages. People who know how to install headless systems would know how to handle errors because of missing sonames. I can talk from experience that this problem does not happen often. Note that this set of libraries was built from both what anaconda and canopy do > > Someone on this thread suggested that that's OK -- don't expect a GUI > package to work on a linux box without a GUI. But some of these libs might > get used for stuff like back-end rendering, etc, so would be expected to > work on a headless box. I think Anaconda an Canopy have gotten away with > this because both of their user bases are primarily desktop data analysis > type of stuff -- not web services, web servers, etc. > This is not true for us at Enthought, and I would be surprised if it were for anaconda. > So without a plan to provide all that stuff -- I"m not sure of the utility > of this -- how are you gong to get PIL/Pillow to work? statically link up > the ying-yang? Not sure the linux world will take to that. > We can explain how things work in details for some packages, but the main rationale for the PEP list is that this is a list that works in practice. It has worked well for us at Enthought for many years, and it has for (Ana)conda as well. Between both distributions, we are talking about millions of installs over the year, on many different systems. David -------------- next part -------------- An HTML attachment was scrubbed... URL: From cournape at gmail.com Thu Jan 21 17:08:13 2016 From: cournape at gmail.com (David Cournapeau) Date: Thu, 21 Jan 2016 22:08:13 +0000 Subject: [Distutils] draft PEP: manylinux1 In-Reply-To: References: Message-ID: On Thu, Jan 21, 2016 at 10:04 PM, David Cournapeau wrote: > > > On Thu, Jan 21, 2016 at 7:42 PM, Chris Barker > wrote: > >> nice, idea, but.... >> >> libX11.so.6 >> libXext.so.6 >> libXrender.so.1 >> libGL.so.1 >> >> These are all X11, yes? pretty much any workstation will have these, but >> in general, servers won't. >> > > Those would be required by GUI packages. People who know how to install > headless systems would know how to handle errors because of missing sonames. > I would also mention that at Enthought, we have a fairly comprehensive testing policy for our packages (e.g. running the test suite of a package at every build as much as possible). We do the testing under headless environments on every platform as much as possible, and it works for maybe 95 % of the packages (including things like matplotlib, etc...). E.g. on Linux, most packages work well with a framebuffer if you only care about offline rendering or testing. David I can talk from experience that this problem does not happen often. > > Note that this set of libraries was built from both what anaconda and > canopy do > >> >> Someone on this thread suggested that that's OK -- don't expect a GUI >> package to work on a linux box without a GUI. But some of these libs might >> get used for stuff like back-end rendering, etc, so would be expected to >> work on a headless box. I think Anaconda an Canopy have gotten away with >> this because both of their user bases are primarily desktop data analysis >> type of stuff -- not web services, web servers, etc. >> > > This is not true for us at Enthought, and I would be surprised if it were > for anaconda. > > >> So without a plan to provide all that stuff -- I"m not sure of the >> utility of this -- how are you gong to get PIL/Pillow to work? statically >> link up the ying-yang? Not sure the linux world will take to that. >> > > We can explain how things work in details for some packages, but the main > rationale for the PEP list is that this is a list that works in practice. > It has worked well for us at Enthought for many years, and it has for > (Ana)conda as well. Between both distributions, we are talking about > millions of installs over the year, on many different systems. > > David > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From cournape at gmail.com Thu Jan 21 17:11:32 2016 From: cournape at gmail.com (David Cournapeau) Date: Thu, 21 Jan 2016 22:11:32 +0000 Subject: [Distutils] draft PEP: manylinux1 In-Reply-To: <56A13D0E.5000605@ubuntu.com> References: