On Sun, Sep 26, 2021 at 12:53 PM Volker Braun <vbraun.n...@gmail.com> wrote:

> On OSX I don't feel comfortable recommending anyone to run a script as
> root so homebrew can barf random files into the filesystem. For security
> and maintainability we really need to be able to install Sage without
> having unsigned and effectively unversioned dependencies.
>

I don't really see how homebrew is different from a rolling Linux distro.
The core binaries are audited, etc etc.
Surely if you install arbitrary binary stuff (their "bottles") from a
non-standard location, then you're at risk (most if not all Linux systems
also have similar high-risk mechanisms), but that's not what you need to
build Sage with homebrew packages.
Certainly not if you use gfortran and other core packages such as gmp from
Homebrew, then you're as secure as with a Linux distro, IMHO.


> My suggestion would be to replace the toolchain packages with a local
> conda install, i.e. keep the part where our configure checks if a suitable
> gcc/gfortran/... is installed. If not then pull down miniconda and install
> a working toolchain into $SAGE_LOCAL/conda, instead of trying to compile
> it. That way we can easily offload the toolchain maintenance effort, and
> keep all the benefits.
>
>
I know nothing about security mitigations in conda-forge, are they
significantly stricter than ones in Homebrew?
Anyway, I don't see much benefit from automating this pulling. I think it's
better to tell the user upfront what they have to have installed
(including an option of using conda-forge, or mamba-forge), as an average
Sage user should be fine with Sage from conda-forge;
it's more flexible than binary Sage installs.

Dima

>
>
> On Friday, September 24, 2021 at 12:17:29 AM UTC+2 dim...@gmail.com wrote:
>
>> https://trac.sagemath.org/ticket/32532
>> <https://trac.sagemath.org/ticket/32532#comment:21> proposes to remove
>> these packages as not needed, and a huge time sink for everyone involved.
>>
>> Rationale: nowadays every platform that Sage supports has said tools (or
>> their equivalents - e.g. clang/clang++ in case of macOS and FreeBSD)
>> available, if not outright as a system package, but surely with a very
>> minimal effort.
>>
>> There is no need to carry this baggage forward.
>> Moreover, it seems that Sage is the only Python library/platform around
>> which (potentially) vendors gcc/g++/gfortran.
>>
>>

-- 
You received this message because you are subscribed to the Google Groups 
"sage-devel" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to sage-devel+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/sage-devel/CAAWYfq2awcHh%2BkBZq%2BcSAh6beTBQtmiMxuaWw91EVLc8amHJ4w%40mail.gmail.com.