Andres, maybe we can add Luciano (luci...@debian.org), who is the maintainer of the w3af package in Debian, to CC?

>>> * The pdfminer issue occurred because we had this requirement:
>>> pdfminer (no version requirement)
>>> * If we specify something like: pdfminer>=3, then we're fine until
>>> they release version 4 which breaks their API and w3af breaks
>>
>> Breaking of API is unusual and infrequent case in normal software.
>
> Agreed, but we already found one issue with this and don't want to
> find more in the future.

How old is the w3af project? How many times has this (breaking of a 3rd party API) happened? If it's the first one, then maybe it's too excessive a workaround?

Of course it is possible that we will have some similar issues in the future. But as for me, it is not a reason to specify exact versions of dependencies. It is a reason to keep a really small number of core dependencies. And these dependencies should be well-maintained packages.

> I thought that specifying the exact version
> was the best solution, but at least for what you're saying, it is not.
> Can you propose a solution that will be bullet-proof?

My view on w3af dependency management is:

1. Bring back the dependency check with a >= condition.
2. We should separate core and plugin requirements.
3. We should make it possible to run w3af without installing all plugin dependencies. It can be done with a special argument to w3af_console called "-l" or "--lazy". This parameter will force w3af not to check plugin dependencies (or even switch off the dependency checker entirely!). If the user specifies a plugin with an external dependency that is not installed, w3af will show a message on how to install it using e.g. pip. Without such a parameter w3af will run as it currently does. **So default behavior will not be changed.**
4. Such an improvement will make it easier to make e.g. a Debian/Ubuntu package of w3af. Core dependencies will be in the "Depends:" section and plugin dependencies will be in the "Recommends:" section. If some plugin dependency is not in the repository, no problem, because the user can install it via pip.

If you agree with this I will code it.
>
>> In another case it will break current package system ideology in Linux
>> distros.
>
> Not sure why you say that? Could you please explain?
>
>> Just try to find e.g. in Ubuntu repository package with such strict
>> dependencies. It will be difficult task!
>
> Which command do I run to get such a list?

I simply tried looking at some well-known Python-based packages like Sonata, Inkscape, Calibre, Exaile. The same is true for usual software:

$ apt-cache show firefox

> Also, there should be a way in ubuntu packaging to solve this issue... I
> believe it's not a big
> deal and we're not unique. I bet there are many packages which are in
> this dilemma:
>
> * Package A depends on library X version 1
> * Package B depends on library X version 2
> * A won't work with X.2
> * B won't work with X.1
> We certainly need a packaging expert for solving this part of the
> discussion! I don't know enough about it, or care enough to learn.
>
> If in the future someone wants to package w3af, I'll try to remember
> this discussion and let him know.
>
>>
>>> * If we specify the version: pdfminer==3, then we're fine for ever.
>>
>> Yes, we're fine, but **who** and **how** will be able to install and use
>> w3af? Virtualenv is not solution for the end user. Only for development.
>
> Who? Every user
> How?
>
> git clone ...
> cd w3af
> ./w3af_console
> <follow steps in output>
>
> The only problem I see here is that when following the steps in the
> output this might happen:
> * User installed in the past package A version 2 using apt-get install
> * User installs w3af using the instructions above
> * w3af requires A version 3
> * By following the instructions, A.2 is overwritten by A.3
>
> Is that what is worrying you?

I really worry about how to run and package w3af without painful dependency resolution on a Debian/Ubuntu system. It should be as easy as installing any other well-known software.

--
Taras
https://www.oxdef.info

_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
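
The core/plugin split and lazy mode proposed in the message above, sketched as an added example that is not part of the original e-mail or of w3af's code. The requirement tables, the plugin names, the `corelib` and `graphlib` packages, the minimum versions and all function names are constructed for illustration, and enforcing core requirements even in lazy mode is an assumption.

```python
"""Added example: ">=" dependency check split into core and plugin sets.
Requirement tables, plugin names and versions below are constructed."""

# Constructed tables (hypothetical; not w3af's real requirement lists).
CORE_REQUIREMENTS = {"corelib": "1.2"}
PLUGIN_REQUIREMENTS = {
    "pdf_reader": {"pdfminer": "3"},
    "graph_output": {"graphlib": "0.9"},
}


def parse_version(text):
    """Turn '3.0.1' into (3, 0, 1); assumes purely numeric dotted versions."""
    return tuple(int(part) for part in text.split("."))


def at_least(have, minimum):
    """True if version `have` >= `minimum`, padding so that '3' == '3.0'."""
    a, b = parse_version(have), parse_version(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def unmet(requirements, installed):
    """Return 'name>=minimum' for each requirement that is missing or too old."""
    failures = []
    for name, minimum in sorted(requirements.items()):
        have = installed.get(name)
        if have is None or not at_least(have, minimum):
            failures.append("%s>=%s" % (name, minimum))
    return failures


def check_dependencies(enabled_plugins, installed, lazy=False):
    """Return (fatal, hints): fatal specs stop startup, hints are pip commands."""
    # Assumption: core requirements are enforced even in lazy mode.
    fatal = unmet(CORE_REQUIREMENTS, installed)
    hints = []
    for plugin, reqs in sorted(PLUGIN_REQUIREMENTS.items()):
        missing = unmet(reqs, installed)
        if not lazy:
            fatal.extend(missing)  # default: every plugin dependency required
        elif plugin in enabled_plugins:
            hints.extend("pip install '%s'  # for plugin %s" % (spec, plugin)
                         for spec in missing)
    return fatal, hints
```

Note that `at_least("4.0", "3")` is true: a `>=` condition accepts a later major release, which is the breakage case raised in the quoted part of the thread.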