[tor-bugs] #10009 [Tor bundles/installation]: rethink the dependencies handling of PTBB

Tor Bug Tracker & Wiki blackhole at torproject.org
Sun Oct 27 06:42:19 UTC 2013 

#10009: rethink the dependencies handling of PTBB
------------------------------------------+-----------------
     Reporter:  infinity0                 |      Owner:  dcf
         Type:  enhancement               |     Status:  new
     Priority:  minor                     |  Milestone:
    Component:  Tor bundles/installation  |    Version:
   Resolution:                            |   Keywords:
Actual Points:                            |  Parent ID:
       Points:                            |
------------------------------------------+-----------------

Comment (by dcf):

 Replying to [ticket:10009 infinity0]:
 > The heavy amount of custom shell script just to get dependencies scares
 me and is a maintenance liability. py2exe at least automatically includes
 transitive deps in the build. I had a look at
 [http://docs.python.org/2/library/modulefinder.html ​modulefinder] but it
 is behaving in a weird way - for example, running my attached script on
 flashproxy-client for some reason gives setuptools as a dependency. There
 are also many false negatives due to conditional-imports, a feature unique
 to python.

 I think the main reason we copy packages individually and manually is that
 we need to be careful to comply with the licenses of all the software we
 ship. Usually all it takes is including a copy of their license and
 copyright notice. We also, as you say, want to be careful about not
 including packages that are not really needed, just for size reasons.

 One way would perhaps be to use modulefinder along with hints, like py2exe
 uses. Often you have to tell py2exe about specific packages to include or
 exclude. We could add special guard code to check if anything got copied
 in that we don't expect (that we might need a license for).

 > Also, do we have some usage statics for the GNU/Linux bundles? I should
 think most people use their distro's package manager for this... For Mac
 OS X we have to do a custom package in any case. :(

 Do you mean, are people using distro packages to run the Tor Browser
 Bundle, rather than downloading the binary tarball? I think that practice
 is not recommended, because Tor Browser isn't packaged, and it's dangerous
 to try to hook up a different browser to Tor. There is a ticket or other
 discussion somewhere about packaging Tor Browser for Debian or Ubuntu.
 (Micah Lee made [https://github.com/micahflee/torbrowser-launcher a
 package] that repacks the torproject.org bundles, but that's a bit
 different.)

 If you mean, why can't we just rely on already installed packages for some
 of the dependencies of the bundle, but it also means people would have to
 `apt-get install python-twisted` and a bunch of other things before using
 the bundle, and would prevent you from, for example, running a copy of the
 bundle from a USB drive on someone else's computer.

 I don't know of any usage counts and I suspect none exist (by design). I
 use the GNU/Linux bundles...

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/10009#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list