Re: [PATCH] selinux-testsuite: fix old python shebang in tests/overlay/access

[Paul Moore <paul@paul-moore.com>]

On Wed, Jun 19, 2019 at 12:04 PM Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On 6/19/19 10:40 AM, Paul Moore wrote:
> > On Wed, Jun 19, 2019 at 10:26 AM Stephen Smalley <sds@tycho.nsa.gov> wrote:
> >>
> >> /usr/bin/python is no longer installed by default, so this test
> >> script fails on default installs.
> >> Best practice guidance appears to be to switch to using
> >> /usr/bin/python3 instead, per
> >> https://docs.fedoraproject.org/en-US/packaging-guidelines/Python/
> >>
> >> Fixes: #46
> >> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
> >> ---
> >>   tests/overlay/access | 2 +-
> >>   1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > I think it would be better to reference the Python upstream guidance
> > regarding "python3" instead of the Fedora packaging guidelines.
> > Keeping things distro agnostic is a good goal whenever possible.
> >
> > * https://www.python.org/dev/peps/pep-0394
>
> When I looked for guidance in response to the github issue for
> selinux-testsuite [1], there seemed to be some ambiguity left by pep-0394:
>
> 1) It says "One exception to this is scripts that are deliberately
> written to be source compatible with both Python 2.x and 3.x. Such
> scripts may continue to use python on their shebang line.".  This leaves
> open the possibility of staying with "/usr/bin/python" as far as the pep
> is concerned since the script itself is not version-specific in any way,
> but doing so is not permitted by the Fedora guidelines and breaks on
> default installs of Fedora.

[SIDE NOTE: for some reason my mail is acting a bit odd - this got
buried in a folder and didn't bubble up like normal - my apologies on
the delay, I didn't see it until I was checking for patches today.]

Yes, I saw that too but considering that we are about six months away
from python2 going EOL I think it is reasonable to ignore python2 for
upstream work at this point.

> 2) It doesn't specify whether or not one should use "/usr/bin/env
> python3" or just "/usr/bin/python3".  The github issue reported had
> originally suggested the former, but this is also prohibited by the
> Fedora guidelines.

My initial reaction was that we should "/usr/bin/env" until I saw that
bit in the Fedora guidelines, which I honestly don't understand.  Does
anyone with a better understanding of cross-distro userspace know why
"/usr/bin/env" is bad?

> That's why I went with the Fedora guidelines.  Happy to use whatever but
> at least that particular PEP doesn't clearly motivate the use of
> "/usr/bin/python3" here.
>
> [1] https://github.com/SELinuxProject/selinux-testsuite/issues/46

Fair enough, I'll go ahead and merge it since it does fix a real
problem.  I did make once change to convert the "Fixes: #46" to use
the full URL, e.g. "Fixes: https://github.com..."; I think this helps
provide some necessary context (what if 10yrs from now we aren't on
github, what does "#46" reference?).

This is starting to stretch the topic a bit, but as far as "use
whatever" is concerned, I'd really like to see us keep moving towards
a more distro agnostic approach when it comes to upstream
development/testing/etc.  While SELinux has always had a "special"
relationship with Fedora/RH, we've seen SELinux grow quite a bit over
the years and I think it would be good to start trying to bring other
distros up to the same level as Fedora when it comes to SELinux
support.  I think one easy first step is to start looking beyond the
Fedora guidelines and see what other distros do/recommend.

> >> diff --git a/tests/overlay/access b/tests/overlay/access
> >> index 5a47eb145904..e50d5b402ebd 100755
> >> --- a/tests/overlay/access
> >> +++ b/tests/overlay/access
> >> @@ -1,4 +1,4 @@
> >> -#!/bin/python
> >> +#!/usr/bin/python3
> >>   import os, sys
> >>   try:
> >>           acc=eval("os.%s" % sys.argv[2])
> >> --
> >> 2.20.1
> >
>


-- 
paul moore
www.paul-moore.com