Re: [PATCH 1/4] libselinux: compile Python bytecode when installing Python files

From: Nicolas Iooss <nicolas.iooss@m4x.org>
To: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: SElinux list <selinux@vger.kernel.org>
Subject: Re: [PATCH 1/4] libselinux: compile Python bytecode when installing Python files
Date: Sat, 9 Nov 2019 16:55:07 +0100	[thread overview]
Message-ID: <CAJfZ7=kihH_zrWHdYcR8qf9w9C_VSjcs4ShxUE1XeQv_VRG0eg@mail.gmail.com> (raw)
In-Reply-To: <CAJfZ7=mXrusf-yANsoEhKGrySUJJHG3AkL3ND1uGx13yWwvMGg@mail.gmail.com>

On Sun, Nov 3, 2019 at 9:57 PM Nicolas Iooss <nicolas.iooss@m4x.org> wrote:
>
> On Sat, Nov 2, 2019 at 9:18 PM Thomas Petazzoni
> <thomas.petazzoni@bootlin.com> wrote:
> >
> > Hello Nicolas,
> >
> > On Sat,  2 Nov 2019 18:28:09 +0100
> > Nicolas Iooss <nicolas.iooss@m4x.org> wrote:
> >
> > > When selinux module is imported from a Python script, the content of
> > > __init__.py is compiled into bytecode and the result is saved into a
> > > file if it is allowed. For example, when root runs with Python 3.7 a
> > > script that uses "import selinux" on a system where SELinux is in
> > > permissive mode, this file may be created:
> > >
> > >     /usr/lib/python3.7/site-packages/selinux/__pycache__/__init__.cpython-37.pyc
> > >
> > > Prevent this file from being dynamically created by creating it when
> > > libselinux is installed, using "python -m compileall".
> > >
> > > Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
> >
> > As far as I know, this not typically done by "setup.py install", and
> > this is generally left to distributions.
>
> Hello, this is done when a parameter such as "--optimize=1" is given
> to "python setup.py install". Such a parameter is described in Arch
> Linux packaging guidelines
> (https://wiki.archlinux.org/index.php/Python_package_guidelines#distutils).
> Nevertheless I agree it seems to be left to distributions whether to
> bytecode-compile Python modules.

I have spent some time working on these patches, and it appears that
the base assumption of "this not typically done by setup.py install"
is not true on my system (Arch Linux with Python 3.7): setup.py *DOES*
compile bytecode into .pyc files. What the distribution I'm using does
when packaging is giving a parameter such as --optimize=1 in order to
create .opt-1.pyc files too. Currently, python/sepolicy/Makefile
already uses setup.py (cf.
https://github.com/SELinuxProject/selinux/blob/selinux-python-3.0-rc1/python/sepolicy/Makefile#L30),
so .pyc files are already generated in some Makefiles of the project.

Could you please confirm that "setup.py install" does not compile
Python scripts into bytecode on your system? This test can be achieved
for example by cloning https://github.com/SELinuxProject/selinux,
running "make -C python/sepolicy DESTDIR=/tmp/selinux install" and
searching for .pyc files in /tmp/selinux.

If "setup.py install" produces .pyc files on every system, from my
point of view there are several alternatives that can be considered:

1. Keep the current behavior by default and introduce a COMPILE_PY
boolean variable in Makefiles that produces both .pyc and .opt-1.pyc
files in Makefiles that do not use setup.py.
2. Generate .pyc files everywhere (what my patches do), and introduce
a OPTIMIZE_PY boolean variable in Makefiles that is used to trigger
the compilation to .opt-1.pyc files.
3. Mix 2 and 3 by introducing both COMPILE_PY and OPTIMIZE_PY.
4. Find a way for "setup.py install" not to produce such files in
python/sepolicy/Makefile and do as 1 or 3.

(A 5th option would be to compile both .pyc and .opt-1.pyc files
without introducing new variables, but this would go against what
appears to be a legitimate user request)

My personal preference here would be either 1. or 2. Would one of
these options suits Buildroot maintainers better?

Thanks,
Nicolas