(Also, thanks everyone for so far taking extra effort to be civil when discussing the topic of vendored dependencies, which I know touches a nerve for people.)
On Sat, Feb 10, 2024 at 4:36 PM William Stein <wst...@gmail.com> wrote: > > Hi Dima, > > I believe I'm the person who introduced that long standing policy. It > was indeed motivated by a significant paying customer's requirement > to install Sage entirely from source, and without an external network. > I believe no such customers have supported the Sage project for about > a decade, so I'm very supportive of removing this policy. > > It's possible to install pip packages without an internet connection, > and it's also > more likely that popular published pip packages are being scanned for > vulnerabilities > regularly, than it is that a vendored version of that same package in > the sage source > distro is being scanned. > > I hope you do bring this to a vote, and feel free to copy my above statement > of > support. > > I also strongly agree with Matthias that a vote about pip > installability may be considered > separately from a vote to add these testing packages. > > -- William > > On Sat, Feb 10, 2024 at 4:09 PM Dima Pasechnik <dimp...@gmail.com> wrote: > > > > > > > > On 10 February 2024 23:40:59 GMT, Matthias Koeppe > > <matthiaskoe...@gmail.com> wrote: > > >On Saturday, February 10, 2024 at 2:56:57 PM UTC-8 Dima Pasechnik wrote: > > > > > >yes, make them standard, but keep them pip packages (i.e. no version > > >pinning, no tarballs/checksums). > > > > > > > > >By current policy, "standard" packages cannot be "pip" packages. This is > > >documented in > > >https://deploy-livedoc--sagemath.netlify.app/html/en/developer/packaging#package-source-types > > > > > >I believe the reason is that it would conflict with the longstanding > > >practice of the project to ship Sage releases in the form of a > > >self-contained source tarball, from which Sage can be installed in an > > >environment without network access. > > > > It's long overdue to revise this policy. > > If someone wants to use Sage in a 3-letter agency-like environment, we need > > not facilitate this admittedly rare scenario, we are not in spyware tools > > business after all. > > > > Besides, it is hard to create an installation medium with all the necessary > > extra packages on it, e.g. by downloading these missing wheels while > > running "make dist" (or whatever is used to create these tarballs) > > > > How about we initiate a vote on letting standard packages be pip packages? > > > > > > > > > > > > > >I will note that I personally never use these tarballs (nor have I > > >recommended to anyone to use them), but historically it has been the > > >expectation of the community. See for example the 2016 sage-devel thread > > >https://groups.google.com/g/sage-devel/c/C7-ho1zvEYU/m/Ep8i-cbHAgAJ on a > > >similar topic. > > > > > >So for the purpose of the present poll, let us assume that the packages > > >would be added as standard "wheel" packages. > > > > > > > -- > > You received this message because you are subscribed to the Google Groups > > "sage-devel" group. > > To unsubscribe from this group and stop receiving emails from it, send an > > email to sage-devel+unsubscr...@googlegroups.com. > > To view this discussion on the web visit > > https://groups.google.com/d/msgid/sage-devel/764854CA-8AFD-4FB2-8A51-42F58BDE5D31%40gmail.com. > > > > -- > William (http://wstein.org) -- William (http://wstein.org) -- You received this message because you are subscribed to the Google Groups "sage-devel" group. To unsubscribe from this group and stop receiving emails from it, send an email to sage-devel+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/sage-devel/CACLE5GBOw0jiPuq3T49jnQg1AwV4gwxDOHZNcb7b16_rO6-kVg%40mail.gmail.com.
