Posted to issues@arrow.apache.org by "ankane (via GitHub)" <gi...@apache.org> on 2023/03/04 20:56:32 UTC
[GitHub] [arrow] ankane opened a new issue, #34457: [Ruby] Ruby library (silently) installs system libraries
ankane opened a new issue, #34457:
URL: https://github.com/apache/arrow/issues/34457
### Describe the bug, including details regarding any error messages, version, and platform.
Hi, the `red-arrow` gem and its `gobject-introspection` dependency currently install a number of system libraries by running `apt-get install`, `brew install`, etc. commands (using the `native-package-installer` gem). I think this is surprising behavior for a gem (or a package/library in any language).
I think it would be better to either:
1. Instruct users how to install the libraries when not present rather than automatically install them
2. Vendor the libraries, so they are not installed system-wide and are removed when the gem is uninstalled
### Component(s)
Ruby
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: issues-unsubscribe@arrow.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [arrow] assignUser commented on issue #34457: [Ruby] Ruby library (silently) installs system libraries
Posted by "assignUser (via GitHub)" <gi...@apache.org>.
assignUser commented on issue #34457:
URL: https://github.com/apache/arrow/issues/34457#issuecomment-1457522413
@kou would a prompt asking the user for confirmation not be an option to address at least the visibility issue? Or is that not possible during the gem install process? In that case just printing a message might be nice?
[GitHub] [arrow] kou commented on issue #34457: [Ruby] Ruby library (silently) installs system libraries
Posted by "kou (via GitHub)" <gi...@apache.org>.
kou commented on issue #34457:
URL: https://github.com/apache/arrow/issues/34457#issuecomment-1457440314
Thanks for clarifying your concern.
I can understand your concern, but the first approach will not change the situation.
I think that this is a natural scenario for the first approach:
1. A user wants to install the red-arrow gem
2. The user runs `gem install red-arrow` and it fails with the `You must run "brew install apache-arrow-glib"` error message because Apache Arrow GLib isn't installed (the first approach)
3. The user runs `brew install apache-arrow-glib` manually
4. The user runs `gem install red-arrow` again and it succeeds
I think that most users do 3. as instructed. Most users don't choose another approach for 3., such as building Apache Arrow GLib themselves.
If a user does 3., `gem uninstall red-arrow` doesn't uninstall the apache-arrow-glib formula.
If most users do 3. manually, it's convenient for most users that it's done automatically by default. This is my thought:
1. A user wants to install the red-arrow gem
2. The user runs `gem install red-arrow` and it succeeds because `gem install red-arrow` runs `brew install apache-arrow-glib` automatically
Advanced users can install Apache Arrow GLib themselves before they run `gem install red-arrow`. This prevents dependencies from being installed automatically.
We may need a "dry-run" mode for `gem install red-arrow` for advanced users.
> the Python package takes the second approach (with binary distributions)
Yes. And I have a security concern for the second approach as I said. For example, we released pyarrow 10.0.1 for OpenSSL's CVE-2022-3786: https://arrow.apache.org/blog/2022/11/22/10.0.1-release/
[GitHub] [arrow] ankane commented on issue #34457: [Ruby] Ruby library (silently) installs system libraries
Posted by "ankane (via GitHub)" <gi...@apache.org>.
ankane commented on issue #34457:
URL: https://github.com/apache/arrow/issues/34457#issuecomment-1460876855
fwiw, there's no output that indicates system libraries are being installed, nor is it mentioned in the readme (which currently tells you to install Apache Arrow GLib yourself). You can check this yourself with:
```sh
gem install red-arrow
```
and
```sh
bundle init
bundle add red-arrow
bundle
```
As far as I know, the only place it'd currently be possible is with a static post-install message (however, telling users after the fact still isn't ideal).
[GitHub] [arrow] ankane commented on issue #34457: [Ruby] Ruby library (silently) installs system libraries
Posted by "ankane (via GitHub)" <gi...@apache.org>.
ankane commented on issue #34457:
URL: https://github.com/apache/arrow/issues/34457#issuecomment-1457453420
The difference between the current approach and the first suggested approach is the user understands they're installing a system library - it doesn't happen automatically and silently (this is likely why other libraries don't use this approach).
Unfortunately, it sounds like we have pretty different opinions on this, but thank you for taking the time to respond.
[GitHub] [arrow] kou commented on issue #34457: [Ruby] Ruby library (silently) installs system libraries
Posted by "kou (via GitHub)" <gi...@apache.org>.
kou commented on issue #34457:
URL: https://github.com/apache/arrow/issues/34457#issuecomment-1457689169
> would a prompt asking the user for confirmation not be an option to address at least the visibility issue?
I'm OK with it only when tty is associated.
> In that case just printing a message might be nice?
This is already done.
[GitHub] [arrow] kou commented on issue #34457: [Ruby] Ruby library (silently) installs system libraries
Posted by "kou (via GitHub)" <gi...@apache.org>.
kou commented on issue #34457:
URL: https://github.com/apache/arrow/issues/34457#issuecomment-1454910681
I can understand your surprise but I think that installing system libraries automatically is the best solution.
> Instruct users how to install the libraries when not present rather than automatically install them
This is an approach that Passenger uses:
https://github.com/phusion/passenger/blob/HEAD/resources/templates/nginx/nginx_module_sources_not_available.txt.erb
But it frustrates users because `gem install X` -> `error: run apt-get install A` -> `sudo apt-get install A` -> `gem install X (again)` -> `error: run apt-get install B` -> ...
> Vendor the libraries, so they are not installed system-wide and are removed when the gem is uninstalled
This is an approach that Nokogiri uses. This approach has a security concern. If one of the vendored libraries (e.g., Apache Arrow C++ may depend on OpenSSL) has a vulnerability, we need to release a new version quickly. It increases maintenance cost.
BTW, what is your real concern? Is it just surprise?
[GitHub] [arrow] kou commented on issue #34457: [Ruby] Ruby library (silently) installs system libraries
Posted by "kou (via GitHub)" <gi...@apache.org>.
kou commented on issue #34457:
URL: https://github.com/apache/arrow/issues/34457#issuecomment-1459160349
OK.
I'll reconsider this, including RubyGems improvements, later.
For example, I'll discuss this with RubyGems developers at RubyKaigi 2023.
[GitHub] [arrow] ankane closed issue #34457: [Ruby] Ruby library (silently) installs system libraries
Posted by "ankane (via GitHub)" <gi...@apache.org>.
ankane closed issue #34457: [Ruby] Ruby library (silently) installs system libraries
URL: https://github.com/apache/arrow/issues/34457
[GitHub] [arrow] assignUser commented on issue #34457: [Ruby] Ruby library (silently) installs system libraries
Posted by "assignUser (via GitHub)" <gi...@apache.org>.
assignUser commented on issue #34457:
URL: https://github.com/apache/arrow/issues/34457#issuecomment-1454891772
Hey, thanks for the report. I am not versed in Ruby etiquette, but from an R side I would agree that any (especially silent) changes to the global state of the host would be unexpected.
I think a variant of 1 would be to ask the user before installing and allow overriding that with an env var or so to allow the previous workflow to work when needed (unattended install, CI...)
Cc @kou
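As an added illustration of the two suggestions above (kou's "prompt only when a tty is associated" and assignUser's "ask the user, with an env var override for unattended installs"), here is a decision policy an `extconf.rb` could apply before touching a system package manager. This is example code, not red-arrow's or native-package-installer's own; the environment variable name `RED_ARROW_AUTO_INSTALL`, the `DependencyPolicy` class and the Debian package name are assumptions made for the example, and nothing in it executes a package manager.

```ruby
# Added example (not red-arrow's or native-package-installer's code): decide how
# an extconf.rb should treat a missing native dependency. Always print the exact
# command, prompt only when a TTY is attached, honour an environment variable for
# unattended/CI installs, and otherwise fail with instructions rather than
# changing the host silently. Nothing here runs brew or apt-get.
require "stringio"

class DependencyPolicy
  ENV_VAR = "RED_ARROW_AUTO_INSTALL" # hypothetical name chosen for this example

  # Hypothetical per-platform commands; the Debian package name is constructed.
  INSTALL_COMMANDS = {
    homebrew: "brew install apache-arrow-glib",
    debian:   "sudo apt-get install libarrow-glib-dev",
  }.freeze

  # Returns [decision, message]. decision is :skip when the library is already
  # present, :install when the package manager may be run, or :instruct when
  # extconf.rb should print the message and fail so the user installs it
  # deliberately and knows what changed on the host.
  def self.decide(present:, platform:, tty:, env: ENV, input: $stdin, output: $stderr)
    return [:skip, "Apache Arrow GLib already installed"] if present

    command = INSTALL_COMMANDS[platform]
    return [:instruct, "No known package manager for #{platform}; install Apache Arrow GLib manually"] unless command

    # An explicit setting wins over everything else so CI stays non-interactive.
    case env[ENV_VAR].to_s.downcase
    when "1", "true", "yes"
      return [:install, "#{ENV_VAR} set; running `#{command}`"]
    when "0", "false", "no"
      return [:instruct, "#{ENV_VAR} disabled auto-install; run `#{command}` and retry"]
    end

    # Without a TTY nobody can answer a prompt, so never install silently.
    return [:instruct, "No TTY; run `#{command}` manually or set #{ENV_VAR}=1"] unless tty

    output.print "red-arrow needs Apache Arrow GLib. Run `#{command}` now? [y/N] "
    answer = input.gets.to_s.strip.downcase
    if %w[y yes].include?(answer)
      [:install, "Confirmed; running `#{command}`"]
    else
      [:instruct, "Declined; run `#{command}` and re-run `gem install red-arrow`"]
    end
  end
end
```

The message returned for every branch is meant to go into the `extconf.rb` output, so it also lands in `gem_make.out` and is visible with `gem install --verbose`.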
[GitHub] [arrow] ankane commented on issue #34457: [Ruby] Ruby library (silently) installs system libraries
Posted by "ankane (via GitHub)" <gi...@apache.org>.
ankane commented on issue #34457:
URL: https://github.com/apache/arrow/issues/34457#issuecomment-1457108765
The concern is what @assignUser mentioned - I don't think a gem should change the global state of the host. With Homebrew (and possibly other package managers), installing a new formula can update dependencies and other libraries that use those dependencies. Also, when the gem is uninstalled, the system libraries will still be there.
fwiw, the Python package takes the second approach (with binary distributions), which makes it much easier to install, but I think the first approach would be easiest to do for now.
[GitHub] [arrow] assignUser commented on issue #34457: [Ruby] Ruby library (silently) installs system libraries
Posted by "assignUser (via GitHub)" <gi...@apache.org>.
assignUser commented on issue #34457:
URL: https://github.com/apache/arrow/issues/34457#issuecomment-1458639751
> This is already done.
Ah, I see, so it's not actually silently installing, and I see how a confirmation could mess up existing workflows. As I won't be able to implement it, I defer to you regarding this ofc.
[GitHub] [arrow] kou commented on issue #34457: [Ruby] Ruby library (silently) installs system libraries
Posted by "kou (via GitHub)" <gi...@apache.org>.
kou commented on issue #34457:
URL: https://github.com/apache/arrow/issues/34457#issuecomment-1460913301
> there's no output that indicates system libraries are being installed
The message is included in `extconf.rb` output.
We can see it with `gem install --verbose red-arrow` or in `$(gem env GEM_HOME)/extensions/*/*/red-arrow-*/gem_make.out`.
> nor is it mentioned in the readme
Ah, I didn't notice it. Thanks. We can improve it.
> the only place it'd currently be possible is with a static post-install message
The post-install message is static as you said. If we use it, we need to show a message when dependencies aren't installed.
[GitHub] [arrow] kou commented on issue #34457: [Ruby] Ruby library (silently) installs system libraries
Posted by "kou (via GitHub)" <gi...@apache.org>.
kou commented on issue #34457:
URL: https://github.com/apache/arrow/issues/34457#issuecomment-1460916776
FYI: RubyInstaller for Windows has a feature to install dependencies automatically: https://github.com/oneclick/rubyinstaller2/wiki/For-gem-developers#user-content-msys2-library-dependency
If RubyGems itself had a similar feature, our situation might change. So:
> I'll discuss this with RubyGems developers in RubyKaigi 2023.