-
-
Notifications
You must be signed in to change notification settings - Fork 107
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ci(releases): build wheels for Python package #549
base: master
Are you sure you want to change the base?
ci(releases): build wheels for Python package #549
Conversation
- master | ||
tags: | ||
- release-*cli-* | ||
pull_request: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Probably need to remove this trigger, the jobs take too long for PRs. I don't know about your release workflow, but ideally the jobs are run before a release tag for taplo-cli
can be created.
Python itself links against system OpenSSL, so we shouldn’t bundle it unless we can commit to frequent security updates: https://peps.python.org/pep-0513/#security-implications The manylinux project itself only bundles it when the system OpenSSL version is too old: https://github.com/pypa/manylinux/blob/ea3724609ced892adb65f4d091cc01f1231d0235/docker/build_scripts/build-openssl.sh#L28 |
Ah okay thanks. Then I don't get why the wheels without vendored OpenSSL cannot run on Linux. See this failed job or try installing the wheels from its artifacts, e.g.: gh run download 7814055668 -n wheels -D wheels --repo redeboer/taplo
pip install --no-index --find-links wheels/ taplo
taplo --help |
The job failure happens because the maturin action runs in some ancient container with OpenSSL 1.0.x (libssl.so.10), whereas modern systems have OpenSSL 3 (libssl.so.3). The built library then links against the ancient ABI instead of the modern one. I think the way the manywheels action works is that it first builds against a newer OpenSSL and then removes the OpenSSL library. That way it links against the OpenSSL 3 ABI. But maybe I’m wrong and for adequate compatibility one needs to bundle OpenSSL like you do. In that case, we’re stuck with having to do frequent releases whenever there’s some OpenSSL security patch 😞 |
Afaics the maturin actions just uses the manylinux_2014 container and that comes with OpenSSL 1.0.x: $ docker run --rm -it quay.io/pypa/manylinux2014_x86_64 openssl version
OpenSSL 1.0.2k-fips 26 Jan 2017 In fact, I wonder why taplo/.github/workflows/python.yml Lines 45 to 46 in ebdb3e3
Indeed, this is the Catch-22 :S convenience (and insecurity?) of bundling OpenSSL, or pointing to shared libraries... |
Is there anything blocking this from being merged? |
From my side:
Details in the comments above |
Yeah, I think there’s no way around bundling at the moment, and having only 64 bit wheels is probably fine for now. If someone wants 32 bit, they can start complaining I guess. |
This would be lovely! Is it anticipated the PyPI package would carry the A big thing for making this an easily-adoptable tool for the broader python ecosystem would be if |
The version number of the PyPI package is the same as that of the Line 29 in 3487ebe
Good point. Not sure if a name clash should be avoided here, it's still the same CLI that is installed, right? (Or does conda-forge provide all the crates?) I'm thinking about https://anaconda.org/conda-forge/graphviz vs https://anaconda.org/conda-forge/python-graphviz. These are actually different packages, one being the actual DOT parser, the other the Python interface. I don't think we have the same situation with taplo on PyPI and taplo on conda-forge. Both are just a CLI tool afaiu.
I agree, would also love to see that. Haven't found an issue on this in this repo, could you post one? So |
"Same" is a... big word: unlike If the anticipated wheels don't provide any Python API (e.g.
|
Hmm fair enough, yes. Tbh this PR was mostly motivated by making it easier to run
So you mean that the conda-forge feedstock would just pull from PyPI? If so, should taplo/.github/workflows/python.yml Lines 22 to 24 in 3487ebe
|
For most python packages, yes: we use Back on |
Alright, so for this PR, what should be changed? 😅 I think a better name for PyPI would indeed be Line 6 in 3487ebe
|
To be clear: I am not suggesting what |
As discussed in ComPWA/mirrors-taplo#13 (comment), here is an attempt to build Python package wheels with Maturin. That would make it way easier for the Python community to integrate Taplo into their workflow and would also make it possible to host a fast Taplo pre-commit hook (#535).
A test
taplo
pip package is available here:https://pypi.org/project/taplo-test
And you can use this as a test pre-commit hook:
OpenSSL dependency
Building wheels for MacOS and Windows was easy, but I ran into trouble with Linux because of the apparent need for OpenSSL. I thought that OpenSSL is not a dependency anymore (#302), but it is still pulled in indirectly through
reqwest
:taplo/crates/taplo-cli/Cargo.toml
Lines 31 to 33 in 4bf7b53
It seems that
reqwest
is used in several of the taplo crates, so I presume we have to deal with OpenSSL as a dependency. Manylinux does not offer OpenSSL however, which resulted in broken wheels. I therefore addedopenssl
as an optional dependency with the vendored flag, i.e.cargo build --features vendored-openssl
(open to suggestions for a better name).1Even though that solution solution seems to work2, it only 'bakes' openssl into the wheels for Linux x86_64: the 32-bit version is still built with shared openssl lib, because its manylinux still runs into problems building with vendored OpenSSL. And I haven't managed to test whether those wheels actually work.
Important
Who can help test whether the x86 wheels work? You can try the
taplo-test
package or the artifacts from the job.PyPI release
I'm happy to help maintain this repository (#403), especially the Python release. For now, however, we need to somehow share a
MATURIN_PYPI_TOKEN
for the workflow. Who of the Taplo maintainers is also on PyPI?Pre-commit hook
To address #535, it will be necessary to put the
.pre-commit-hooks.yaml
under a different config (see example repo here). The reason is that (1) it speeds up the pre-commit clone and (2) this repo already has apyproject.toml
for the Maturin build. This would be an argument for creating a 'Taplo organization' #403 (comment). 3Footnotes
55c7e96 upgrades the lock files to keep the diff of 2ef0d97 small; you can revert that lock update if preferred. ↩
This is the job that published the
taplo-test
package. ↩An organization would also make it easier to extract the VSCode extension to separate repo. ↩