import-style prevents vendoring

I just tried to vendor TUF into pip (in other words embed the tuf sources inside pip sources) and it fails (even with #1160 fixed) because of the import style used in TUF source code itself:

import tuf.download

Using this (instead of relative imports) means tuf needs to be installed to python path for the imports to work.

I’ve looked at the dozen other projects pip vendors and the system seems to cope with two styles:

  1. Most projects use relative imports like
     from . import treebuilders
     from .treebuilders.base import Marker
  2. The other method is
     from toml.decoder import InlineTableDict

The second style works because vendoring (the tool) modifies “import NAME” to “from vendored.path import NAME” and “from NAME.module import something” to “from vendored.path.NAME.module import something”. I assume this is mostly done so vendored dependencies of vendored projects work (so e.g. vendored tuf can “import securesystemslib”). In any case the TUF style cannot be automatically modified as far as I can tell.

I’ll try to add reproduction instructions that don’t require my pip branch…
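
The rewrite behaviour described in the issue above, as an added example (not part of the original issue and not the vendoring tool's own code): a simplified model of the two rewrites, run over a constructed sample. `vendored.path` is the placeholder namespace used in the post, and `some_function` is a hypothetical name.

```python
import ast
import re

NAMESPACE = "vendored.path"  # placeholder namespace, as written in the post

# Constructed sample mixing the import styles discussed in the issue.
SAMPLE = """\
import toml
from toml.decoder import InlineTableDict
from . import treebuilders
import tuf.download

def fetch(url):
    return tuf.download.some_function(url)  # hypothetical call site
"""

def rewrite_imports(source, lib, namespace=NAMESPACE):
    """Model of the two rewrites the post describes, for one library."""
    name = re.escape(lib)
    # import NAME  ->  from vendored.path import NAME
    source = re.sub(rf"^([ \t]*)import {name}(\s|$)",
                    rf"\1from {namespace} import {lib}\2", source, flags=re.M)
    # from NAME.module import x  ->  from vendored.path.NAME.module import x
    source = re.sub(rf"^([ \t]*)from {name}(\.|\s)",
                    rf"\1from {namespace}.{lib}\2", source, flags=re.M)
    return source

def unrewritable_imports(source, lib):
    """Find dotted 'import NAME.module' statements neither rewrite covers."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.startswith(lib + "."):
                    hits.append((node.lineno, f"import {alias.name}"))
    return sorted(hits)

def is_valid_python(stmt):
    """True if the statement parses; used to test a naive rewrite."""
    try:
        ast.parse(stmt)
        return True
    except SyntaxError:
        return False

if __name__ == "__main__":
    print(rewrite_imports(rewrite_imports(SAMPLE, "toml"), "tuf"))
    print("left untouched:", unrewritable_imports(SAMPLE, "tuf"))
```

Prefixing the dotted form the same way would give `from vendored.path import tuf.download`, which does not parse, and the call site still expects the name `tuf` to be bound.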

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Comments: 19 (19 by maintainers)

Top GitHub Comments

jku commented, Oct 7, 2020

All of TUF's dependencies are already pip dependencies (so successfully vendored) except SSL and iso8601 (which is a single file library).

If we have to choose between relative imports and importing names (functions, globals, etc) directly, I too vote for the former. At least this requirement will make it easy to choose an import style convention. 😃

I’m researching more clever alternatives as both of these options mean a massive PR: ~700 actual code lines would need to change and the possibility of a namespace mistake is real. I’ll try to have a possible solution for discussion by tomorrow.

lukpueh commented, Oct 15, 2020

Regarding the other pain points you mentioned …

> repository_tool, developer_tool and repository_lib could live somewhere where they would not be confused for library parts (assuming they are not parts of the library like I think): tuf/scripts/ maybe or a directory of their own?

Agreed but probably not worth to change before the planned refactor? Definitely something to consider together with #1136 and #881. Maybe this warrants a separate over-arching module architecture design issue? Also https://github.com/theupdateframework/tuf/issues/1134#issuecomment-690091176 seems related.

> unittest_toolbox should just be moved to tests/

Agreed but IMO low-prio. unittest_toolbox should probably also be subjected to a revision.

> download and mirrors should probably be moved to tuf/client/

Agreed but see both comments above and #1135.

> pylint does not understand the tuf import style at least in the unused-imports check: as a result we have some unused internal imports in our code.

I know. 😕 I’ve been meaning to at least submit an issue for this for a long time (I will do this right now). FWIW, I’ve fixed this a long time ago in in-toto and have created a ticket in securesystemslib, which both adopted their linter config from tuf (see https://github.com/secure-systems-lab/securesystemslib/issues/243).

> we are not very consistent in imports: lots of files use e.g. securesystemslib modules without importing them (and trust that someone else is importing them)

I know. 😕 I think a sensible linter config would catch this (see above).
