tahoe-lafs/trac
2
0
Issues 1.1k Wiki Activity

pyOpenSSL 0.14 pulls in a bunch of new dependencies #2193

New issue
Closed
opened 2014-03-05 04:05:38 +00:00 by daira · 38 comments
daira commented 2014-03-05 04:05:38 +00:00
Copy link
$ cat pyOpenSSL-0.14-py2.7.egg/EGG-INFO/requires.txt
cryptography>=0.2.1
six>=1.5.2

cryptography in turn depends on cffi and pycparser, resulting in the following warnings:

$ tahoe --version-and-path
allmydata-tahoe: 1.10.0 (/usr/local/lib/python2.7/dist-packages)
foolscap: 0.6.4 (/usr/local/lib/python2.7/dist-packages)
pycryptopp: 0.6.0.1206569328141510525648634803928199668821045408958 (/usr/local/lib/python2.7/dist-packages)
zfec: 1.4.24 (/usr/local/lib/python2.7/dist-packages)
Twisted: 13.2.0 (/usr/local/lib/python2.7/dist-packages)
Nevow: 0.10.0 (/usr/local/lib/python2.7/dist-packages)
zope.interface: unknown (/usr/local/lib/python2.7/dist-packages/zope)
python: 2.7.3 (/usr/bin/python)
platform: Linux-debian_7.4-x86_64-64bit_ELF (None)
pyOpenSSL: 0.14 (/usr/local/lib/python2.7/dist-packages)
simplejson: 3.3.3 (/usr/local/lib/python2.7/dist-packages)
pycrypto: 2.6.1 (/usr/local/lib/python2.7/dist-packages)
pyasn1: 0.1.7 (/usr/local/lib/python2.7/dist-packages)
mock: 1.0.1 (/usr/local/lib/python2.7)
setuptools: 2.2 (/usr/local/lib/python2.7/dist-packages/setuptools-2.2-py2.7.egg)
 
Warning: dependency 'cryptography' (version '0.2.2') found by pkg_resources not found by import.
Warning: dependency 'six' (version '1.5.2') found by pkg_resources not found by import.
Warning: dependency 'cffi' (version '0.8.1') found by pkg_resources not found by import.
Warning: dependency 'pycparser' (version '2.10') found by pkg_resources not found by import.
 
For debugging purposes, the PYTHONPATH was
  None
install_requires was
  ['setuptools >= 0.6c6', 'zfec >= 1.1.0', 'simplejson >= 1.4', 'zope.interface == 3.6.0, == 3.6.1, == 3.6.2, >= 3.6.5', 'Twisted >= 11.0.0', 'foolscap >= 0.6.3', 'pyOpenSSL', 'Nevow >= 0.6.0', 'pycrypto == 2.1.0, == 2.3, >= 2.4.1', 'pyasn1 >= 0.0.8a', 'mock >= 0.8.0', 'pycryptopp >= 0.6.0']
sys.path after importing pkg_resources was
  /usr/local/bin:
  /usr/local/lib/python2.7/dist-packages/pip-1.5.4-py2.7.egg:
  /usr/local/lib/python2.7/dist-packages/distribute-0.7.3-py2.7.egg:
  /usr/local/lib/python2.7/dist-packages/setuptools-2.2-py2.7.egg:
  /usr/lib/python2.7:
  /usr/lib/python2.7/plat-linux2:
  /usr/lib/python2.7/lib-tk:
  /usr/lib/python2.7/lib-old:
  /usr/lib/python2.7/lib-dynload:
  /usr/local/lib/python2.7/dist-packages:
  /usr/lib/python2.7/dist-packages

This is annoying, since it's going backwards with respect to our goal of reducing the number of crypto library dependencies.

``` $ cat pyOpenSSL-0.14-py2.7.egg/EGG-INFO/requires.txt cryptography>=0.2.1 six>=1.5.2 ``` `cryptography` in turn depends on `cffi` and `pycparser`, resulting in the following warnings: ``` $ tahoe --version-and-path allmydata-tahoe: 1.10.0 (/usr/local/lib/python2.7/dist-packages) foolscap: 0.6.4 (/usr/local/lib/python2.7/dist-packages) pycryptopp: 0.6.0.1206569328141510525648634803928199668821045408958 (/usr/local/lib/python2.7/dist-packages) zfec: 1.4.24 (/usr/local/lib/python2.7/dist-packages) Twisted: 13.2.0 (/usr/local/lib/python2.7/dist-packages) Nevow: 0.10.0 (/usr/local/lib/python2.7/dist-packages) zope.interface: unknown (/usr/local/lib/python2.7/dist-packages/zope) python: 2.7.3 (/usr/bin/python) platform: Linux-debian_7.4-x86_64-64bit_ELF (None) pyOpenSSL: 0.14 (/usr/local/lib/python2.7/dist-packages) simplejson: 3.3.3 (/usr/local/lib/python2.7/dist-packages) pycrypto: 2.6.1 (/usr/local/lib/python2.7/dist-packages) pyasn1: 0.1.7 (/usr/local/lib/python2.7/dist-packages) mock: 1.0.1 (/usr/local/lib/python2.7) setuptools: 2.2 (/usr/local/lib/python2.7/dist-packages/setuptools-2.2-py2.7.egg) Warning: dependency 'cryptography' (version '0.2.2') found by pkg_resources not found by import. Warning: dependency 'six' (version '1.5.2') found by pkg_resources not found by import. Warning: dependency 'cffi' (version '0.8.1') found by pkg_resources not found by import. Warning: dependency 'pycparser' (version '2.10') found by pkg_resources not found by import. For debugging purposes, the PYTHONPATH was None install_requires was ['setuptools >= 0.6c6', 'zfec >= 1.1.0', 'simplejson >= 1.4', 'zope.interface == 3.6.0, == 3.6.1, == 3.6.2, >= 3.6.5', 'Twisted >= 11.0.0', 'foolscap >= 0.6.3', 'pyOpenSSL', 'Nevow >= 0.6.0', 'pycrypto == 2.1.0, == 2.3, >= 2.4.1', 'pyasn1 >= 0.0.8a', 'mock >= 0.8.0', 'pycryptopp >= 0.6.0'] sys.path after importing pkg_resources was /usr/local/bin: /usr/local/lib/python2.7/dist-packages/pip-1.5.4-py2.7.egg: /usr/local/lib/python2.7/dist-packages/distribute-0.7.3-py2.7.egg: /usr/local/lib/python2.7/dist-packages/setuptools-2.2-py2.7.egg: /usr/lib/python2.7: /usr/lib/python2.7/plat-linux2: /usr/lib/python2.7/lib-tk: /usr/lib/python2.7/lib-old: /usr/lib/python2.7/lib-dynload: /usr/local/lib/python2.7/dist-packages: /usr/lib/python2.7/dist-packages ``` This is annoying, since it's going backwards with respect to our goal of reducing the number of crypto library dependencies.
daira added the
c/packaging
p/normal
t/defect
v/1.10.0
 labels 2014-03-05 04:05:38 +00:00
daira added this to the undecided milestone 2014-03-05 04:05:38 +00:00
daira commented 2014-03-06 01:42:37 +00:00
Author
Copy link
daira: SwedFTP: line 286 or thereabouts of src/allmydata/*init*.py should say:
daira:     ignorable = set(['argparse', 'pyutil', 'zbase32', 'distribute', 'twisted-web', 'twisted-core', 'twisted-conch'])
daira: change it to:
daira:     ignorable = set(['argparse', 'pyutil', 'zbase32', 'distribute', 'twisted-web', 'twisted-core', 'twisted-conch', 'cryptography', 'six', 'cffi', 'pycparser'])
daira: and reinstall tahoe
daira: then try 'tahoe --version-and-path' again
[...]
SwedFTP: daira1, daira , that fixes the issue <http://pastebin.com/vXLGXfem>
[...]
daira1: excellent, thanks for testing that
``` daira: SwedFTP: line 286 or thereabouts of src/allmydata/*init*.py should say: daira: ignorable = set(['argparse', 'pyutil', 'zbase32', 'distribute', 'twisted-web', 'twisted-core', 'twisted-conch']) daira: change it to: daira: ignorable = set(['argparse', 'pyutil', 'zbase32', 'distribute', 'twisted-web', 'twisted-core', 'twisted-conch', 'cryptography', 'six', 'cffi', 'pycparser']) daira: and reinstall tahoe daira: then try 'tahoe --version-and-path' again [...] SwedFTP: daira1, daira , that fixes the issue <http://pastebin.com/vXLGXfem> [...] daira1: excellent, thanks for testing that ```
daira commented 2014-03-06 01:45:22 +00:00
Author
Copy link

Note that the change in comment:396250 only hides the warning. We need to decide whether the additional dependency on cryptography is acceptable, and require pyOpenSSL == 0.13 if it is not. (The cryptography dependency is via pyOpenSSL 0.14.)

Note that the change in [comment:396250](/tahoe-lafs/trac/issues/2193#issuecomment-396250) only hides the warning. We need to decide whether the additional dependency on `cryptography` is acceptable, and require `pyOpenSSL == 0.13` if it is not. (The `cryptography` dependency is via pyOpenSSL 0.14.)
zancas commented 2014-03-07 19:02:56 +00:00
Copy link

Relevant to this issue, is my experience provisioning new S4 subscriptions.
The provisioning process began failing unexpectedly on Tuesday March 03, 2014.

I don't immediately recall when I last ran it prior to that, but it was probably within a week (i.e. since Februrary 24th).

I ssh'd in to the SSEC2 which had been launched during the failed provisioning.
I manually repeated the provisioning steps until I reached the first step that failed.

The failing step was: sudo python ./setup.py install run in the context of txAWS-0.2.1.post4 's 'base' directory.

I upgraded the version of txAWS used during deployment to post5 , by applying a commit daira wrote a while back. post5 depends on python-dateutil instead of Epsilon.

Here's the relevant commit: <https://github.com/LeastAuthority/leastauthority.com/commit/05ce3d44708c89158c6ae828d2a11827b74001f7>

After making only that change, the S4 provisioning process began functioning as expected again. (As evidenced by a "smoke-test" on an S4 instance provisioned as above.)

The following is the version info from the provisioned S4:

customer@ip-10-185-216-61:~$ /home/customer/LAFS_source/bin/tahoe --version                                                                          
allmydata-tahoe: 1.9.1.dev1,
foolscap: 0.6.3,
pycryptopp: 0.6.0.1206569328141510525648634803928199668821045408958,
zfec: 1.4.24,
Twisted: 12.2.0,
Nevow: 0.10.0,
zope.interface: unknown,
python: 2.7.3,
platform: Linux-Ubuntu_12.04-i686-32bit_ELF,
pyOpenSSL: 0.12,
simplejson: 2.3.2,
pycrypto: 2.4.1,
pyasn1: 0.1.7,
mock: 1.0.1,
sqlite3: 2.6.0 [sqlite 3.7.9],
setuptools: 0.6c16dev3

customer@ip-10-185-216-61:~$

And the version of txAWS:

customer@ip-10-185-216-61:~$ python -c 'import txaws;print txaws'
<module 'txaws' from '/usr/local/lib/python2.7/dist-packages/txAWS-0.2.1.post5-py2.7.egg/txaws/__init__.pyc'>
customer@ip-10-185-216-61:~$

As you can see from the tahoe version information, the current version deployed with S4, does not depend on cryptography because the version of pyOpenSSL it uses is: 0.12.
When we upgrade to newer versions of Tahoe-LAFS (an urgent needed upgrade, to fulfill customer-driven feature requests) however, this issue will effect S4.

Finally the upgrade to txAWS-0.2.1.post5 is not in production, and we can therefore expect new signups to fail.

Relevant to this issue, is my experience provisioning new S4 subscriptions. The provisioning process began failing unexpectedly on Tuesday March 03, 2014. I don't immediately recall when I last ran it prior to that, but it was probably within a week (i.e. since Februrary 24th). I ssh'd in to the SSEC2 which had been launched during the failed provisioning. I manually repeated the provisioning steps until I reached the first step that failed. The failing step was: `sudo python ./setup.py install` run in the context of `txAWS-0.2.1.post4` 's 'base' directory. I upgraded the version of txAWS used during deployment to `post5` , by applying a commit daira wrote a while back. `post5` depends on `python-dateutil` instead of `Epsilon`. Here's the relevant commit: `<https://github.com/LeastAuthority/leastauthority.com/commit/05ce3d44708c89158c6ae828d2a11827b74001f7>` After making _only_ that change, the S4 provisioning process began functioning as expected again. (As evidenced by a "smoke-test" on an S4 instance provisioned as above.) The following is the version info from the provisioned S4: ``` customer@ip-10-185-216-61:~$ /home/customer/LAFS_source/bin/tahoe --version allmydata-tahoe: 1.9.1.dev1, foolscap: 0.6.3, pycryptopp: 0.6.0.1206569328141510525648634803928199668821045408958, zfec: 1.4.24, Twisted: 12.2.0, Nevow: 0.10.0, zope.interface: unknown, python: 2.7.3, platform: Linux-Ubuntu_12.04-i686-32bit_ELF, pyOpenSSL: 0.12, simplejson: 2.3.2, pycrypto: 2.4.1, pyasn1: 0.1.7, mock: 1.0.1, sqlite3: 2.6.0 [sqlite 3.7.9], setuptools: 0.6c16dev3 customer@ip-10-185-216-61:~$ ``` And the version of txAWS: ``` customer@ip-10-185-216-61:~$ python -c 'import txaws;print txaws' <module 'txaws' from '/usr/local/lib/python2.7/dist-packages/txAWS-0.2.1.post5-py2.7.egg/txaws/__init__.pyc'> customer@ip-10-185-216-61:~$ ``` As you can see from the tahoe version information, the _current_ version deployed with S4, does _not_ depend on cryptography because the version of pyOpenSSL it uses is: `0.12`. When we upgrade to newer versions of Tahoe-LAFS (an urgent needed upgrade, to fulfill customer-driven feature requests) however, this issue will effect S4. Finally the upgrade to txAWS-0.2.1.post5 is _not_ in production, and we can therefore expect new signups to fail.
zancas commented 2014-03-07 19:29:50 +00:00
Copy link

Also, as Daira pointed out elsewhere, the version of pyOpenSSL selected by setuptools when building ticket999-S3-backend, is liable to unpredictably change.

Also, as Daira pointed out elsewhere, the version of pyOpenSSL selected by setuptools when building ticket999-S3-backend, is liable to unpredictably change.
zooko commented 2014-03-24 20:22:17 +00:00
Copy link

dstufft asked on IRC why this is such a big deal to us, and my answer was that for us resolving a dependency is a user-facing action, so if a dependency of ours (pyOpenSSL) gains a new dependency (cryptography.io), then that is not just a developer-facing issue, but is in fact a regression for our users. That's because our users start with this document: [quickstart.rst]source:docs/quickstart.rst, and follow the instructions written there, and at the end they have a working bin/tahoe script. Before the pyOpenSSL v0.14 release came out, following those instructions worked for most users, after the pyOpenSSL v0.14 release came out, it did not work for most users (because the new dependencies of pyOpenSSL cannot be automatically resolved by setuptools, especially considering that most users do not have a C compiler and Python header files installed). So it is a regression for us.

I intend to pin our dependency on pyOpenSSL to pyOpenSSL < 0.14 for now.

(We don't really rely on pyOpenSSL for much anyway, so if we could in fact remove the dependency on pyOpenSSL entirely, that would be nice. See also [tickets with "openssl" in their tags]query:status=!closed&keywords=~openssl&order=priority.)

dstufft asked on IRC why this is such a big deal to us, and my answer was that for us resolving a dependency is a *user-facing* action, so if a dependency of ours (pyOpenSSL) gains a new dependency (cryptography.io), then that is not just a developer-facing issue, but is in fact a *regression* for our users. That's because our users start with this document: [quickstart.rst]source:docs/quickstart.rst, and follow the instructions written there, and at the end they have a working `bin/tahoe` script. Before the pyOpenSSL v0.14 release came out, following those instructions worked for most users, after the pyOpenSSL v0.14 release came out, it did not work for most users (because the new dependencies of pyOpenSSL cannot be automatically resolved by setuptools, especially considering that most users do not have a C compiler and Python header files installed). So it is a regression for us. I intend to pin our dependency on pyOpenSSL to `pyOpenSSL < 0.14` for now. (We don't really rely on pyOpenSSL for much anyway, so if we could in fact *remove* the dependency on pyOpenSSL entirely, that would be nice. See also [tickets with "openssl" in their tags]query:status=!closed&keywords=~openssl&order=priority.)
glyph commented 2014-03-24 21:03:59 +00:00
Owner
Copy link

Replying to zooko:

dstufft asked on IRC why this is such a big deal to us

If you are telling end-users and not developers to install a tool with a development toolchain (and setuptools is definitely a development toolchain) then perhaps the problem is with the instructions? Your dependencies' dependencies should not be a user-visible change.

Have you considered creating distributions for end-users that bundle everything together into a single file, bundle, or linux distro package, so that dependency issues like this aren't exposed? Or perhaps at least updating quickstart.rst to use contemporary tools, i.e. pip and virtualenv, rather than ez_setup?

These dependencies can be automatically resolved by pip. There are already binary wheels for Windows so those folks don't need a C compiler. And in the coming months my understanding is that this will be extended to OS X as well.

I intend to pin our dependency on pyOpenSSL

By pinning this dependency you're opting out of all potential future security updates for pyOpenSSL which seems like a bad idea, if you depend on it at all. And the move to Cryptography and thereby cffi is a huge upgrade to the simplicity and security of the basic implementation strategy of pyOpenSSL itself.

(We don't really rely on pyOpenSSL for much anyway, so if we could in fact remove the dependency on pyOpenSSL entirely, that would be nice.)

Removing the dependency might be nice. The OpenSSL API is rightly universally reviled. Although I would suggest that Cryptography is a promising new project to provide backend agility for cryptographic primitives and you should be depending upon it directly at some point in the future :-).

It's quite likely that Twisted will acquire a hard dependency on Cryptography or some other cffi-based project in the future, so this is probably worth working out now.

Replying to [zooko](/tahoe-lafs/trac/issues/2193#issuecomment-396254): > dstufft asked on IRC why this is such a big deal to us If you are telling end-users and not developers to install a tool with a development toolchain (and setuptools is definitely a development toolchain) then perhaps the problem is with the instructions? Your dependencies' dependencies should not be a user-visible change. Have you considered creating distributions for end-users that bundle everything together into a single file, bundle, or linux distro package, so that dependency issues like this aren't exposed? Or perhaps at least updating quickstart.rst to use contemporary tools, i.e. pip and virtualenv, rather than ez_setup? These dependencies can be automatically resolved by pip. There are already binary wheels for Windows so those folks don't need a C compiler. And in the coming months my understanding is that this will be extended to OS X as well. > I intend to pin our dependency on pyOpenSSL By pinning this dependency you're opting out of all potential future security updates for pyOpenSSL which seems like a bad idea, if you depend on it at all. And the move to Cryptography and thereby cffi is a *huge* upgrade to the simplicity and security of the basic implementation strategy of pyOpenSSL itself. > (We don't really rely on pyOpenSSL for much anyway, so if we could in fact *remove* the dependency on pyOpenSSL entirely, that would be nice.) Removing the dependency might be nice. The OpenSSL API is rightly universally reviled. Although I would suggest that Cryptography is a promising new project to provide backend agility for cryptographic primitives and you should be depending upon it directly at some point in the future :-). It's quite likely that Twisted will acquire a hard dependency on Cryptography or some other cffi-based project in the future, so this is probably worth working out now.
gdt commented 2014-03-29 18:43:40 +00:00
Owner
Copy link

In a packaging environment, having a pinned dependency on 0.13 is
really not ok, because upstream py-OpenSSL doesn't seem to provide for
parallel-installable multiple versions. So I think tahoe has to cope
with whatever upstream releases, or stop using py-OpenSSL. But
py-twisted uses pyOpenSSL, so it's not clear that what tahoe does
matters in the grand scheme of things.

longer version after I retyped when the above was lost to spam filtering:

Regarding pinnning the dependency to 0.13, I don't think that's a
resaonable approach. First, I think that any software that is broadly
successful is used almost entirely from prebuilt packages in various
packaging systems (or for us odd pkgsrc types, automatically built from
source using the packaging system, which amounts to the same thing).

My impression is that python generally does not support installing
multiple versions of a package, e.g py-OpenSSL 0.13.1 and 0.14 both.
(While pkgsrc has made python27 and python33 parallel installable, and
most libraries can have both at once, I haven't seen this extend to
individual libraries.) So a packaging system has to just pick a
version. Given that upstreams do not do security maintenance on
obsolete versions, the only reasonable choice is the latest, except that
taking a few months to move to a new release is also reasonable. So
packaging systems soon (within a year) will no longer offer py-OpenSSL
0.13.1.

Twisted also requires py-OpenSSL, so I think fighting this implies
pulling py-Twisted and py-OpenSSL into tahoe sources. That seems crazy
in terms of maintenance burden.

Overall, my impresssion is that we're seeing a big hiccup because of a
poorly-documented unexpected rototill, and that once packaging systems
catch up with the new dependencies, things will be ok as far as building
tahoe in a packaging system context (or installing deps from packaging
system and then building tahoe itself from source).

In a packaging environment, having a pinned dependency on 0.13 is really not ok, because upstream py-OpenSSL doesn't seem to provide for parallel-installable multiple versions. So I think tahoe has to cope with whatever upstream releases, or stop using py-OpenSSL. But py-twisted uses pyOpenSSL, so it's not clear that what tahoe does matters in the grand scheme of things. longer version after I retyped when the above was lost to spam filtering: Regarding pinnning the dependency to 0.13, I don't think that's a resaonable approach. First, I think that any software that is broadly successful is used almost entirely from prebuilt packages in various packaging systems (or for us odd pkgsrc types, automatically built from source using the packaging system, which amounts to the same thing). My impression is that python generally does not support installing multiple versions of a package, e.g py-OpenSSL 0.13.1 and 0.14 both. (While pkgsrc has made python27 and python33 parallel installable, and most libraries can have both at once, I haven't seen this extend to individual libraries.) So a packaging system has to just pick a version. Given that upstreams do not do security maintenance on obsolete versions, the only reasonable choice is the latest, except that taking a few months to move to a new release is also reasonable. So packaging systems soon (within a year) will no longer offer py-OpenSSL 0.13.1. Twisted also requires py-OpenSSL, so I think fighting this implies pulling py-Twisted and py-OpenSSL into tahoe sources. That seems crazy in terms of maintenance burden. Overall, my impresssion is that we're seeing a big hiccup because of a poorly-documented unexpected rototill, and that once packaging systems catch up with the new dependencies, things will be ok as far as building tahoe in a packaging system context (or installing deps from packaging system and then building tahoe itself from source).
daira commented 2014-03-29 20:11:09 +00:00
Author
Copy link

I'm annoyed and frustrated by pyOpenSSL adding a dependency on yet another fucking cryptography library. It's going in entirely the wrong direction. The actual mechanics of how to make Tahoe tolerate the dependency are not so much the issue here.

I'm annoyed and frustrated by pyOpenSSL adding a dependency on yet another fucking cryptography library. It's going in entirely the wrong direction. The actual mechanics of how to make Tahoe tolerate the dependency are not so much the issue here.
daira commented 2014-03-29 20:19:44 +00:00
Author
Copy link

Note that the only overlap between what cryptography.io provides, and what Tahoe-LAFS needs (and can't get from the Python standard lib) is AES and RSA. So we can't use it to remove any of our other crypto dependencies.

Note that the only overlap between what cryptography.io provides, and what Tahoe-LAFS needs (and can't get from the Python standard lib) is AES and RSA. So we can't use it to remove any of our other crypto dependencies.
glyph commented 2014-03-30 01:53:41 +00:00
Owner
Copy link

Replying to daira:

The actual mechanics of how to make Tahoe tolerate the dependency are not so much the issue here.

I strongly disagree. The mechanics of how to make Tahoe tolerate the dependency are the only issue here. If you want to talk about how pyOpenSSL should revert to being a giant pile of ad-hoc C code rather than a tiny wrapper around some statically-verified and well-tested wrappers for the OpenSSL API, the right place for that discussion would be the pyOpenSSL tracker, not here. (However, I can tell you that you're not likely to meet with much success with that proposal.)

pyOpenSSL implements a thing, and the hope here is that the way in which it implements this is abstracted and its clients, like Tahoe, should not need to care how it does it. Having dependencies is one way it might choose to implement this. It may acquire new dependencies in the future (as might Twisted, for that matter, for reasons having nothing to do with cryptography). It's deeply unfortunate that this addition broke things for Tahoe, and hopefully that won't happen in the future, but "your dependencies are part of your API contract and you can't ever add new ones" is not an acceptable constraint for Twisted; nor, I suspect, for any other thing that Tahoe depends on. We should work out how to do this non-destructively in the future. (Note that I believe the Cryptography 0.3 release resolves the installation issue at least for Windows users because it fixed the thing that would cause binary wheels to need to be rebuilt on the installer's system if a new release of cffi came out.)

I'm annoyed and frustrated by pyOpenSSL adding a dependency on yet another fucking cryptography library. It's going in entirely the wrong direction.

However, since you seem frustrated let me try to address that. It might be helpful to read the Cryptography team's rationale for creating something new rather than trying to maintain one of the existing options, but that's pretty brief.

First of all, Cryptography is not really "yet another ... cryptography library". My understanding is that it implements exactly no cryptographic primitives itself. Instead, its mission is to be a comprehensive wrapper around and common interface to multiple back-ends which allow for using your platform's existing cryptography engine, allowing you to access things like hardware support and platform security updates without updating all of your application's code. For example, it's not just a wrapper around OpenSSL; it also wraps [the CommonCrypto API from OS X's security framework](https://github.com/pyca/cryptography/tree/master/cryptography/hazmat/bindings/commoncrypto).

(Please be aware that this is my interpretation and I'm not a Cryptography core developer.)

In light of this substantially improved approach, pyOpenSSL is really just a light wrapper around one of these layers. It would be very premature to say pyOpenSSL is "deprecated" – lots of existing software uses it, it'll likely be around for a very long time, and Cryptography doesn't implement nearly enough high-level functionality to replace it – but as Cryptography implements higher level functionality I think there's no real reason why one would rely on the pyOpenSSL version of that functionality rather than Cryptography's. If you use Cryptography, it will be doing your crypto functionality in a way that is multi-backend and doesn't, for example, require you to compile OpenSSL on Windows; instead you could just use existing Windows APIs for these algorithms.

For Twisted, all this stuff is a godsend. Instead of having some stdlib stuff and some pyOpenSSL stuff and some PyCrypto stuff (with known exploits) we can (eventually) just use one library to provide all of our security features.

Replying to daira:

Note that the only overlap between what cryptography.io provides, and what Tahoe-LAFS needs (and can't get from the Python standard lib) is AES and RSA. So we can't use it to remove any of our other crypto dependencies.

It's pretty early days for Cryptography. This is why I said "at some point in the future". They only added RSA like a couple of weeks ago, and the only high-level (i.e. non-"hazmat") thing implemented so far is Fernet. So there's a huge swath of functionality they're going to be adding already. If some of the Tahoe developers were to talk to the Cryptography folks, it might be easy to convince them to add all of your needs to the library in some form.

Since Tahoe uses more novel cryptographic primitives than many applications, it's possible that the Cryptography developers won't be interested in adding everything you need, but I really think it would be worthwhile to try; given the effort that those developers are investing in fixing their build and deployment story, it might make issues like this a lot easier to deal with in the future.

Replying to [daira](/tahoe-lafs/trac/issues/2193#issuecomment-396257): > The actual mechanics of how to make Tahoe tolerate the dependency are not so much the issue here. I strongly disagree. The mechanics of how to make Tahoe tolerate the dependency are the *only* issue here. If you want to talk about how pyOpenSSL should revert to being a giant pile of ad-hoc C code rather than a tiny wrapper around some statically-verified and [well-tested](https://travis-ci.org/pyca/cryptography) wrappers for the OpenSSL API, the right place for that discussion would be [the pyOpenSSL tracker](https://github.com/pyca/pyopenssl/issues), not here. (However, I can tell you that you're not likely to meet with much success with that proposal.) pyOpenSSL implements a thing, and the *hope* here is that the way in which it implements this is abstracted and its clients, like Tahoe, should not need to care how it does it. Having dependencies is one way it might choose to implement this. It may acquire new dependencies in the future (as might Twisted, for that matter, for reasons having nothing to do with cryptography). It's deeply unfortunate that this addition broke things for Tahoe, and hopefully that won't happen in the future, but "your dependencies are part of your API contract and you can't ever add new ones" is not an acceptable constraint for Twisted; nor, I suspect, for any other thing that Tahoe depends on. We should work out how to do this non-destructively in the future. (Note that I believe the Cryptography 0.3 release resolves the installation issue at least for Windows users because it fixed the thing that would cause binary wheels to need to be rebuilt on the installer's system if a new release of cffi came out.) > I'm annoyed and frustrated by pyOpenSSL adding a dependency on yet another fucking cryptography library. It's going in entirely the wrong direction. However, since you seem frustrated let me try to address that. It might be helpful to read [the Cryptography team's rationale for creating something new](https://cryptography.io/en/latest/#why-a-new-crypto-library-for-python) rather than trying to maintain one of the existing options, but that's pretty brief. First of all, Cryptography is not *really* "yet another ... cryptography library". My understanding is that it implements exactly *no* cryptographic primitives itself. Instead, its mission is to be a comprehensive wrapper around and common interface to multiple back-ends which allow for using your platform's existing cryptography engine, allowing you to access things like hardware support and platform security updates without updating all of your application's code. For example, it's not just a wrapper around OpenSSL; it also wraps [the [CommonCrypto](wiki/CommonCrypto) API from OS X's security framework](https://github.com/pyca/cryptography/tree/master/cryptography/hazmat/bindings/commoncrypto). (Please be aware that this is my interpretation and I'm not a Cryptography core developer.) In light of this substantially improved approach, pyOpenSSL is really just a light wrapper around one of these layers. It would be very premature to say pyOpenSSL is "deprecated" – lots of existing software uses it, it'll likely be around for a very long time, and Cryptography doesn't implement nearly enough high-level functionality to replace it – but as Cryptography implements higher level functionality I think there's no real reason why one would rely on the pyOpenSSL version of that functionality rather than Cryptography's. If you use Cryptography, it will be doing your crypto functionality in a way that is multi-backend and doesn't, for example, require you to compile OpenSSL on Windows; instead you could just use existing Windows APIs for these algorithms. For Twisted, all this stuff is a godsend. Instead of having some stdlib stuff and some pyOpenSSL stuff and some [PyCrypto](wiki/PyCrypto) stuff (with known exploits) we can (eventually) just use one library to provide all of our security features. Replying to [daira](/tahoe-lafs/trac/issues/2193#issuecomment-396258): > Note that the only overlap between what cryptography.io provides, and what Tahoe-LAFS needs (and can't get from the Python standard lib) is AES and RSA. So we can't use it to remove any of our other crypto dependencies. It's pretty early days for Cryptography. This is why I said "at some point in the future". They only added RSA like a couple of weeks ago, and the only high-level (i.e. non-"hazmat") thing implemented so far is Fernet. So there's a huge swath of functionality they're going to be adding already. If some of the Tahoe developers were to talk to the Cryptography folks, it might be easy to convince them to add all of your needs to the library in some form. Since Tahoe uses more novel cryptographic primitives than many applications, it's possible that the Cryptography developers won't be interested in adding everything you need, but I really think it would be worthwhile to try; given the effort that those developers are investing in fixing their build and deployment story, it might make issues like this a lot *easier* to deal with in the future.
daira commented 2014-04-03 00:10:05 +00:00
Author
Copy link

Replying to [glyph]comment:12:

Replying to daira:

I'm annoyed and frustrated by pyOpenSSL adding a dependency on yet another fucking cryptography library. It's going in entirely the wrong direction.

However, since you seem frustrated let me try to address that. It might be helpful to read the Cryptography team's rationale for creating something new rather than trying to maintain one of the existing options, but that's pretty brief.

First of all, Cryptography is not really "yet another ... cryptography library". My understanding is that it implements exactly no cryptographic primitives itself. Instead, its mission is to be a comprehensive wrapper around and common interface to multiple back-ends which allow for using your platform's existing cryptography engine, allowing you to access things like hardware support and platform security updates without updating all of your application's code. For example, it's not just a wrapper around OpenSSL; it also wraps [the CommonCrypto API from OS X's security framework](https://github.com/pyca/cryptography/tree/master/cryptography/hazmat/bindings/commoncrypto).

Well exactly, and this is the core of the issue. The decision to change the scope of pyOpenSSL from being a wrapper around just OpenSSL, to being something that depends on a considerably more ambitious project, came entirely out of the blue from the point of view of Tahoe-LAFS developers. Perhaps we should have been paying more attention, I don't know. I certainly don't have any objection to the cryptography project; what I have an objection to is the lack of any heads-up to projects depending on pyOpenSSL (a list of them is easily determined from the package metadata on PyPI) of a rather major design change.

Replying to [glyph]comment:12: > Replying to [daira](/tahoe-lafs/trac/issues/2193#issuecomment-396257): > > I'm annoyed and frustrated by pyOpenSSL adding a dependency on yet another fucking cryptography library. It's going in entirely the wrong direction. > > However, since you seem frustrated let me try to address that. It might be helpful to read [the Cryptography team's rationale for creating something new](https://cryptography.io/en/latest/#why-a-new-crypto-library-for-python) rather than trying to maintain one of the existing options, but that's pretty brief. > > First of all, Cryptography is not *really* "yet another ... cryptography library". My understanding is that it implements exactly *no* cryptographic primitives itself. Instead, its mission is to be a comprehensive wrapper around and common interface to multiple back-ends which allow for using your platform's existing cryptography engine, allowing you to access things like hardware support and platform security updates without updating all of your application's code. For example, it's not just a wrapper around OpenSSL; it also wraps [the [CommonCrypto](wiki/CommonCrypto) API from OS X's security framework](https://github.com/pyca/cryptography/tree/master/cryptography/hazmat/bindings/commoncrypto). Well exactly, and this is the core of the issue. The decision to change the scope of `pyOpenSSL` from being a wrapper around just `OpenSSL`, to being something that depends on a considerably more ambitious project, came entirely out of the blue from the point of view of Tahoe-LAFS developers. Perhaps we should have been paying more attention, I don't know. I certainly don't have any objection to the `cryptography` project; what I have an objection to is the lack of any heads-up to projects depending on `pyOpenSSL` (a list of them is easily determined from the package metadata on PyPI) of a rather major design change.
daira commented 2014-04-03 00:13:07 +00:00
Author
Copy link

In any case, I guess we have no choice but to add cffi as another binary dependency. (The pure Python dependencies aren't so much a problem.) Sigh.

In any case, I guess we have no choice but to add `cffi` as another binary dependency. (The pure Python dependencies aren't so much a problem.) Sigh.
glyph commented 2014-04-03 05:04:58 +00:00
Owner
Copy link

Replying to [daira]comment:13:

Replying to [glyph]comment:12:

Replying to daira:

I'm annoyed and frustrated by pyOpenSSL adding a dependency on yet another fucking cryptography library. It's going in entirely the wrong direction.

However, since you seem frustrated let me try to address that. It might be helpful to read the Cryptography team's rationale for creating something new rather than trying to maintain one of the existing options, but that's pretty brief.

First of all, Cryptography is not really "yet another ... cryptography library". My understanding is that it implements exactly no cryptographic primitives itself. Instead, its mission is to be a comprehensive wrapper around and common interface to multiple back-ends which allow for using your platform's existing cryptography engine, allowing you to access things like hardware support and platform security updates without updating all of your application's code. For example, it's not just a wrapper around OpenSSL; it also wraps [the CommonCrypto API from OS X's security framework](https://github.com/pyca/cryptography/tree/master/cryptography/hazmat/bindings/commoncrypto).

Well exactly, and this is the core of the issue. The decision to change the scope of pyOpenSSL from being a wrapper around just OpenSSL, to being something that depends on a considerably more ambitious project, came entirely out of the blue from the point of view of Tahoe-LAFS developers. Perhaps we should have been paying more attention, I don't know. I certainly don't have any objection to the cryptography project; what I have an objection to is the lack of any heads-up to projects depending on pyOpenSSL (a list of them is easily determined from the package metadata on PyPI) of a rather major design change.

This change was announced in January on the pyOpenSSL mailing list, and then on the Twisted list, and then again on the Twisted list, specifically stressing how major the change would be, not to mention the 4 other alpha pre-release announcements on those lists. I feel like this was reasonably broadly communicated. What more do you feel we should have done?

Replying to [daira]comment:13: > Replying to [glyph]comment:12: > > Replying to [daira](/tahoe-lafs/trac/issues/2193#issuecomment-396257): > > > I'm annoyed and frustrated by pyOpenSSL adding a dependency on yet another fucking cryptography library. It's going in entirely the wrong direction. > > > > However, since you seem frustrated let me try to address that. It might be helpful to read [the Cryptography team's rationale for creating something new](https://cryptography.io/en/latest/#why-a-new-crypto-library-for-python) rather than trying to maintain one of the existing options, but that's pretty brief. > > > > First of all, Cryptography is not *really* "yet another ... cryptography library". My understanding is that it implements exactly *no* cryptographic primitives itself. Instead, its mission is to be a comprehensive wrapper around and common interface to multiple back-ends which allow for using your platform's existing cryptography engine, allowing you to access things like hardware support and platform security updates without updating all of your application's code. For example, it's not just a wrapper around OpenSSL; it also wraps [the [CommonCrypto](wiki/CommonCrypto) API from OS X's security framework](https://github.com/pyca/cryptography/tree/master/cryptography/hazmat/bindings/commoncrypto). > > Well exactly, and this is the core of the issue. The decision to change the scope of `pyOpenSSL` from being a wrapper around just `OpenSSL`, to being something that depends on a considerably more ambitious project, came entirely out of the blue from the point of view of Tahoe-LAFS developers. Perhaps we should have been paying more attention, I don't know. I certainly don't have any objection to the `cryptography` project; what I have an objection to is the lack of any heads-up to projects depending on `pyOpenSSL` (a list of them is easily determined from the package metadata on PyPI) of a rather major design change. This change was announced [in January on the pyOpenSSL mailing list](https://mail.python.org/pipermail/pyopenssl-users/2014-January/000484.html), [and then on the Twisted list](http://thread.gmane.org/gmane.comp.python.twisted/26687), [and then again on the Twisted list, specifically stressing how major the change would be](http://article.gmane.org/gmane.comp.python.twisted/26696/match=pyOpenSSL), not to mention the 4 other alpha pre-release announcements on those lists. I feel like this was reasonably broadly communicated. What more do you feel we should have done?
glyph commented 2014-04-03 05:17:14 +00:00
Owner
Copy link

Replying to daira:

In any case, I guess we have no choice but to add cffi as another binary dependency. (The pure Python dependencies aren't so much a problem.) Sigh.

While I understand that the task of adding cffi itself is yet more frustrating package churn, there are a number of reasons to be enthusiastic about it:

  1. Writing cffi modules is far easier, safer, etc, than writing any other kind of extension module. Unless you've used it, it's hard to explain just how much easier and safer it is, but one personal anecdote I can give you is that I once spent about 20 hours wrapping a fairly complex C library with cffi, including callbacks, reentrancy, and pointer math, and literally experienced zero segfaults in the process. One segfault I had near the end turned out to be a bug in the C library itself and not a problem with my extension.
  2. cffi modules are JIT-visible in PyPy and will therefore actually speed up applications on PyPy, unlike cpyext-built extensions, which generally have enough overhead that they slow things down.
  3. the cffi team provides packaging and building tools for extension modules to normalize the process of distributing binary dependencies, in a way which is challenging to do for arbitrary extension modules, and (in combination with the PyPA developers) is working on more. This has been somewhat rocky to get off the ground, but once the binary compatibility story for wheels has been worked out for OS X and Linux, this kind of uproar from users when a binary dependency is added should get much rarer, because they'll actually be able to install them from PyPI and have them actually work without a C compiler.
  4. Jython developers are working on a cffi runtime support system now as well, making it by far the most portable way to distribute an extension module; a number of "it only works on CPython because of a C dependency that doesn't work on any other VMs" projects will be able to migrate to other interesting environments.

Finally, there's a ctypes backend for cffi; I'm not sure how complete it is, but in principle it ought to allow for (slow) invocation of arbitrary cffi-based extensions with no C compiler installed. If Tahoe still has users having problems before The Great Packaging Singularity Where Everything Finally Starts Working, it might be worthwhile to figure out if this can be enabled for your users somehow if their C compiler isn't installed or doesn't work.

Replying to [daira](/tahoe-lafs/trac/issues/2193#issuecomment-396261): > In any case, I guess we have no choice but to add `cffi` as another binary dependency. (The pure Python dependencies aren't so much a problem.) Sigh. While I understand that the task of adding `cffi` itself is yet more frustrating package churn, there are a number of reasons to be enthusiastic about it: 1. Writing `cffi` modules is far easier, safer, etc, than writing any other kind of extension module. Unless you've used it, it's hard to explain just *how much* easier and safer it is, but one personal anecdote I can give you is that I once spent about 20 hours wrapping a fairly complex C library with cffi, including callbacks, reentrancy, and pointer math, and literally experienced *zero* segfaults in the process. One segfault I had near the end turned out to be a bug in the C library itself and not a problem with my extension. 2. `cffi` modules are JIT-visible in [PyPy](wiki/PyPy) and will therefore actually speed up applications on [PyPy](wiki/PyPy), unlike `cpyext`-built extensions, which generally have enough overhead that they slow things down. 3. the `cffi` team provides packaging and building tools for extension modules to normalize the process of distributing binary dependencies, in a way which is challenging to do for arbitrary extension modules, and (in combination with the PyPA developers) is working on more. This has been somewhat rocky to get off the ground, but once the binary compatibility story for wheels has been worked out for OS X and Linux, this kind of uproar from users when a binary dependency is added should get *much* rarer, because they'll actually be able to install them from PyPI and have them actually work without a C compiler. 4. Jython developers are working on a cffi runtime support system now as well, making it by far the most portable way to distribute an extension module; a number of "it only works on CPython because of a C dependency that doesn't work on any other VMs" projects will be able to migrate to other interesting environments. Finally, there's a `ctypes` backend for `cffi`; I'm not sure how complete it is, but in principle it ought to allow for (slow) invocation of arbitrary cffi-based extensions with no C compiler installed. If Tahoe still has users having problems before The Great Packaging Singularity Where Everything Finally Starts Working, it might be worthwhile to figure out if this can be enabled for your users somehow if their C compiler isn't installed or doesn't work.
dstufft commented 2014-04-03 05:45:30 +00:00
Owner
Copy link

For what it's worth, I'm both a cryptography developer (kind of, I'm probably the least active one of us) and a PyPA developer. I also have PyNaCl and bcrypt which also use the cffi backends. cffi has some pitfalls with packaging right now, however they are being worked on both on the cffi side with work to remove the implicit compile stuff, in the project themselves with work arounds, and in the packaging tools to better handle binary dependencies in general.

What tahoe-lafs decides to do with it's dependencies will affect y'all far more than it affects me, but I would suggest that pinning to an old release of pyOpenSSL will end up causing you more grief in the long run. I concur with that you should either get rid of it or adopt to the newer style of things.

I also think it'd probably be reasonable for cryptography.io to look to handle more of what tahoe needs from a crypto library too if you're all interested in that. We have very stringent requirements for what gets committed to our code base as far as code quality, test coverage, documentation etc goes and we have goals of being somewhat of a standard library of crypto :).

For what it's worth, I'm both a cryptography developer (kind of, I'm probably the least active one of us) and a PyPA developer. I also have [PyNaCl](wiki/PyNaCl) and bcrypt which also use the cffi backends. cffi has some pitfalls with packaging right now, however they are being worked on both on the cffi side with work to remove the implicit compile stuff, in the project themselves with work arounds, and in the packaging tools to better handle binary dependencies in general. What tahoe-lafs decides to do with it's dependencies will affect y'all far more than it affects me, but I would suggest that pinning to an old release of pyOpenSSL will end up causing you more grief in the long run. I concur with that you should either get rid of it or adopt to the newer style of things. I also think it'd probably be reasonable for cryptography.io to look to handle more of what tahoe needs from a crypto library too if you're all interested in that. We have very stringent requirements for what gets committed to our code base as far as code quality, test coverage, documentation etc goes and we have goals of being somewhat of a standard library of crypto :).
daira commented 2014-04-04 15:27:00 +00:00
Author
Copy link

OK, well, the immediate problem is that cryptography depends on cffi which depends (on Debian at least) on the libffi-dev package. Is there any way to build a cffi egg that (at run-time) doesn't depend on libffi-dev having been installed?

OK, well, the immediate problem is that `cryptography` depends on `cffi` which depends (on Debian at least) on the libffi-dev package. Is there any way to build a `cffi` egg that (at run-time) doesn't depend on libffi-dev having been installed?
dstufft commented 2014-04-04 16:12:58 +00:00
Owner
Copy link

Any binary package of cffi (Wheel or Egg) should only require libffi installed not libffi-dev if that's what you mean.

Any binary package of cffi (Wheel or Egg) should only require libffi installed not libffi-dev if that's what you mean.
daira commented 2014-04-04 16:45:48 +00:00
Author
Copy link

Replying to dstufft:

Any binary package of cffi (Wheel or Egg) should only require libffi installed not libffi-dev if that's what you mean.

Sorry, I didn't mean to make a distinction between libffi and libffi-dev here. I meant to ask, is there any way to build a cffi egg that at run-time doesn't depend on libffi having been manually installed?

Replying to [dstufft](/tahoe-lafs/trac/issues/2193#issuecomment-396266): > Any binary package of cffi (Wheel or Egg) should only require libffi installed not libffi-dev if that's what you mean. Sorry, I didn't mean to make a distinction between libffi and libffi-dev here. I meant to ask, is there any way to build a `cffi` egg that at run-time doesn't depend on libffi having been manually installed?
dstufft commented 2014-04-04 16:47:01 +00:00
Owner
Copy link

Probably if you link it statically instead of dynamically, but I'm not sure that the cffi setup.py supports that ATM.

Probably if you link it statically instead of dynamically, but I'm not sure that the cffi setup.py supports that ATM.
glyph commented 2014-04-04 18:49:02 +00:00
Owner
Copy link

Replying to dstufft:

Probably if you link it statically instead of dynamically, but I'm not sure that the cffi setup.py supports that ATM.

Tempting as it is to ask “but then how the heck does it work on Windows!?” I think maybe this issue on the CFFI tracker is the place to keep discussing this stuff, and make sure that the cffi developers are aware of tahoe's requirements.

Replying to [dstufft](/tahoe-lafs/trac/issues/2193#issuecomment-396268): > Probably if you link it statically instead of dynamically, but I'm not sure that the cffi setup.py supports that ATM. Tempting as it is to ask “but then how the heck does it work on Windows!?” I think maybe [this issue](https://bitbucket.org/cffi/cffi/issue/109/enable-sane-packaging-for-cffi) on the CFFI tracker is the place to keep discussing this stuff, and make sure that the cffi developers are aware of tahoe's requirements.
daira commented 2014-04-14 22:57:21 +00:00
Author
Copy link

Zooko and I agreed on the Dev Chat to temporarily work around this by fixing the pyOpenSSL dependency to == 0.13. We're aware that this can only be a short-term work-around, but cryptography simply has too many build problems at the moment (#2217 for example).

Zooko and I agreed on the Dev Chat to temporarily work around this by fixing the pyOpenSSL dependency to == 0.13. We're aware that this can only be a short-term work-around, but `cryptography` simply has too many build problems at the moment (#2217 for example).
daira modified the milestone from undecided to 1.11.0 2014-04-14 22:58:30 +00:00
daira self-assigned this 2014-04-14 22:58:30 +00:00
daira commented 2014-04-14 23:03:18 +00:00
Author
Copy link

The ticket for a longer-term solution to allowing pyOpenSSL >= 0.14 is #2221.

The ticket for a longer-term solution to allowing pyOpenSSL >= 0.14 is #2221.
daira added
p/major
 and removed
p/normal
 labels 2014-04-14 23:03:18 +00:00
daira commented 2014-04-14 23:46:13 +00:00
Author
Copy link

Re-reading the above comments, I think I may have given a false impression that I don't approve of the overall technical direction that the cryptography and pyOpenSSL developers are taking. That's not the case; I absolutely appreciate the need for FFIs between memory-safe and non-memory-safe languages to reduce the amount of glue code required, and to allow most of the remaining glue code to be on the memory-safe side. cffi seems to be on the right track here, and it's clear from comparing the code of pyOpenSSL 0.13 and 0.14 that it should be a great deal more maintainable and less error-prone. (I've long been a fan of Standard ML's NLFFI which takes a similar approach.) Also, the ability to use multiple backends from cryptography is useful and important.

Re-reading the above comments, I think I may have given a false impression that I don't approve of the overall technical direction that the `cryptography` and `pyOpenSSL` developers are taking. That's not the case; I absolutely appreciate the need for FFIs between memory-safe and non-memory-safe languages to reduce the amount of glue code required, and to allow most of the remaining glue code to be on the memory-safe side. `cffi` seems to be on the right track here, and it's clear from comparing the code of pyOpenSSL 0.13 and 0.14 that it should be a great deal more maintainable and less error-prone. (I've long been a fan of Standard ML's [NLFFI](http://people.cs.uchicago.edu/~blume/papers/nlffi.pdf) which takes a similar approach.) Also, the ability to use multiple backends from `cryptography` is useful and important.
gdt commented 2014-04-15 00:30:04 +00:00
Owner
Copy link

I'm not entirely following the pinning argument. tahoe is building ok in pkgsrc with 0.14. So if you require 0.13, the package will fail and no longer be available, and I'll just mark it BROKEN. What's wrong with a situation where pyOpenSSL 0.14 is properly installed, with all its dependencies? If the new code handles that gracefully, there's no issue - if all you're talking about is forcing a choice of 0.13 when the build of pyOpenSSL is triggered from within tahoe-lafs that sounds fine.

I'm not entirely following the pinning argument. tahoe is building ok in pkgsrc with 0.14. So if you require 0.13, the package will fail and no longer be available, and I'll just mark it BROKEN. What's wrong with a situation where pyOpenSSL 0.14 is properly installed, with all its dependencies? If the new code handles that gracefully, there's no issue - if all you're talking about is forcing a choice of 0.13 when the build of pyOpenSSL is triggered from within tahoe-lafs that sounds fine.
daira commented 2014-04-15 01:47:03 +00:00
Author
Copy link

Replying to gdt:

I'm not entirely following the pinning argument. tahoe is building ok in pkgsrc with 0.14. So if you require 0.13, the package will fail and no longer be available, and I'll just mark it BROKEN. What's wrong with a situation where pyOpenSSL 0.14 is properly installed, with all its dependencies?

That's a good question. The issue is that the Python package-distribution metadata conflates the question "what dependent package versions are acceptable to meet this package's requirement?", with the question "what dependent package versions should I attempt to fetch and build in order to meet this package's requirement (when not using an OS packaging system)?" That's a problem in situations where the fetch-and-build process is unreliable.

We could hack around this conflation by doing the following:

  • From Tahoe's setup.py, attempt "from OpenSSL import SSL".
  • If that succeeds and passes version sanity checks (including checks on the linked OpenSSL version for #2215), then use the requirement pyOpenSSL == $WHATEVER_VERSION_WAS_IMPORTED.
  • If that does not succeed or does not pass version sanity checks, then use the requirement pyOpenSSL == 0.13 (or == 0.13.1 if we decide to do the OpenSSL version check that way).

That would implement the following:

If the new code handles that gracefully, there's no issue - if all you're talking about is forcing a choice of 0.13 when the build of pyOpenSSL is triggered from within tahoe-lafs that sounds fine.

However, attempting to import dependent packages from setup.py has caused problems in the past and I'm not entirely sure it's a good idea. If we do it, we should have some exit strategy to stop doing it in a future Tahoe-LAFS version.

Replying to [gdt](/tahoe-lafs/trac/issues/2193#issuecomment-396277): > I'm not entirely following the pinning argument. tahoe is building ok in pkgsrc with 0.14. So if you require 0.13, the package will fail and no longer be available, and I'll just mark it BROKEN. What's wrong with a situation where pyOpenSSL 0.14 is properly installed, with all its dependencies? That's a good question. The issue is that the Python package-distribution metadata conflates the question "what dependent package versions are acceptable to meet this package's requirement?", with the question "what dependent package versions should I attempt to fetch and build in order to meet this package's requirement (when not using an OS packaging system)?" That's a problem in situations where the fetch-and-build process is unreliable. We *could* hack around this conflation by doing the following: * From Tahoe's `setup.py`, attempt "`from OpenSSL import SSL`". * If that succeeds and passes version sanity checks (including checks on the linked OpenSSL version for #2215), then use the requirement `pyOpenSSL == $WHATEVER_VERSION_WAS_IMPORTED`. * If that does not succeed or does not pass version sanity checks, then use the requirement `pyOpenSSL == 0.13` (or `== 0.13.1` if we decide to do the OpenSSL version check that way). That would implement the following: > If the new code handles that gracefully, there's no issue - if all you're talking about is forcing a choice of 0.13 when the build of pyOpenSSL is triggered from within tahoe-lafs that sounds fine. However, attempting to import dependent packages from `setup.py` has caused problems in the past and I'm not entirely sure it's a good idea. If we do it, we should have some exit strategy to stop doing it in a future Tahoe-LAFS version.
gdt commented 2014-04-15 12:54:53 +00:00
Owner
Copy link

That sounds reasonable.

Alternatively, there could be two setup.py versions, and a pre-build stage that symlinks one in. The standard one would be for packaging environments, and fail if any prereqs are not installed, never trying to download or build anything else. The developer one could do whatever you want.

I've said this before, but it's important to realize that for software that has widespread usage, almost all uses of it are via a packaging system. Developers live in a bubble where they build the programs they like to hack on directly from source. But I bet nearly all if not all of you are using even python from a packaging system, not a by-hand build.

That sounds reasonable. Alternatively, there could be two setup.py versions, and a pre-build stage that symlinks one in. The standard one would be for packaging environments, and fail if any prereqs are not installed, never trying to download or build anything else. The developer one could do whatever you want. I've said this before, but it's important to realize that for software that has widespread usage, almost all uses of it are via a packaging system. Developers live in a bubble where they build the programs they like to hack on directly from source. But I bet nearly all if not all of you are using even python from a packaging system, not a by-hand build.
daira commented 2014-04-15 16:17:18 +00:00
Author
Copy link

Replying to [daira]comment:28:

However, attempting to import dependent packages from setup.py has caused problems in the past and I'm not entirely sure it's a good idea.

One important problem is that if the setup.py process imports OpenSSL but it turns out to be broken or vulnerable, then there is no way to "unimport" it (well, not reliably), and this may cause problems later in the build. It would be possible to shell out to a check_pyopenssl.py script in a separate process, but that's getting rather complicated.

gdt: would it be sufficient for you to just patch the pyOpenSSL == 0.13 requirement in src/allmydata/_auto_deps.py in your pkgsrc packaging of Tahoe-LAFS 0.11?

Replying to [daira]comment:28: > However, attempting to import dependent packages from `setup.py` has caused problems in the past and I'm not entirely sure it's a good idea. One important problem is that if the `setup.py` process imports `OpenSSL` but it turns out to be broken or vulnerable, then there is no way to "unimport" it (well, not reliably), and this may cause problems later in the build. It would be possible to shell out to a `check_pyopenssl.py` script in a separate process, but that's getting rather complicated. gdt: would it be sufficient for you to just patch the `pyOpenSSL == 0.13` requirement in `src/allmydata/_auto_deps.py` in your pkgsrc packaging of Tahoe-LAFS 0.11?
gdt commented 2014-04-15 16:23:23 +00:00
Owner
Copy link

Yes, probably it would suffice to patch the control file.

Yes, probably it would suffice to patch the control file.
daira commented 2014-04-21 15:44:31 +00:00
Author
Copy link

Replying to dstufft:

Any binary package of cffi (Wheel or Egg) should only require libffi installed not libffi-dev if that's what you mean.

The Debian package name seems to be libffi6, not libffi. That's annoying because it'll probably change in future.

Replying to [dstufft](/tahoe-lafs/trac/issues/2193#issuecomment-396266): > Any binary package of cffi (Wheel or Egg) should only require libffi installed not libffi-dev if that's what you mean. The Debian package name seems to be libffi6, not libffi. That's annoying because it'll probably change in future.
zooko commented 2014-05-12 21:23:39 +00:00
Copy link
diff --git a/src/allmydata/_auto_deps.py b/src/allmydata/_auto_deps.py
index b7be321..2b82cf5 100644
--- a/src/allmydata/_auto_deps.py
+++ b/src/allmydata/_auto_deps.py
@@ -46,9 +46,13 @@ install_requires = [
     #   pyOpenSSL, such as foolscap requiring a specific version of
     #   pyOpenSSL, or foolscap switching from pyOpenSSL to a different crypto
     #   library, we need to update this declaration here.
+    # * pyOpenSSL 0.14 and newer depends on a new library named 
+    #   cryptography.io, which uses cffi to build. This causes problems for 
+    #   our deployments currently (see ticket #2193), so for now we require 
+    #   pyOpenSSL <= 0.13.
     #
     "foolscap >= 0.6.3",
-    "pyOpenSSL",
+    "pyOpenSSL <= 0.13",
 
     "Nevow >= 0.6.0",
``` diff --git a/src/allmydata/_auto_deps.py b/src/allmydata/_auto_deps.py index b7be321..2b82cf5 100644 --- a/src/allmydata/_auto_deps.py +++ b/src/allmydata/_auto_deps.py @@ -46,9 +46,13 @@ install_requires = [ # pyOpenSSL, such as foolscap requiring a specific version of # pyOpenSSL, or foolscap switching from pyOpenSSL to a different crypto # library, we need to update this declaration here. + # * pyOpenSSL 0.14 and newer depends on a new library named + # cryptography.io, which uses cffi to build. This causes problems for + # our deployments currently (see ticket #2193), so for now we require + # pyOpenSSL <= 0.13. # "foolscap >= 0.6.3", - "pyOpenSSL", + "pyOpenSSL <= 0.13", "Nevow >= 0.6.0", ```
zooko commented 2014-05-12 22:51:34 +00:00
Copy link

Replying to [daira]comment:28:

Replying to gdt:

I'm not entirely following the pinning argument. tahoe is building ok in pkgsrc with 0.14. So if you require 0.13, the package will fail and no longer be available, and I'll just mark it BROKEN. What's wrong with a situation where pyOpenSSL 0.14 is properly installed, with all its dependencies?

That's a good question. The issue is that the Python package-distribution metadata conflates the question "what dependent package versions are acceptable to meet this package's requirement?", with the question "what dependent package versions should I attempt to fetch and build in order to meet this package's requirement (when not using an OS packaging system)?" That's a problem in situations where the fetch-and-build process is unreliable.

We could hack around this conflation by doing the following:

  • From Tahoe's setup.py, attempt "from OpenSSL import SSL".
  • If that succeeds and passes version sanity checks (including checks on the linked OpenSSL version for #2215), then use the requirement pyOpenSSL == $WHATEVER_VERSION_WAS_IMPORTED.
  • If that does not succeed or does not pass version sanity checks, then use the requirement pyOpenSSL == 0.13 (or == 0.13.1 if we decide to do the OpenSSL version check that way).

That would implement the following:

If the new code handles that gracefully, there's no issue - if all you're talking about is forcing a choice of 0.13 when the build of pyOpenSSL is triggered from within tahoe-lafs that sounds fine.

However, attempting to import dependent packages from setup.py has caused problems in the past and I'm not entirely sure it's a good idea. If we do it, we should have some exit strategy to stop doing it in a future Tahoe-LAFS version.

I don't think we should add all this logic into the Tahoe-LAFS build system. I agree that there is a problem here, but I don't think we should try to address that problem by adding code into the Tahoe-LAFS build system. The problem, as I understand it, is that there are two different audiences listening to Tahoe-LAFS's announcements about what version of pyOpenSSL it depends on. One audience is packaging engineers like gdt, and the other is the automatic build mechanisms such as pip.

There is no single statement we can make that will give the right idea to both of these audiences. So I propose that we let the machine-parseable declaration in [src/allmydata/_auto_deps.py]source:trunk/src/allmydata/_auto_deps.py?annotate=blame&rev=7bb07fb5e28756fa13ba5190e6c39003c84d3e1e be optimized for the automatic build mechanisms like pip, and we use an attendant comment to communicate to the human engineer like gdt. So I propose a solution along these lines:

diff --git a/src/allmydata/_auto_deps.py b/src/allmydata/_auto_deps.py
index b7be321..93a9994 100644
--- a/src/allmydata/_auto_deps.py
+++ b/src/allmydata/_auto_deps.py
@@ -38,6 +38,9 @@ install_requires = [
     # * foolscap < 0.6.3 is incompatible with Twisted-11.1.0 and newer. Since
     #   current Twisted is 12.0, any build which needs twisted will grab a
     #   version that requires foolscap>=0.6.3
+    #
+    "foolscap >= 0.6.3",
+
     # * pyOpenSSL is required by foolscap for it (foolscap) to provide secure
     #   connections. Foolscap doesn't reliably declare this dependency in a
     #   machine-readable way, so we need to declare a dependency on pyOpenSSL
@@ -47,8 +50,21 @@ install_requires = [
     #   pyOpenSSL, or foolscap switching from pyOpenSSL to a different crypto
     #   library, we need to update this declaration here.
     #
-    "foolscap >= 0.6.3",
-    "pyOpenSSL",
+    # * pyOpenSSL >= 0.14 uses a new implementation which depends on the new
+    #   "cryptography.io" library, which depends on cffi and other *
+    #   things. Our automated build system (as run by typical users on their
+    #   * typical systems, which may not have a compiler or Python header
+    #   files * installed), can't handle those new dependencies, so for now
+    #   we're pinning this dependency to pyOpenSSL == 0.13.
+    #
+    #   Note that if you are a build engineer who already has pyOpenSSL >=
+    #   v0.14 working and wants to use Tahoe-LAFS with pyOpenSSL >= v0.14, go
+    #   right ahead! You'll have to edit or comment-out this pinning
+    #   declaration here. This declaration is not for your benefit, but for
+    #   the benefit of the automatic build system (i.e. pip or easy_install)
+    #   as used by our non-expert users.
+    # 
+    "pyOpenSSL == 0.13",
 
     "Nevow >= 0.6.0",
Replying to [daira]comment:28: > Replying to [gdt](/tahoe-lafs/trac/issues/2193#issuecomment-396277): > > I'm not entirely following the pinning argument. tahoe is building ok in pkgsrc with 0.14. So if you require 0.13, the package will fail and no longer be available, and I'll just mark it BROKEN. What's wrong with a situation where pyOpenSSL 0.14 is properly installed, with all its dependencies? > > That's a good question. The issue is that the Python package-distribution metadata conflates the question "what dependent package versions are acceptable to meet this package's requirement?", with the question "what dependent package versions should I attempt to fetch and build in order to meet this package's requirement (when not using an OS packaging system)?" That's a problem in situations where the fetch-and-build process is unreliable. > > We *could* hack around this conflation by doing the following: > * From Tahoe's `setup.py`, attempt "`from OpenSSL import SSL`". > * If that succeeds and passes version sanity checks (including checks on the linked OpenSSL version for #2215), then use the requirement `pyOpenSSL == $WHATEVER_VERSION_WAS_IMPORTED`. > * If that does not succeed or does not pass version sanity checks, then use the requirement `pyOpenSSL == 0.13` (or `== 0.13.1` if we decide to do the OpenSSL version check that way). > > That would implement the following: > > > If the new code handles that gracefully, there's no issue - if all you're talking about is forcing a choice of 0.13 when the build of pyOpenSSL is triggered from within tahoe-lafs that sounds fine. > > However, attempting to import dependent packages from `setup.py` has caused problems in the past and I'm not entirely sure it's a good idea. If we do it, we should have some exit strategy to stop doing it in a future Tahoe-LAFS version. I don't think we should add all this logic into the Tahoe-LAFS build system. I agree that there is a problem here, but I don't think we should try to address that problem by adding code into the Tahoe-LAFS build system. The problem, as I understand it, is that there are two different audiences listening to Tahoe-LAFS's announcements about what version of `pyOpenSSL` it depends on. One audience is packaging engineers like gdt, and the other is the automatic build mechanisms such as `pip`. There is no single statement we can make that will give the right idea to both of these audiences. So I propose that we let the machine-parseable declaration in [src/allmydata/_auto_deps.py]source:trunk/src/allmydata/_auto_deps.py?annotate=blame&rev=7bb07fb5e28756fa13ba5190e6c39003c84d3e1e be optimized for the automatic build mechanisms like `pip`, and we use an attendant comment to communicate to the human engineer like gdt. So I propose a solution along these lines: ``` diff --git a/src/allmydata/_auto_deps.py b/src/allmydata/_auto_deps.py index b7be321..93a9994 100644 --- a/src/allmydata/_auto_deps.py +++ b/src/allmydata/_auto_deps.py @@ -38,6 +38,9 @@ install_requires = [ # * foolscap < 0.6.3 is incompatible with Twisted-11.1.0 and newer. Since # current Twisted is 12.0, any build which needs twisted will grab a # version that requires foolscap>=0.6.3 + # + "foolscap >= 0.6.3", + # * pyOpenSSL is required by foolscap for it (foolscap) to provide secure # connections. Foolscap doesn't reliably declare this dependency in a # machine-readable way, so we need to declare a dependency on pyOpenSSL @@ -47,8 +50,21 @@ install_requires = [ # pyOpenSSL, or foolscap switching from pyOpenSSL to a different crypto # library, we need to update this declaration here. # - "foolscap >= 0.6.3", - "pyOpenSSL", + # * pyOpenSSL >= 0.14 uses a new implementation which depends on the new + # "cryptography.io" library, which depends on cffi and other * + # things. Our automated build system (as run by typical users on their + # * typical systems, which may not have a compiler or Python header + # files * installed), can't handle those new dependencies, so for now + # we're pinning this dependency to pyOpenSSL == 0.13. + # + # Note that if you are a build engineer who already has pyOpenSSL >= + # v0.14 working and wants to use Tahoe-LAFS with pyOpenSSL >= v0.14, go + # right ahead! You'll have to edit or comment-out this pinning + # declaration here. This declaration is not for your benefit, but for + # the benefit of the automatic build system (i.e. pip or easy_install) + # as used by our non-expert users. + # + "pyOpenSSL == 0.13", "Nevow >= 0.6.0", ```
zooko commented 2014-05-12 23:05:55 +00:00
Copy link

Relatedly, I find it pretty annoying that Tahoe-LAFS needs to mention pyOpenSSL at all in its packaging metadata. pyOpenSSL is not a direct dependency of Tahoe-LAFS, it is a dependency of Foolscap. So, I feel like it ought to be Foolscap's responsibility to deal with all this crap. Hopefully in the future Foolscap will stop depending on pyOpenSSL at all (perhaps because Foolscap has switched to nacl/libsodium), and at that point there should not need to be any change made to Tahoe-LAFS, because Tahoe-LAFS should just continue to say "I depend on Foolscap.".

Related tickets on the foolscap trac:

Relatedly, I find it pretty annoying that Tahoe-LAFS needs to mention `pyOpenSSL` at *all* in its packaging metadata. `pyOpenSSL` is not a direct dependency of Tahoe-LAFS, it is a dependency of Foolscap. So, I feel like it ought to be Foolscap's responsibility to deal with all this crap. Hopefully in the future Foolscap will *stop* depending on `pyOpenSSL` at all (perhaps because Foolscap has switched to [nacl](http://nacl.cr.yp.to/)/[libsodium](https://github.com/jedisct1/libsodium)), and at that point there should not need to be any change made to Tahoe-LAFS, because Tahoe-LAFS should just continue to say "I depend on Foolscap.". Related tickets on the foolscap trac: * [Foolscap ticket #215](http://foolscap.lothar.com/trac/ticket/215) (change "install_requires" in setup.py to reflect requirement of 2.5.0 of Twisted) * [Foolscap ticket #67](http://foolscap.lothar.com/trac/ticket/67) (remove UnauthenticatedTub) * [Foolscap ticket #174](http://foolscap.lothar.com/trac/ticket/174) [fixed]closed: (foolscap 0.6.1 has no such extra feature 'secure_connections') * [Foolscap ticket #66](http://foolscap.lothar.com/trac/ticket/66) [fixed]closed: (install requires pyOpenSSL (for secure mode)) * [Foolscap ticket #162](http://foolscap.lothar.com/trac/ticket/162) [invalid]closed: (No dependency declared on [PyOpen](wiki/PyOpen)SSL)
zooko commented 2014-05-14 18:50:31 +00:00
Copy link

Here's another thing that Foolscap might switch to instead of SSL: https://github.com/trevp/noise/wiki

Here's another thing that Foolscap might switch to instead of SSL: <https://github.com/trevp/noise/wiki>
daira commented 2014-08-30 00:09:03 +00:00
Author
Copy link

The combination of this problem, #2028, and #2249, are making it almost impossible to install or build on Windows :-(

The combination of this problem, #2028, and #2249, are making it almost impossible to install or build on Windows :-(
daira commented 2014-08-30 00:12:39 +00:00
Author
Copy link

(This problem isn't Windows-specific but it particularly affects Windows systems because most do not have a working compiler.)

(This problem isn't Windows-specific but it particularly affects Windows systems because most do not have a working compiler.)
Daira Hopwood <daira@jacaranda.org> commented 2014-10-08 11:45:57 +00:00
Owner
Copy link

In /tahoe-lafs/trac/commit/b0b76a7c5b89c3fed5a65ef6732dc45e578f12f4:

Improve comments in _auto_deps.py. refs #2249, #2028, #2193, #2005, #1258

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
In [/tahoe-lafs/trac/commit/b0b76a7c5b89c3fed5a65ef6732dc45e578f12f4](/tahoe-lafs/trac/commit/b0b76a7c5b89c3fed5a65ef6732dc45e578f12f4): ``` Improve comments in _auto_deps.py. refs #2249, #2028, #2193, #2005, #1258 Signed-off-by: Daira Hopwood <daira@jacaranda.org> ```
daira commented 2014-10-08 11:49:43 +00:00
Author
Copy link

Fixed by [18ffc29f4949b6098b8b89e6e89c89923121cda2/trunk].

Fixed by [18ffc29f4949b6098b8b89e6e89c89923121cda2/trunk].
daira added the
r/fixed
 label 2014-10-08 11:49:51 +00:00
daira closed this issue 2014-10-08 11:49:51 +00:00
daira commented 2015-05-01 19:30:23 +00:00
Author
Copy link

https://caremad.io/2014/11/distributing-a-cffi-project/ explains what is wrong with cffi from a packaging point of view.

<https://caremad.io/2014/11/distributing-a-cffi-project/> explains what is wrong with cffi from a packaging point of view.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
No results found.
No results found.
Labels
Clear labels   
c/code

catch-all for anything that can be fixed by writing code but isn't classified better

  
c/code-dirnodes

anything involving tahoe directories

  
c/code-encoding

immutable-file encoding format/layout, cap format, encoding/decoding algorithms

  
c/code-frontend

general frontend things: new user-facing interfaces, FTP/SFTP servers, FUSE-like interfaces

  
c/code-frontend-cli

CLI tools

  
c/code-frontend-ftp-sftp

   
c/code-frontend-magic-folder

   
c/code-frontend-web

webapi interfaces, user-facing "WUI" interfaces

  
c/code-mutable

anything involving mutable files: encoding/decoding, share format

  
c/code-network

Introducer, locating storage servers, establishing/maintaining connections to them

  
c/code-nodeadmin

node startup/shutdown, tools to create nodes, logging tools, management/monitoring tools, manhole, disk-space-limiting tools

  
c/code-peerselection

server selection/sorting algorithm, rebalancing code, allocation policy, swarming-download

  
c/code-storage

storage-server implementation, share-storage directory layout, client-to-server share transfer protocol

  
c/contrib

problems with non-core things that live in the source:contrib/ directory

  
c/dev-infrastructure

things that help us build Tahoe: buildbot, automated speed/memory/code-coverage tests and results-displayers, IRC channels, mailing lists, this Trac instance

  
c/docs

docs items. Also use 'docs' keyword on tickets in more specific components.

  
c/operational

things involved in running a tahoe grid, external tools to monitor/maintain a grid (like "nodeadmin" but larger-scale). Was also used for issues with the allmydata.com grid.

  
c/packaging

setup.py script, library dependencies, binary packages, licensing, installation instructions

  
c/unknown

Uncategorized. All tickets default to this component until someone updates it.

  
c/website

things about the tahoe-lafs.org website (and sometimes this Trac instance, shared with 'dev-infrastructure')

  
kw:2pc

   
kw:410

   
kw:9p

   
kw:ActivePerl

   
kw:AttributeError

   
kw:DataUnavailable

   
kw:DeadReferenceError

   
kw:DoS

   
kw:FileZilla

   
kw:GetLastError

   
kw:IFinishableConsumer

   
kw:K

   
kw:LeastAuthority

   
kw:Makefile

   
kw:RIStorageServer

   
kw:StringIO

   
kw:UncoordinatedWriteError

   
kw:about

   
kw:access

   
kw:access-control

   
kw:accessibility

   
kw:accounting

   
kw:accounting-crawler

   
kw:add-only

   
kw:aes

   
kw:aesthetics

   
kw:alias

   
kw:aliases

   
kw:aliens

   
kw:allmydata

   
kw:amazon

   
kw:ambient

   
kw:annotations

   
kw:anonymity

   
kw:anonymous

   
kw:anti-censorship

   
kw:api_auth_token

   
kw:appearance

   
kw:appname

   
kw:apport

   
kw:archive

   
kw:archlinux

   
kw:argparse

   
kw:arm

   
kw:assertion

   
kw:attachment

   
kw:auth

   
kw:authentication

   
kw:automation

   
kw:avahi

   
kw:availability

   
kw:aws

   
kw:azure

   
kw:backend

   
kw:backoff

   
kw:backup

   
kw:backupdb

   
kw:backward-compatibility

   
kw:bandwidth

   
kw:basedir

   
kw:bayes

   
kw:bbfreeze

   
kw:beta

   
kw:binaries

   
kw:binutils

   
kw:bitcoin

   
kw:bitrot

   
kw:blacklist

   
kw:blocker

   
kw:blocks-cloud-deployment

   
kw:blocks-cloud-merge

   
kw:blocks-magic-folder-merge

   
kw:blocks-merge

   
kw:blocks-raic

   
kw:blocks-release

   
kw:blog

   
kw:bom

   
kw:bonjour

   
kw:branch

   
kw:branding

   
kw:breadcrumbs

   
kw:brians-opinion-needed

   
kw:browser

   
kw:bsd

   
kw:build

   
kw:build-helpers

   
kw:buildbot

   
kw:builders

   
kw:buildslave

   
kw:buildslaves

   
kw:cache

   
kw:cap

   
kw:capleak

   
kw:captcha

   
kw:cast

   
kw:centos

   
kw:cffi

   
kw:chacha

   
kw:charset

   
kw:check

   
kw:checker

   
kw:chroot

   
kw:ci

   
kw:clean

   
kw:cleanup

   
kw:cli

   
kw:cloud

   
kw:cloud-backend

   
kw:cmdline

   
kw:code

   
kw:code-checks

   
kw:coding-standards

   
kw:coding-tools

   
kw:coding_tools

   
kw:collection

   
kw:compatibility

   
kw:completion

   
kw:compression

   
kw:confidentiality

   
kw:config

   
kw:configuration

   
kw:configuration.txt

   
kw:conflict

   
kw:connection

   
kw:connectivity

   
kw:consistency

   
kw:content

   
kw:control

   
kw:control.furl

   
kw:convergence

   
kw:coordination

   
kw:copyright

   
kw:corruption

   
kw:cors

   
kw:cost

   
kw:coverage

   
kw:coveralls

   
kw:coveralls.io

   
kw:cpu-watcher

   
kw:cpyext

   
kw:crash

   
kw:crawler

   
kw:crawlers

   
kw:create-container

   
kw:cruft

   
kw:crypto

   
kw:cryptography

   
kw:cryptography-lib

   
kw:cryptopp

   
kw:csp

   
kw:curl

   
kw:cutoff-date

   
kw:cycle

   
kw:cygwin

   
kw:d3

   
kw:daemon

   
kw:darcs

   
kw:darcsver

   
kw:database

   
kw:dataloss

   
kw:db

   
kw:dead-code

   
kw:deb

   
kw:debian

   
kw:debug

   
kw:deep-check

   
kw:defaults

   
kw:deferred

   
kw:delete

   
kw:deletion

   
kw:denial-of-service

   
kw:dependency

   
kw:deployment

   
kw:deprecation

   
kw:desert-island

   
kw:desert-island-build

   
kw:design

   
kw:design-review-needed

   
kw:detection

   
kw:dev-infrastructure

   
kw:devpay

   
kw:directory

   
kw:directory-page

   
kw:dirnode

   
kw:dirnodes

   
kw:disconnect

   
kw:discovery

   
kw:disk

   
kw:disk-backend

   
kw:distribute

   
kw:distutils

   
kw:dns

   
kw:do_http

   
kw:doc-needed

   
kw:docker

   
kw:docs

   
kw:docs-needed

   
kw:dokan

   
kw:dos

   
kw:download

   
kw:downloader

   
kw:dragonfly

   
kw:drop-upload

   
kw:duplicity

   
kw:dusty

   
kw:earth-dragon

   
kw:easy

   
kw:ec2

   
kw:ecdsa

   
kw:ed25519

   
kw:egg-needed

   
kw:eggs

   
kw:eliot

   
kw:email

   
kw:empty

   
kw:encoding

   
kw:endpoint

   
kw:enterprise

   
kw:enum34

   
kw:environment

   
kw:erasure

   
kw:erasure-coding

   
kw:error

   
kw:escaping

   
kw:etag

   
kw:etch

   
kw:evangelism

   
kw:eventual

   
kw:example

   
kw:excess-authority

   
kw:exec

   
kw:exocet

   
kw:expiration

   
kw:extensibility

   
kw:extension

   
kw:failure

   
kw:fedora

   
kw:ffp

   
kw:fhs

   
kw:figleaf

   
kw:file

   
kw:file-descriptor

   
kw:filename

   
kw:filesystem

   
kw:fileutil

   
kw:fips

   
kw:firewall

   
kw:first

   
kw:floatingpoint

   
kw:flog

   
kw:foolscap

   
kw:forward-compatibility

   
kw:forward-secrecy

   
kw:forwarding

   
kw:free

   
kw:freebsd

   
kw:frontend

   
kw:fsevents

   
kw:ftp

   
kw:ftpd

   
kw:full

   
kw:furl

   
kw:fuse

   
kw:garbage

   
kw:garbage-collection

   
kw:gateway

   
kw:gatherer

   
kw:gc

   
kw:gcc

   
kw:gentoo

   
kw:get

   
kw:git

   
kw:git-annex

   
kw:github

   
kw:glacier

   
kw:globalcaps

   
kw:glossary

   
kw:google-cloud-storage

   
kw:google-drive-backend

   
kw:gossip

   
kw:governance

   
kw:grid

   
kw:grid-manager

   
kw:gridid

   
kw:gridsync

   
kw:grsec

   
kw:gsoc

   
kw:gvfs

   
kw:hackfest

   
kw:hacktahoe

   
kw:hang

   
kw:hardlink

   
kw:heartbleed

   
kw:heisenbug

   
kw:help

   
kw:helper

   
kw:hint

   
kw:hooks

   
kw:how

   
kw:how-to

   
kw:howto

   
kw:hp

   
kw:hp-cloud

   
kw:html

   
kw:http

   
kw:https

   
kw:i18n

   
kw:i2p

   
kw:i2p-collab

   
kw:illustration

   
kw:image

   
kw:immutable

   
kw:impressions

   
kw:incentives

   
kw:incident

   
kw:init

   
kw:inlineCallbacks

   
kw:inotify

   
kw:install

   
kw:installer

   
kw:integration

   
kw:integration-test

   
kw:integrity

   
kw:interactive

   
kw:interface

   
kw:interfaces

   
kw:interoperability

   
kw:interstellar-exploration

   
kw:introducer

   
kw:introduction

   
kw:iphone

   
kw:ipkg

   
kw:iputil

   
kw:ipv6

   
kw:irc

   
kw:jail

   
kw:javascript

   
kw:joke

   
kw:jquery

   
kw:json

   
kw:jsui

   
kw:junk

   
kw:key-value-store

   
kw:kfreebsd

   
kw:known-issue

   
kw:konqueror

   
kw:kpreid

   
kw:kvm

   
kw:l10n

   
kw:lae

   
kw:large

   
kw:latency

   
kw:leak

   
kw:leasedb

   
kw:leases

   
kw:libgmp

   
kw:license

   
kw:licenss

   
kw:linecount

   
kw:link

   
kw:linux

   
kw:lit

   
kw:localhost

   
kw:location

   
kw:locking

   
kw:logging

   
kw:logo

   
kw:loopback

   
kw:lucid

   
kw:mac

   
kw:macintosh

   
kw:magic-folder

   
kw:manhole

   
kw:manifest

   
kw:manual-test-needed

   
kw:map

   
kw:mapupdate

   
kw:max_space

   
kw:mdmf

   
kw:memcheck

   
kw:memory

   
kw:memory-leak

   
kw:mesh

   
kw:metadata

   
kw:meter

   
kw:migration

   
kw:mime

   
kw:mingw

   
kw:minimal

   
kw:misc

   
kw:miscapture

   
kw:mlp

   
kw:mock

   
kw:more-info-needed

   
kw:mountain-lion

   
kw:move

   
kw:multi-users

   
kw:multiple

   
kw:multiuser-gateway

   
kw:munin

   
kw:music

   
kw:mutability

   
kw:mutable

   
kw:mystery

   
kw:names

   
kw:naming

   
kw:nas

   
kw:navigation

   
kw:needs-review

   
kw:needs-spawn

   
kw:netbsd

   
kw:network

   
kw:nevow

   
kw:new-user

   
kw:newcaps

   
kw:news

   
kw:news-done

   
kw:news-needed

   
kw:newsletter

   
kw:newurls

   
kw:nfc

   
kw:nginx

   
kw:nixos

   
kw:no-clobber

   
kw:node

   
kw:node-url

   
kw:notification

   
kw:notifyOnDisconnect

   
kw:nsa310

   
kw:nsa320

   
kw:nsa325

   
kw:numpy

   
kw:objects

   
kw:old

   
kw:openbsd

   
kw:openitp-packaging

   
kw:openssl

   
kw:openstack

   
kw:opensuse

   
kw:operation-helpers

   
kw:operational

   
kw:operations

   
kw:ophandle

   
kw:ophandles

   
kw:ops

   
kw:optimization

   
kw:optional

   
kw:options

   
kw:organization

   
kw:os

   
kw:os.abort

   
kw:ostrom

   
kw:osx

   
kw:osxfuse

   
kw:otf-magic-folder-objective1

   
kw:otf-magic-folder-objective2

   
kw:otf-magic-folder-objective3

   
kw:otf-magic-folder-objective4

   
kw:otf-magic-folder-objective5

   
kw:otf-magic-folder-objective6

   
kw:p2p

   
kw:packaging

   
kw:partial

   
kw:password

   
kw:path

   
kw:paths

   
kw:pause

   
kw:peer-selection

   
kw:performance

   
kw:permalink

   
kw:permissions

   
kw:persistence

   
kw:phone

   
kw:pickle

   
kw:pip

   
kw:pipermail

   
kw:pkg_resources

   
kw:placement

   
kw:planning

   
kw:policy

   
kw:port

   
kw:portability

   
kw:portal

   
kw:posthook

   
kw:pratchett

   
kw:preformance

   
kw:preservation

   
kw:privacy

   
kw:process

   
kw:profile

   
kw:profiling

   
kw:progress

   
kw:proxy

   
kw:publish

   
kw:pyOpenSSL

   
kw:pyasn1

   
kw:pycparser

   
kw:pycrypto

   
kw:pycrypto-lib

   
kw:pycryptopp

   
kw:pyfilesystem

   
kw:pyflakes

   
kw:pylint

   
kw:pypi

   
kw:pypy

   
kw:pysqlite

   
kw:python

   
kw:python3

   
kw:pythonpath

   
kw:pyutil

   
kw:pywin32

   
kw:quickstart

   
kw:quiet

   
kw:quotas

   
kw:quoting

   
kw:raic

   
kw:rainhill

   
kw:random

   
kw:random-access

   
kw:range

   
kw:raspberry-pi

   
kw:reactor

   
kw:readonly

   
kw:rebalancing

   
kw:recovery

   
kw:recursive

   
kw:redhat

   
kw:redirect

   
kw:redressing

   
kw:refactor

   
kw:referer

   
kw:referrer

   
kw:regression

   
kw:rekey

   
kw:relay

   
kw:release

   
kw:release-blocker

   
kw:reliability

   
kw:relnotes

   
kw:remote

   
kw:removable

   
kw:removable-disk

   
kw:rename

   
kw:renew

   
kw:repair

   
kw:replace

   
kw:report

   
kw:repository

   
kw:research

   
kw:reserved_space

   
kw:response-needed

   
kw:response-time

   
kw:restore

   
kw:retrieve

   
kw:retry

   
kw:review

   
kw:review-needed

   
kw:reviewed

   
kw:revocation

   
kw:roadmap

   
kw:rollback

   
kw:rpm

   
kw:rsa

   
kw:rss

   
kw:rst

   
kw:rsync

   
kw:rusty

   
kw:s3

   
kw:s3-backend

   
kw:s3-frontend

   
kw:s4

   
kw:same-origin

   
kw:sandbox

   
kw:scalability

   
kw:scaling

   
kw:scheduling

   
kw:schema

   
kw:scheme

   
kw:scp

   
kw:scripts

   
kw:sdist

   
kw:sdmf

   
kw:security

   
kw:self-contained

   
kw:server

   
kw:servermap

   
kw:servers-of-happiness

   
kw:service

   
kw:setup

   
kw:setup.py

   
kw:setup_requires

   
kw:setuptools

   
kw:setuptools_darcs

   
kw:sftp

   
kw:shared

   
kw:shareset

   
kw:shell

   
kw:signals

   
kw:simultaneous

   
kw:six

   
kw:size

   
kw:slackware

   
kw:slashes

   
kw:smb

   
kw:sneakernet

   
kw:snowleopard

   
kw:socket

   
kw:solaris

   
kw:space

   
kw:space-efficiency

   
kw:spam

   
kw:spec

   
kw:speed

   
kw:sqlite

   
kw:ssh

   
kw:ssh-keygen

   
kw:sshfs

   
kw:ssl

   
kw:stability

   
kw:standards

   
kw:start

   
kw:startup

   
kw:static

   
kw:static-analysis

   
kw:statistics

   
kw:stats

   
kw:stats_gatherer

   
kw:status

   
kw:stdeb

   
kw:storage

   
kw:streaming

   
kw:strports

   
kw:style

   
kw:stylesheet

   
kw:subprocess

   
kw:sumo

   
kw:survey

   
kw:svg

   
kw:symlink

   
kw:synchronous

   
kw:tac

   
kw:tahoe-*

   
kw:tahoe-add-alias

   
kw:tahoe-admin

   
kw:tahoe-archive

   
kw:tahoe-backup

   
kw:tahoe-check

   
kw:tahoe-cp

   
kw:tahoe-create-alias

   
kw:tahoe-create-introducer

   
kw:tahoe-debug

   
kw:tahoe-deep-check

   
kw:tahoe-deepcheck

   
kw:tahoe-lafs-trac-stream

   
kw:tahoe-list-aliases

   
kw:tahoe-ls

   
kw:tahoe-magic-folder

   
kw:tahoe-manifest

   
kw:tahoe-mkdir

   
kw:tahoe-mount

   
kw:tahoe-mv

   
kw:tahoe-put

   
kw:tahoe-restart

   
kw:tahoe-rm

   
kw:tahoe-run

   
kw:tahoe-start

   
kw:tahoe-stats

   
kw:tahoe-unlink

   
kw:tahoe-webopen

   
kw:tahoe.css

   
kw:tahoe_files

   
kw:tahoewapi

   
kw:tarball

   
kw:tarballs

   
kw:tempfile

   
kw:templates

   
kw:terminology

   
kw:test

   
kw:test-and-set

   
kw:test-from-egg

   
kw:test-needed

   
kw:testgrid

   
kw:testing

   
kw:tests

   
kw:throttling

   
kw:ticket999-s3-backend

   
kw:tiddly

   
kw:time

   
kw:timeout

   
kw:timing

   
kw:to

   
kw:to-be-closed-on-2011-08-01

   
kw:tor

   
kw:tor-protocol

   
kw:torsocks

   
kw:tox

   
kw:trac

   
kw:transparency

   
kw:travis

   
kw:travis-ci

   
kw:trial

   
kw:trickle

   
kw:trivial

   
kw:truckee

   
kw:tub

   
kw:tub.location

   
kw:twine

   
kw:twistd

   
kw:twistd.log

   
kw:twisted

   
kw:twisted-14

   
kw:twisted-trial

   
kw:twitter

   
kw:twn

   
kw:txaws

   
kw:type

   
kw:typeerror

   
kw:ubuntu

   
kw:ucwe

   
kw:ueb

   
kw:ui

   
kw:unclean

   
kw:uncoordinated-writes

   
kw:undeletable

   
kw:unfinished-business

   
kw:unhandled-error

   
kw:unhappy

   
kw:unicode

   
kw:unit

   
kw:unix

   
kw:unlink

   
kw:update

   
kw:upgrade

   
kw:upload

   
kw:upload-helper

   
kw:uri

   
kw:url

   
kw:usability

   
kw:use-case

   
kw:utf-8

   
kw:util

   
kw:uwsgi

   
kw:ux

   
kw:validation

   
kw:variables

   
kw:vdrive

   
kw:verify

   
kw:verlib

   
kw:version

   
kw:versioning

   
kw:versions

   
kw:video

   
kw:virtualbox

   
kw:virtualenv

   
kw:vista

   
kw:visualization

   
kw:visualizer

   
kw:vm

   
kw:volunteergrid2

   
kw:volunteers

   
kw:vpn

   
kw:wapi

   
kw:warners-opinion-needed

   
kw:warning

   
kw:weapi

   
kw:web

   
kw:web.port

   
kw:webapi

   
kw:webdav

   
kw:webdrive

   
kw:webport

   
kw:websec

   
kw:website

   
kw:websocket

   
kw:welcome

   
kw:welcome-page

   
kw:welcomepage

   
kw:wiki

   
kw:win32

   
kw:win64

   
kw:windows

   
kw:windows-related

   
kw:winscp

   
kw:workaround

   
kw:world-domination

   
kw:wrapper

   
kw:write-enabler

   
kw:wui

   
kw:x86

   
kw:x86-64

   
kw:xhtml

   
kw:xml

   
kw:xss

   
kw:zbase32

   
kw:zetuptoolz

   
kw:zfec

   
kw:zookos-opinion-needed

   
kw:zope

   
kw:zope.interface

   
p/blocker

   
p/critical

   
p/major

   
p/minor

   
p/normal

   
p/supercritical

   
p/trivial

   
r/cannot reproduce

   
r/duplicate

   
r/fixed

   
r/invalid

   
r/somebody else's problem

   
r/was already fixed

   
r/wontfix

   
r/worksforme

   
t/defect

   
t/enhancement

   
t/task

   
v/0.2.0

   
v/0.3.0

   
v/0.4.0

   
v/0.5.0

   
v/0.5.1

   
v/0.6.0

   
v/0.6.1

   
v/0.7.0

   
v/0.8.0

   
v/0.9.0

   
v/1.0.0

   
v/1.1.0

   
v/1.10.0

   
v/1.10.1

   
v/1.10.2

   
v/1.10a2

   
v/1.11.0

   
v/1.12.0

   
v/1.12.1

   
v/1.13.0

   
v/1.14.0

   
v/1.15.0

   
v/1.15.1

   
v/1.2.0

   
v/1.3.0

   
v/1.4.1

   
v/1.5.0

   
v/1.6.0

   
v/1.6.1

   
v/1.7.0

   
v/1.7.1

   
v/1.7β

   
v/1.8.0

   
v/1.8.1

   
v/1.8.2

   
v/1.8.3

   
v/1.8β

   
v/1.9.0

   
v/1.9.0-s3branch

   
v/1.9.0a1

   
v/1.9.0a2

   
v/1.9.0b1

   
v/1.9.1

   
v/1.9.2

   
v/1.9.2a1

   
v/cloud-branch

   
v/unknown
No labels
c/code
c/code-dirnodes
c/code-encoding
c/code-frontend
c/code-frontend-cli
c/code-frontend-ftp-sftp
c/code-frontend-magic-folder
c/code-frontend-web
c/code-mutable
c/code-network
c/code-nodeadmin
c/code-peerselection
c/code-storage
c/contrib
c/dev-infrastructure
c/docs
c/operational
c/packaging
c/unknown
c/website
kw:2pc
kw:410
kw:9p
kw:ActivePerl
kw:AttributeError
kw:DataUnavailable
kw:DeadReferenceError
kw:DoS
kw:FileZilla
kw:GetLastError
kw:IFinishableConsumer
kw:K
kw:LeastAuthority
kw:Makefile
kw:RIStorageServer
kw:StringIO
kw:UncoordinatedWriteError
kw:about
kw:access
kw:access-control
kw:accessibility
kw:accounting
kw:accounting-crawler
kw:add-only
kw:aes
kw:aesthetics
kw:alias
kw:aliases
kw:aliens
kw:allmydata
kw:amazon
kw:ambient
kw:annotations
kw:anonymity
kw:anonymous
kw:anti-censorship
kw:api_auth_token
kw:appearance
kw:appname
kw:apport
kw:archive
kw:archlinux
kw:argparse
kw:arm
kw:assertion
kw:attachment
kw:auth
kw:authentication
kw:automation
kw:avahi
kw:availability
kw:aws
kw:azure
kw:backend
kw:backoff
kw:backup
kw:backupdb
kw:backward-compatibility
kw:bandwidth
kw:basedir
kw:bayes
kw:bbfreeze
kw:beta
kw:binaries
kw:binutils
kw:bitcoin
kw:bitrot
kw:blacklist
kw:blocker
kw:blocks-cloud-deployment
kw:blocks-cloud-merge
kw:blocks-magic-folder-merge
kw:blocks-merge
kw:blocks-raic
kw:blocks-release
kw:blog
kw:bom
kw:bonjour
kw:branch
kw:branding
kw:breadcrumbs
kw:brians-opinion-needed
kw:browser
kw:bsd
kw:build
kw:build-helpers
kw:buildbot
kw:builders
kw:buildslave
kw:buildslaves
kw:cache
kw:cap
kw:capleak
kw:captcha
kw:cast
kw:centos
kw:cffi
kw:chacha
kw:charset
kw:check
kw:checker
kw:chroot
kw:ci
kw:clean
kw:cleanup
kw:cli
kw:cloud
kw:cloud-backend
kw:cmdline
kw:code
kw:code-checks
kw:coding-standards
kw:coding-tools
kw:coding_tools
kw:collection
kw:compatibility
kw:completion
kw:compression
kw:confidentiality
kw:config
kw:configuration
kw:configuration.txt
kw:conflict
kw:connection
kw:connectivity
kw:consistency
kw:content
kw:control
kw:control.furl
kw:convergence
kw:coordination
kw:copyright
kw:corruption
kw:cors
kw:cost
kw:coverage
kw:coveralls
kw:coveralls.io
kw:cpu-watcher
kw:cpyext
kw:crash
kw:crawler
kw:crawlers
kw:create-container
kw:cruft
kw:crypto
kw:cryptography
kw:cryptography-lib
kw:cryptopp
kw:csp
kw:curl
kw:cutoff-date
kw:cycle
kw:cygwin
kw:d3
kw:daemon
kw:darcs
kw:darcsver
kw:database
kw:dataloss
kw:db
kw:dead-code
kw:deb
kw:debian
kw:debug
kw:deep-check
kw:defaults
kw:deferred
kw:delete
kw:deletion
kw:denial-of-service
kw:dependency
kw:deployment
kw:deprecation
kw:desert-island
kw:desert-island-build
kw:design
kw:design-review-needed
kw:detection
kw:dev-infrastructure
kw:devpay
kw:directory
kw:directory-page
kw:dirnode
kw:dirnodes
kw:disconnect
kw:discovery
kw:disk
kw:disk-backend
kw:distribute
kw:distutils
kw:dns
kw:do_http
kw:doc-needed
kw:docker
kw:docs
kw:docs-needed
kw:dokan
kw:dos
kw:download
kw:downloader
kw:dragonfly
kw:drop-upload
kw:duplicity
kw:dusty
kw:earth-dragon
kw:easy
kw:ec2
kw:ecdsa
kw:ed25519
kw:egg-needed
kw:eggs
kw:eliot
kw:email
kw:empty
kw:encoding
kw:endpoint
kw:enterprise
kw:enum34
kw:environment
kw:erasure
kw:erasure-coding
kw:error
kw:escaping
kw:etag
kw:etch
kw:evangelism
kw:eventual
kw:example
kw:excess-authority
kw:exec
kw:exocet
kw:expiration
kw:extensibility
kw:extension
kw:failure
kw:fedora
kw:ffp
kw:fhs
kw:figleaf
kw:file
kw:file-descriptor
kw:filename
kw:filesystem
kw:fileutil
kw:fips
kw:firewall
kw:first
kw:floatingpoint
kw:flog
kw:foolscap
kw:forward-compatibility
kw:forward-secrecy
kw:forwarding
kw:free
kw:freebsd
kw:frontend
kw:fsevents
kw:ftp
kw:ftpd
kw:full
kw:furl
kw:fuse
kw:garbage
kw:garbage-collection
kw:gateway
kw:gatherer
kw:gc
kw:gcc
kw:gentoo
kw:get
kw:git
kw:git-annex
kw:github
kw:glacier
kw:globalcaps
kw:glossary
kw:google-cloud-storage
kw:google-drive-backend
kw:gossip
kw:governance
kw:grid
kw:grid-manager
kw:gridid
kw:gridsync
kw:grsec
kw:gsoc
kw:gvfs
kw:hackfest
kw:hacktahoe
kw:hang
kw:hardlink
kw:heartbleed
kw:heisenbug
kw:help
kw:helper
kw:hint
kw:hooks
kw:how
kw:how-to
kw:howto
kw:hp
kw:hp-cloud
kw:html
kw:http
kw:https
kw:i18n
kw:i2p
kw:i2p-collab
kw:illustration
kw:image
kw:immutable
kw:impressions
kw:incentives
kw:incident
kw:init
kw:inlineCallbacks
kw:inotify
kw:install
kw:installer
kw:integration
kw:integration-test
kw:integrity
kw:interactive
kw:interface
kw:interfaces
kw:interoperability
kw:interstellar-exploration
kw:introducer
kw:introduction
kw:iphone
kw:ipkg
kw:iputil
kw:ipv6
kw:irc
kw:jail
kw:javascript
kw:joke
kw:jquery
kw:json
kw:jsui
kw:junk
kw:key-value-store
kw:kfreebsd
kw:known-issue
kw:konqueror
kw:kpreid
kw:kvm
kw:l10n
kw:lae
kw:large
kw:latency
kw:leak
kw:leasedb
kw:leases
kw:libgmp
kw:license
kw:licenss
kw:linecount
kw:link
kw:linux
kw:lit
kw:localhost
kw:location
kw:locking
kw:logging
kw:logo
kw:loopback
kw:lucid
kw:mac
kw:macintosh
kw:magic-folder
kw:manhole
kw:manifest
kw:manual-test-needed
kw:map
kw:mapupdate
kw:max_space
kw:mdmf
kw:memcheck
kw:memory
kw:memory-leak
kw:mesh
kw:metadata
kw:meter
kw:migration
kw:mime
kw:mingw
kw:minimal
kw:misc
kw:miscapture
kw:mlp
kw:mock
kw:more-info-needed
kw:mountain-lion
kw:move
kw:multi-users
kw:multiple
kw:multiuser-gateway
kw:munin
kw:music
kw:mutability
kw:mutable
kw:mystery
kw:names
kw:naming
kw:nas
kw:navigation
kw:needs-review
kw:needs-spawn
kw:netbsd
kw:network
kw:nevow
kw:new-user
kw:newcaps
kw:news
kw:news-done
kw:news-needed
kw:newsletter
kw:newurls
kw:nfc
kw:nginx
kw:nixos
kw:no-clobber
kw:node
kw:node-url
kw:notification
kw:notifyOnDisconnect
kw:nsa310
kw:nsa320
kw:nsa325
kw:numpy
kw:objects
kw:old
kw:openbsd
kw:openitp-packaging
kw:openssl
kw:openstack
kw:opensuse
kw:operation-helpers
kw:operational
kw:operations
kw:ophandle
kw:ophandles
kw:ops
kw:optimization
kw:optional
kw:options
kw:organization
kw:os
kw:os.abort
kw:ostrom
kw:osx
kw:osxfuse
kw:otf-magic-folder-objective1
kw:otf-magic-folder-objective2
kw:otf-magic-folder-objective3
kw:otf-magic-folder-objective4
kw:otf-magic-folder-objective5
kw:otf-magic-folder-objective6
kw:p2p
kw:packaging
kw:partial
kw:password
kw:path
kw:paths
kw:pause
kw:peer-selection
kw:performance
kw:permalink
kw:permissions
kw:persistence
kw:phone
kw:pickle
kw:pip
kw:pipermail
kw:pkg_resources
kw:placement
kw:planning
kw:policy
kw:port
kw:portability
kw:portal
kw:posthook
kw:pratchett
kw:preformance
kw:preservation
kw:privacy
kw:process
kw:profile
kw:profiling
kw:progress
kw:proxy
kw:publish
kw:pyOpenSSL
kw:pyasn1
kw:pycparser
kw:pycrypto
kw:pycrypto-lib
kw:pycryptopp
kw:pyfilesystem
kw:pyflakes
kw:pylint
kw:pypi
kw:pypy
kw:pysqlite
kw:python
kw:python3
kw:pythonpath
kw:pyutil
kw:pywin32
kw:quickstart
kw:quiet
kw:quotas
kw:quoting
kw:raic
kw:rainhill
kw:random
kw:random-access
kw:range
kw:raspberry-pi
kw:reactor
kw:readonly
kw:rebalancing
kw:recovery
kw:recursive
kw:redhat
kw:redirect
kw:redressing
kw:refactor
kw:referer
kw:referrer
kw:regression
kw:rekey
kw:relay
kw:release
kw:release-blocker
kw:reliability
kw:relnotes
kw:remote
kw:removable
kw:removable-disk
kw:rename
kw:renew
kw:repair
kw:replace
kw:report
kw:repository
kw:research
kw:reserved_space
kw:response-needed
kw:response-time
kw:restore
kw:retrieve
kw:retry
kw:review
kw:review-needed
kw:reviewed
kw:revocation
kw:roadmap
kw:rollback
kw:rpm
kw:rsa
kw:rss
kw:rst
kw:rsync
kw:rusty
kw:s3
kw:s3-backend
kw:s3-frontend
kw:s4
kw:same-origin
kw:sandbox
kw:scalability
kw:scaling
kw:scheduling
kw:schema
kw:scheme
kw:scp
kw:scripts
kw:sdist
kw:sdmf
kw:security
kw:self-contained
kw:server
kw:servermap
kw:servers-of-happiness
kw:service
kw:setup
kw:setup.py
kw:setup_requires
kw:setuptools
kw:setuptools_darcs
kw:sftp
kw:shared
kw:shareset
kw:shell
kw:signals
kw:simultaneous
kw:six
kw:size
kw:slackware
kw:slashes
kw:smb
kw:sneakernet
kw:snowleopard
kw:socket
kw:solaris
kw:space
kw:space-efficiency
kw:spam
kw:spec
kw:speed
kw:sqlite
kw:ssh
kw:ssh-keygen
kw:sshfs
kw:ssl
kw:stability
kw:standards
kw:start
kw:startup
kw:static
kw:static-analysis
kw:statistics
kw:stats
kw:stats_gatherer
kw:status
kw:stdeb
kw:storage
kw:streaming
kw:strports
kw:style
kw:stylesheet
kw:subprocess
kw:sumo
kw:survey
kw:svg
kw:symlink
kw:synchronous
kw:tac
kw:tahoe-*
kw:tahoe-add-alias
kw:tahoe-admin
kw:tahoe-archive
kw:tahoe-backup
kw:tahoe-check
kw:tahoe-cp
kw:tahoe-create-alias
kw:tahoe-create-introducer
kw:tahoe-debug
kw:tahoe-deep-check
kw:tahoe-deepcheck
kw:tahoe-lafs-trac-stream
kw:tahoe-list-aliases
kw:tahoe-ls
kw:tahoe-magic-folder
kw:tahoe-manifest
kw:tahoe-mkdir
kw:tahoe-mount
kw:tahoe-mv
kw:tahoe-put
kw:tahoe-restart
kw:tahoe-rm
kw:tahoe-run
kw:tahoe-start
kw:tahoe-stats
kw:tahoe-unlink
kw:tahoe-webopen
kw:tahoe.css
kw:tahoe_files
kw:tahoewapi
kw:tarball
kw:tarballs
kw:tempfile
kw:templates
kw:terminology
kw:test
kw:test-and-set
kw:test-from-egg
kw:test-needed
kw:testgrid
kw:testing
kw:tests
kw:throttling
kw:ticket999-s3-backend
kw:tiddly
kw:time
kw:timeout
kw:timing
kw:to
kw:to-be-closed-on-2011-08-01
kw:tor
kw:tor-protocol
kw:torsocks
kw:tox
kw:trac
kw:transparency
kw:travis
kw:travis-ci
kw:trial
kw:trickle
kw:trivial
kw:truckee
kw:tub
kw:tub.location
kw:twine
kw:twistd
kw:twistd.log
kw:twisted
kw:twisted-14
kw:twisted-trial
kw:twitter
kw:twn
kw:txaws
kw:type
kw:typeerror
kw:ubuntu
kw:ucwe
kw:ueb
kw:ui
kw:unclean
kw:uncoordinated-writes
kw:undeletable
kw:unfinished-business
kw:unhandled-error
kw:unhappy
kw:unicode
kw:unit
kw:unix
kw:unlink
kw:update
kw:upgrade
kw:upload
kw:upload-helper
kw:uri
kw:url
kw:usability
kw:use-case
kw:utf-8
kw:util
kw:uwsgi
kw:ux
kw:validation
kw:variables
kw:vdrive
kw:verify
kw:verlib
kw:version
kw:versioning
kw:versions
kw:video
kw:virtualbox
kw:virtualenv
kw:vista
kw:visualization
kw:visualizer
kw:vm
kw:volunteergrid2
kw:volunteers
kw:vpn
kw:wapi
kw:warners-opinion-needed
kw:warning
kw:weapi
kw:web
kw:web.port
kw:webapi
kw:webdav
kw:webdrive
kw:webport
kw:websec
kw:website
kw:websocket
kw:welcome
kw:welcome-page
kw:welcomepage
kw:wiki
kw:win32
kw:win64
kw:windows
kw:windows-related
kw:winscp
kw:workaround
kw:world-domination
kw:wrapper
kw:write-enabler
kw:wui
kw:x86
kw:x86-64
kw:xhtml
kw:xml
kw:xss
kw:zbase32
kw:zetuptoolz
kw:zfec
kw:zookos-opinion-needed
kw:zope
kw:zope.interface
p/blocker
p/critical
p/major
p/minor
p/normal
p/supercritical
p/trivial
r/cannot reproduce
r/duplicate
r/fixed
r/invalid
r/somebody else's problem
r/was already fixed
r/wontfix
r/worksforme
t/defect
t/enhancement
t/task
v/0.2.0
v/0.3.0
v/0.4.0
v/0.5.0
v/0.5.1
v/0.6.0
v/0.6.1
v/0.7.0
v/0.8.0
v/0.9.0
v/1.0.0
v/1.1.0
v/1.10.0
v/1.10.1
v/1.10.2
v/1.10a2
v/1.11.0
v/1.12.0
v/1.12.1
v/1.13.0
v/1.14.0
v/1.15.0
v/1.15.1
v/1.2.0
v/1.3.0
v/1.4.1
v/1.5.0
v/1.6.0
v/1.6.1
v/1.7.0
v/1.7.1
v/1.7β
v/1.8.0
v/1.8.1
v/1.8.2
v/1.8.3
v/1.8β
v/1.9.0
v/1.9.0-s3branch
v/1.9.0a1
v/1.9.0a2
v/1.9.0b1
v/1.9.1
v/1.9.2
v/1.9.2a1
v/cloud-branch
v/unknown
Milestone
Clear milestone
No items
No milestone
1.10.1
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
daira
4 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: tahoe-lafs/trac#2193
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?