Re: [W3af-develop] W3af Ubuntu 13.10
From: Andres R. <and...@gm...> - 2014-02-12 16:53:18
On Wed, Feb 12, 2014 at 1:15 PM, Taras <ox...@ox...> wrote:
> Andres,
>
> Sorry for delayed reply.
>
>> Not sure if I'm understanding your point.
>>
>>   * The pdfminer issue occurred because we had this requirement:
>>     pdfminer (no version requirement)
>>   * If we specify something like: pdfminer>=3, then we're fine until
>>     they release version 4 which breaks their API and w3af breaks
>
> Breaking of API is unusual and infrequent case in normal software.

Agreed, but we already found one issue with this and don't want to
find more in the future. I thought that specifying the exact version
was the best solution, but at least for what you're saying, it is not.
Can you propose a solution that will be bullet-proof?

> In another case it will break current package system ideology in Linux distros.

Not sure why you say that? Could you please explain?

> Just try to find e.g. in Ubuntu repository package with such strict
> dependencies. It will be difficult task!

Which command do I run to get such a list?

Also, there should be a way in ubuntu packaging to solve this
issue... I believe it's not a big deal and we're not unique. I bet
there are many packages which are in this dilemma:

    * Package A depends on library X version 1
    * Package B depends on library X version 2
    * A won't work with X.2
    * B won't work with X.1

We certainly need a packaging expert for solving this part of the
discussion! I don't know enough about it, or care enough to learn. If
in the future someone wants to package w3af, I'll try to remember this
discussion and let him know.

>
>>   * If we specify the version: pdfminer==3, then we're fine for ever.
>
> Yes, we're fine, but **who** and **how** will be able to install and use
> w3af? Virtualenv is not solution for the end user. Only for development.

Who? Every user
How?

    git clone ...
    cd w3af
    ./w3af_console
    <follow steps in output>

The only problem I see here is that when following the steps in the
output this might happen:

    * User installed in the past package A version 2 using apt-get install
    * User installs w3af using the instructions above
    * w3af requires A version 3
    * By following the instructions, A.2 is overwritten by A.3

Is that what is worrying you?

>
>>
>>> In a message of 1 February 2014 14:36:05, Taras wrote:
>>>>
>>>> Andres,
>>>>
>>>> When I talked about packaging problem I meant problems with supported
>>>> versions of e.g. python libs for current popular distros. Consider we have
>>>> e.g. some Debian/Ubuntu distro and want to package/install w3af from
>>>> official repo. w3af from feature/package branch requires lxml version
>>>> exactly 2.3.2, but supported and packaged version of lxml for Ubuntu 13.10
>>>> is 3.2.0!
>>>>
>>>> $ apt-cache show python-lxml
>>>> Package: python-lxml
>>>> Priority: optional
>>>> Section: python
>>>> Installed-Size: 2390
>>>> Maintainer: Ubuntu Developers <ubu...@li...>
>>>> Original-Maintainer: Matthias Klose <do...@de...>
>>>> Architecture: amd64
>>>> Source: lxml
>>>> Version: 3.2.0-1
>>>>
>>>> Because of that you can't simply make and provide w3af through official
>>>> repo. No one package maintainer will support several packaged minor
>>>> versions of single lib. And for the end user there is only one way to
>>>> install and use w3af. It is virtualenv + git clone :(
>>>>
>>>>>> 1. It makes impossible to package&install w3af, e.g. into deb package,
>>>>>> doesn't it?
>>>>>
>>>>> That's a good question, I'm not packaging expert but I suppose there
>>>>> is a solution? Also I suppose that this was an issue in the past,
>>>>> without the specific version requirement? Let's follow this timeline:
>>>>>
>>>>>     * (assume) w3af is packaged in debian. Requires extra package
>>>>>       python-pdfminer-v1. No check for specific version of any pip package.
>>>>>     * foo is another debian package. Requires extra package
>>>>>       python-pdfminer-v2
>>>>>     * User installs w3af: apt-get install w3af
>>>>>     * Run w3af, it works
>>>>>     * User installs foo: apt-get install foo
>>>>>         - Command will warn that it will break the w3af install? (not
>>>>>           sure, not a packaging expert)
>>>>>         - Command will succeed and replace python-pdfminer-v1 with
>>>>>           python-pdfminer-v2
>>>>>     * Run foo, it works
>>>>>     * Run w3af, it fails because now python-pdfminer-v2, which changes
>>>>>       the API is installed
>>>>>
>>>>>> 2. If w3af requires 3rd party A version 1 and another application on the
>>>>>> system also requires 3rd party A but version 1.1, how it will be solved by
>>>>>> the user?
>>>>>
>>>>> First, let's understand that this was an issue in the past too, right?
>>>>>
>>>>> You can always use virtualenv:
>>>>>     $ virtualenv w3af-venv
>>>>>     $ . w3af-venv/bin/activate
>>>>>     (w3af-venv)$ cd w3af-repo
>>>>>     (w3af-venv)/w3af-repo$ ./w3af_console
>>>>>     (w3af-venv)/w3af-repo$ pip install ...
>>>>>
>>>>> All the packages are installed inside the w3af-venv directory, and
>>>>> while your prompt says "w3af-venv" you're using that specific python
>>>>>
>>>>> Regards,
>>>>>
>>>>>> In a message of 29 January 2014 19:03:23, Andres Riancho wrote:
>>>>>>>
>>>>>>> Taras,
>>>>>>>
>>>>>>> Added that because it is the best thing to do. Search the mailing
>>>>>>> list for the issue we had with pdfminer, what happened there was:
>>>>>>>
>>>>>>>     * w3af had a requirement for pdfminer, any version
>>>>>>>     * w3af worked without issues with version 1 of that library
>>>>>>>     * The pdfminer developers released version 2 of that library
>>>>>>>     * People trying to install w3af, and because the requirement
>>>>>>>       didn't have any specific version installed pdfminer like "pip install
>>>>>>>       pdfminer"
>>>>>>>     * w3af stopped working because pdfminer changed its API, and
>>>>>>>       one of the functions we were calling wasn't there anymore
>>>>>>>     * Fix> Add specific version matching for pip packages
>>>>>>>
>>>>>>> On Wed, Jan 29, 2014 at 5:46 PM, Taras <ox...@ox...> wrote:
>>>>>>>>
>>>>>>>> I was wrong...I have working **master** branch :(
>>>>>>>>
>>>>>>>> Andres, why did you add requirement for **exact** match of versions in
>>>>>>>> 'feature/module' branch?
>>>>>>>>
>>>>>>>> $ grep -B5 'version matches' w3af/core/controllers/dependency_check/dependency_check.py
>>>>>>>>
>>>>>>>>     for w3af_req in pip_packages:
>>>>>>>>         if USE_PIP_MODULE:
>>>>>>>>             dependency_specs = w3af_req.package_name, w3af_req.package_version
>>>>>>>>             for dist in pip_distributions:
>>>>>>>>                 if (dist.project_name, dist.version) == dependency_specs:
>>>>>>>>                     # It's installed and the version matches!
>>>>>>>>
>>>>>>>> ...
>>>>>>>>
>>>>>>>> In a message of 26 January 2014 14:39:14, Taras wrote:
>>>>>>>>>
>>>>>>>>> Israel, I have working "feature/module" version of w3af on 13.10
>>>>>>>>> What problems do you have?
>>>>>>>>>
>>>>>>>>> In a message of 22 January 2014 21:53:48, Andres Riancho wrote:
>>>>>>>>>>
>>>>>>>>>> Israel,
>>>>>>>>>>
>>>>>>>>>> Haven't tried with that specific version, but what's wrong with:
>>>>>>>>>>
>>>>>>>>>>     git clone gi...@gi...:andresriancho/w3af.git
>>>>>>>>>>     cd w3af
>>>>>>>>>>     git checkout feature/module
>>>>>>>>>>     ./w3af_console
>>>>>>>>>>
>>>>>>>>>> On Wed, Jan 22, 2014 at 6:00 PM, Israel Duvdavan
>>>>>>>>>> <isr...@gm...> wrote:
>>>>>>>>>>>
>>>>>>>>>>> Hi, does anyone have a working way to install W3af on 13.10?
>>>>>>>>>>> --
>>>>>>>>>>> Israel
>>>>>>>>>>>
>>>>>>>>>>> _______________________________________________
>>>>>>>>>>> W3af-develop mailing list
>>>>>>>>>>> W3a...@li...
>>>>>>>>>>> https://lists.sourceforge.net/lists/listinfo/w3af-develop
>>>>>>>>
>>>>>>>> --
>>>>>>>> Taras
>>>>>>>> https://www.oxdef.info
>>>>>>
>>>>>> --
>>>>>> Taras
>>>>>> https://www.oxdef.info
>>>
>>> --
>>> Taras
>>> https://www.oxdef.info
>
> --
> Taras
> https://www.oxdef.info

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
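
Added example, not part of the original message and not w3af's own code: a minimal requirement checker that runs the three policies debated in this thread (no version, exact `==` match, bounded range) against one installed set. The range bounds and the simplified version parser are assumptions; the lxml versions are the ones quoted in the thread, and pdfminer 1 and 2 are the thread's illustrative release numbers.

```python
import re

# Three-way comparison result (-1, 0, 1) -> does the clause hold?
OPS = {"==": lambda c: c == 0, "!=": lambda c: c != 0,
       ">=": lambda c: c >= 0, "<=": lambda c: c <= 0,
       ">": lambda c: c > 0, "<": lambda c: c < 0}

def parse_version(text):
    """'3.2.0-1' -> (3, 2, 0); the Debian revision after '-' is ignored."""
    return tuple(int(p) for p in text.split("-", 1)[0].split("."))

def compare(a, b):
    """Three-way compare with zero padding, so (2,) equals (2, 0, 0)."""
    width = max(len(a), len(b))
    a, b = a + (0,) * (width - len(a)), b + (0,) * (width - len(b))
    return (a > b) - (a < b)

def satisfies(installed, spec):
    """spec: comma-separated clauses such as '>=1,<2'; '' means any version."""
    have = parse_version(installed)
    for clause in filter(None, (c.strip() for c in spec.split(","))):
        match = re.fullmatch(r"(==|!=|>=|<=|>|<)\s*(\d+(?:\.\d+)*)", clause)
        if match is None:
            raise ValueError("unsupported clause: %r" % clause)
        op, wanted = match.groups()
        if not OPS[op](compare(have, parse_version(wanted))):
            return False
    return True

def check(requirements, installed):
    """Map each required name to 'ok', 'missing' or a conflict description."""
    report = {}
    for name, spec in requirements.items():
        if name not in installed:
            report[name] = "missing"
        elif satisfies(installed[name], spec):
            report[name] = "ok"
        else:
            report[name] = "conflict: have %s, need %s" % (installed[name], spec)
    return report

# Constructed sample: what the distro provides vs. three requirement policies.
INSTALLED = {"lxml": "3.2.0-1", "pdfminer": "2"}
POLICIES = {
    "unpinned": {"lxml": "", "pdfminer": ""},
    "exact": {"lxml": "==2.3.2", "pdfminer": "==1"},
    "bounded": {"lxml": ">=2.3.2,<4", "pdfminer": ">=1,<2"},  # assumed ranges
}

if __name__ == "__main__":
    for label, reqs in POLICIES.items():
        print(label, check(reqs, INSTALLED))
```

The unpinned policy accepts the API-breaking pdfminer silently, the exact pin rejects the distro's lxml, and the bounded range accepts the distro's lxml while still flagging the breaking pdfminer release.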