Python compiler infects "immutable" bundle - how to avoid it?

Sat Feb 22 17:58:33 UTC 2020

On 2/22/20 12:46 PM, Stephan Witt wrote:
> Am 22.02.2020 um 03:35 schrieb Richard Kimberly Heck <rikiheck at lyx.org>:
>> On 2/21/20 12:08 PM, Stephan Witt wrote:
>>> Am 21.02.2020 um 12:08 schrieb Stephan Witt <st.witt at gmx.net>:
>>>> Hi pythonists,
>>>>
>>>> I’m trying to make ready for code signing on Mac.
>>>>
>>>> The idea of code signing is to ship the package with a digital
>>>> signature to guarantee the integrity of the software.
>>>>
>>>> https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Introduction/Introduction.html
>>>>
>>>> The problem now is arising: the python scripts LyX is using
>>>> are compiled on the fly and the result is placed inside the
>>>> package. That way the package looses its integrity.
>>>>
>>>> Is there any suggestion how to handle this?
>>>>
>>>> I thought about to compile and ship the scripts on my system.
>>>> But this is probably a bad idea - python at runtime can have
>>>> different version. Is it possible to suppress the on the fly
>>>> compile process and what’s the price to pay? Or is it possible
>>>> to direct it to some directory below the .lyx in users home?
>>> I've decided to ship the application with readonly directories.
>>> That way the python interpreter cannot save the compiled code
>>> onto disk to cache the result. ATM I cannot see any performance
>>> issues.
>> Yes, sorry, I do not know any way to prevent this kind of thing from
>> happening. As you
>> see, it's just a matter of caching the compilation.
>>
>> On Windows, we compile the Python files at installation. I don't know if
>> that could help.
> On Mac I'd prefer to avoid that. The python executable is not part of the
> software bundle and therefore its version at runtime is unknown.
>
> OTOH, the lyx package for Centos 7 (in EPEL) contains the precompiled
> python scripts for version 2.x (e.g. configure.pyc).
>
> https://centos.pkgs.org/7/epel-x86_64/lyx-common-2.2.3-1.el7.noarch.rpm.html
>
> But Centos 7 comes with python 2.7.5 as stable standard.
>
> The situation for the packager is more comfortable here.
>
> The standard on Mac is 2.7.17 with 10.14.6 (Mojave today) and I read
> somewhere with 10.15.x (Catalina) python3 is available. But Apple has
> announced the removal of python from standard OS:
>
> "Future versions of macOS won’t include scripting language runtimes by default, and might require you to install additional packages. If your software depends on scripting languages, it’s recommended that you bundle the runtime within the app."
>
> I’m not sure how difficult it would be to put the python universe into the LyX app.

Actually, I kind of mis-spoke. We actually install Python with LyX on
Windows, so we control what version is installed and, in principle,
could pre-compile everything before installation and include the pyc
files in the bundle. We do this because, I gather, there's some issue
about Python detection or getting the right version or something. If we
install it, we know a path to it. Anyway, if we do it there, we could
presumably something similar on OSX.

Riki