Make use of pypemicro optional or remove dependency on it altogether #30
Comments
Remove version pinning: nxp-mcuxpresso/spsdk#35 Remove use of pypemicro: nxp-mcuxpresso/pypemicro#10 nxp-mcuxpresso/spsdk#30 Remove use of pyocd-pemicro: pyocd/pyOCD#1319 Remove use of libusbsio: nxp-mcuxpresso/spsdk#36 git-svn-id: file:///srv/repos/svn-community/svn@1133098 9fca08f4-af9d-4005-b8df-a31f2cc04f65
Remove version pinning: nxp-mcuxpresso/spsdk#35 Remove use of pypemicro: nxp-mcuxpresso/pypemicro#10 nxp-mcuxpresso/spsdk#30 Remove use of pyocd-pemicro: pyocd/pyOCD#1319 Remove use of libusbsio: nxp-mcuxpresso/spsdk#36 git-svn-id: file:///srv/repos/svn-community/svn@1133098 9fca08f4-af9d-4005-b8df-a31f2cc04f65
|
@saper @mstarecek @mwsk sorry for pinging you here as well. The issue in nxp-mcuxpresso/pypemicro#10 is still unresolved, which means that packaging pypemicro somwhere downstream is still legally very questionable and from a security perspective also quite dubious. It would be very good if NXP could address this issue. |
|
That is very kind of you to tag me here but I don't have the powers to do anything about it. Still running a locally modified version of https://github.com/NXPmicro/spsdk/releases/tag/0.2.2, wonder how much it will take to update - so I can't even battle-test it. |
My bad! I was under the impression that you were somehow affiliated, having contributed to the repository!
ouf... |
|
Don't we have the same problem with https://pypi.org/project/pylink-square/ ? Maybe J-Link works with OpenOCD so one can mostly work it around, but I don't think OpenOCD can talk to pemicro stuff. |
Why? Does it also bundle shared libraries with obfuscated code from unknown origin? ;-)
That's largely what I'm doing for the downstream package: https://github.com/archlinux/svntogit-community/blob/19938f5cab9adf93da26c09ebeb8111ed1bdc59b/trunk/python-spsdk-1.6.0-remove_pypemicro.patch But given that no pull requests in this repository ever get merged I don't think providing one would make much sense for me (also I don't know what the maintainers think about this change either). |
https://pypi.org/project/pylink-square/ Python interface for the SEGGER J-Link. Requirements
maybe it works for you... |
|
|
But good news is, those packages do install, they just don't work - I don't see a problem here. |
|
pylink-square installs just fine. If people then require some custom additional non-free blob, that is not my problem as a system's packager. However, if you think that this is problematic it would probably be good to bring this up with the upstream. E.g. the SEGGER downloads are only available behind a EULA. With pypemicro it is more problematic, as the python package itself vendors a shared library of unknown origin and license (see nxp-mcuxpresso/pypemicro#10). This is nothing I can even package/redistribute legally as there is no proof whatsoever that it would be allowed. |
|
I see what you mean: I'd say this is a distribution policy problem. But if you want to disallow this, you have to patch. Maybe maintainers would be open to make both dependencies optional, i.e. removed from |
I'd go as far as saying that that is a supply chain nightmare. Spsdk is pulled in for projects such as pynitrokey which is used to interact with security tokens that store private key information. There should be no unknown shared lib involved, that can not be accounted for at all. I was very happy to see that the maintainers changed their mind in regards to libusbsio (see #36). |
|
When I was packaging it for myself for Gentoo as a dependency of pynitrokey I decided to delete the PEmicro code as I won't need it. There are two other choices of debug probes (any pyOCD probe, or JLink/pyLink) which are either fully open source or (pyLink) have the proprietary shared library as an optional part the user can install manually. |
|
Note that since 2.0.0 the patch has to be modified a bit to not modify diff -ruN a/spsdk/debuggers/utils.py b/spsdk/debuggers/utils.py
--- a/spsdk/debuggers/utils.py 2022-02-04 14:27:29.000000000 +0100
+++ b/spsdk/debuggers/utils.py 2022-02-14 00:05:11.017196467 +0100
@@ -15,7 +15,6 @@
from spsdk import SPSDKError
from spsdk.debuggers.debug_probe import DebugProbe, SPSDKDebugProbeError, SPSDKProbeNotFoundError
from spsdk.debuggers.debug_probe_jlink import DebugProbePyLink
-from spsdk.debuggers.debug_probe_pemicro import DebugProbePemicro
# Import all supported debug probe classes
from spsdk.debuggers.debug_probe_pyocd import DebugProbePyOCD
@@ -23,7 +22,6 @@
PROBES = {
"pyocd": DebugProbePyOCD,
"jlink": DebugProbePyLink,
- "pemicro": DebugProbePemicro,
}
logger = logging.getLogger(__name__)All tests pass successfully with this. Note that pynitrokey isn't yet compatible with spsdk 2.0.0. |
|
@PureTryOut thanks for the heads up! A new version of pynitrokey supporting spsdk > 2, <2.1 has just been released and adapting the patch comes in handy. 🙇 |
|
And with 2.1.0 the patch yet again would have to address I'm less and less inclined wanting to package any of this stuff.. 🙄 |
|
pypemicro is no longer in requirements.txt |
|
This lib still has a dependency on pyocd-pemicro which depends on pypemicro |
|
So do you want to reopen this issue? |
Hi! As raised in nxp-mcuxpresso/pypemicro#10 I believe that the origins of the shared libraries provided by the pypemicro package are not trustworthy enough to be shipped to users.
Please consider removing this dependency altogether or at least making it an optional dependency for this project.
From a packaging perspective I do not feel comfortable packaging spsdk with it depending on pypemicro and would remove its use from the source code if necessary, until legal claims and claims of origin are resolved for the shared libraries in question.
The text was updated successfully, but these errors were encountered: