On July 2, 2017 at 12:35:34 PM, Vasilis (andz@torproject.org) wrote:
>> As Vasilis points out you don’t actually need to install those extra dependencies via pip; they are already part of the package installation. However, you should NOT install ooniprobe via pip, as it’s not the best way to install packages that will run as root.
> I don't see a problem with installing the ooniprobe package via pip (running as root). On the contrary, it is a very well tested installation method that has been used for some time on different systems and OSes, and it is the default installation method for all lepidopter images.
> Can you elaborate a bit more on why installing ooniprobe from pip is not a recommended installation method?

For a variety of reasons:
1. Older versions of pip had pretty serious security issues where packages were downloaded in plaintext.
2. Still today, if a dependency is not hosted on an https site, pip will fail open and download it via plaintext.
3. By installing packages with pip system-wide you run the risk (and it’s actually quite likely) that the pip-installed packages will overwrite the system-installed packages, leading to an unstable system (this is especially common on Ubuntu, where the system relies heavily on python).
I think 3. is the most important point actually, especially for a user’s machine.
What I wanted to add is that pip should only ever be used on users’ machines to install software in a virtual environment. It can and will break your system, and once you pollute your system-wide installation with packages installed with pip it’s really hard to go back to a clean slate.
I think for lepidopter it’s kind of OK at the moment, given that it’s a single-purpose computer where the user may not mind if some other python software on the system breaks.
~ A.
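As an added example (not from the thread or the ooniprobe project), the script below checks a host for the condition behind point 3: a system-wide `pip install` on Debian/Ubuntu lands in `/usr/local/lib/pythonX.Y/dist-packages`, which sits earlier on `sys.path` than the apt-managed `/usr/lib/python3/dist-packages`, so the pip copy shadows the distro copy for every tool on the box. The function names and the sample directory listings are constructed for the example.

```python
"""Find pip-installed packages that shadow distro-managed ones (added example)."""
import os
import sys
from typing import Callable, Dict, Iterable, List, Tuple


def top_level_names(entries: Iterable[str]) -> set:
    """Reduce a directory listing to importable top-level names."""
    names = set()
    for e in entries:
        if e == "__pycache__":
            continue
        if e.endswith(".py"):
            names.add(e[:-3])            # six.py -> six
        elif e.endswith(".so"):
            names.add(e.split(".")[0])   # apt_pkg.cpython-39-...so -> apt_pkg
        elif "." not in e:
            names.add(e)                 # a package directory
        # anything else (.dist-info, .egg-info, .pth, .txt) is metadata
    return names


def find_shadowed(path_entries: List[str],
                  lister: Callable[[str], List[str]] = os.listdir
                  ) -> Dict[str, Tuple[str, str]]:
    """Map name -> (directory that wins at import time, directory it shadows).
    Earlier sys.path entries win; `lister` is injectable for offline testing."""
    seen: Dict[str, str] = {}
    shadowed: Dict[str, Tuple[str, str]] = {}
    for d in path_entries:
        try:
            names = top_level_names(lister(d))
        except OSError:          # '' (cwd), zip files, missing dirs
            continue
        for n in sorted(names):
            if n in seen:
                shadowed.setdefault(n, (seen[n], d))
            else:
                seen[n] = d
    return shadowed


# Constructed listings mimicking a Debian host after `sudo pip install ooniprobe`.
SAMPLE_LISTINGS = {
    "/usr/local/lib/python3.9/dist-packages": [
        "ooniprobe", "ooniprobe-0.0.dist-info", "twisted", "Twisted-0.0.dist-info",
        "six.py", "six-0.0.dist-info", "__pycache__"],
    "/usr/lib/python3/dist-packages": [
        "apt", "apt_pkg.cpython-39-x86_64-linux-gnu.so", "twisted", "six.py", "README.txt"],
}


def demo() -> Dict[str, Tuple[str, str]]:
    """Run the check over the constructed listings in sys.path order."""
    return find_shadowed(list(SAMPLE_LISTINGS), lister=lambda d: SAMPLE_LISTINGS[d])


if __name__ == "__main__":
    hits = find_shadowed([p for p in sys.path if p]) or demo()
    for name, (winner, loser) in hits.items():
        print(f"{name}: {winner} shadows {loser}")
```

Shadowing via path precedence is the common case; a pip run that overwrote files inside `/usr/lib/python3/dist-packages` in place is caught instead by `dpkg --verify`.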