-
Notifications
You must be signed in to change notification settings - Fork 150
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
RFC: Enforcing abi3 compliance? #395
Comments
More context:
|
Just to post an update: I'm currently working on a standalone tool that scans wheels for abi3 violations. I think most of the code there will be reusable and integratable into |
@woodruffw, I read 2 different things:
The first one is not something that can be done I think. |
Sorry for the late response! Yes, I agree that enforcing abi3 compliance isn't something that can be done. I'm currently working on the aforementioned standalone tool: https://github.com/trailofbits/abi3audit |
Just following up: my company published a writeup of our findings using the tool above: https://blog.trailofbits.com/2022/11/15/python-wheels-abi-abi3audit/ In particular, a significant fraction (1/6th) of all packages containing ABI3 wheels have at least one mis-tagged wheel, suggesting that there would be a significant ecosystem benefit to automated detection. |
Thanks for the update. I saw that it only supports cp310+, it probably is a showstopper for now if we want to make that check mandatory ? |
Yep, I wrote it for 3.10+ because it was greenfield. I'm happy to port it downwards to 3.7 or 3.8, though, if it would help with integrations. I was thinking that it probably makes sense to make the check mandatory, since users otherwise won't know to opt into it and it shouldn't have any false positives. But I'm open to either approach! |
JFYI: We've cut a release ( |
First of all, thanks a ton for maintaining
auditwheel
! I've been a happy user for years.Has anybody considered extending
auditwheel
to double-check that a wheel'sabi3
tag is actually consistent with its contents? I can see this being useful/valuable to the community for a handful of reasons:abi3
tag in a wheel filename is just metadata, not a strong signal that the wheel is actuallyabi3
compatible with a particular Python version.abi3
compatible is to use setuptools'--py-limited-abi=...
flag, which doesn't actually set the underlyingPy_LIMITED_API
macro on any native extension builds. As such, it's possible that some wheels currently tagged asabi3
on PyPI and other indices are not actuallyabi3
, and are working purely by luck.In both cases, being tagged as
abi3
but not actually beingabi3
has reliability (hard to debug crashes because of ABI changes) and security (memory corruption from the same) implications.If there's interest in this, it's something I can look into.
The text was updated successfully, but these errors were encountered: