Bug 2216297 - Review Request: rust-expectrl - Tool for automating terminal applications in Unix like Don libes expect
Status: CLOSED WONTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: Package Review
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nobody's working on this, feel free to take it
QA Contact: Fedora Extras Quality Assurance
Reported: 2023-06-20 19:09 UTC by blinxen
Modified: 2023-06-24 18:07 UTC
Last Closed: 2023-06-24 18:07:23 UTC

Description blinxen 2023-06-20 19:09:50 UTC
Spec URL: https://blinxen.fedorapeople.org/rust-expectrl/rust-expectrl.spec
SRPM URL: https://blinxen.fedorapeople.org/rust-expectrl/rust-expectrl-0.7.0-1.fc39.src.rpm
Description: A tool for automating terminal applications in Unix like Don libes expect.
Fedora Account System Username: blinxen

Comment 1 Fabio Valentini 2023-06-24 17:20:22 UTC
Hm, this crate is going to be problematic:

The dependency on "python" is not good, since this resolves to "python-unversioned-command", which should no longer be used. However, the source code explicitly spawns "python" processes, so this would likely need to be patched in all places to spawn "python3" instead (or patch out the "spawn_python()" functions in "src/repl.rs"). Though looking at the source code, I'm almost certain that most of this stuff is never going to be used anyway (I doubt that anything will try to spawn a PowerShell REPL on Linux).

Additionally, the "Requires: python" (which should be "python3" as well) is ending up in a void, since it does not apply to any sub-package that's being built. You'd need to move it to the "-devel" subpackage for it to have the desired effect.

However, looking at this weird crate, and the fact that it's likely only going to be used for running some tests, I'd drop the dependency and the tests that use it. It appears that only the gix-prompt crate would be affected?
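
The two spec problems raised in Comment 1 (an unversioned "python" requirement, and a "Requires" tag attached to a package that is never built) can be checked mechanically. The following is an added example, not part of the bug thread or of the package's spec: a small Python lint run over a constructed spec fragment. The names `lint_requires` and `section_pkg`, the finding codes and the sample spec are assumptions made for illustration, and it relies on the RPM behaviour that a package without a `%files` section is not built.

```python
import re

# Constructed spec fragment for illustration; it is not the spec under review.
SAMPLE_SPEC = """\
Name:     rust-expectrl
Requires: python
%description
Sample text.
%package  devel
Summary:  Sample text
Requires: python3
%description devel
Sample text.
%files    devel
%doc README.md
"""

SECTION = re.compile(r"^%(package|description|files|prep|build|install|check|changelog)\b(.*)")
REQUIRES = re.compile(r"^Requires(?:\([^)]*\))?:\s*(.+)")
UNVERSIONED = {"python", "/usr/bin/python"}

def section_pkg(args):
    """Package named on a %package/%files line; "" is the main package."""
    args = re.sub(r"-f\s+\S+", "", args)          # drop a "%files -f <list>" option
    named = re.search(r"-n\s+(\S+)", args)
    return named.group(1) if named else (args.split() or [""])[0]

def lint_requires(spec_text):
    """Return (line_no, code) findings for Requires tags, in line order."""
    pkg, in_preamble, requires, built = "", True, [], set()
    for no, line in enumerate(spec_text.splitlines(), 1):
        sec = SECTION.match(line)
        if sec:
            kind, name = sec.group(1), section_pkg(sec.group(2))
            in_preamble = kind == "package"       # only %package opens a new preamble
            if in_preamble:
                pkg = name
            elif kind == "files":
                built.add(name)                   # only packages with %files get built
        elif in_preamble and (req := REQUIRES.match(line)):
            requires.append((no, pkg, re.split(r"[,\s]+", req.group(1).strip())))
    findings = []
    for no, owner, deps in requires:
        if UNVERSIONED & set(deps):
            findings.append((no, "unversioned-python"))   # should name python3
        if owner not in built:
            findings.append((no, "unbuilt-package"))      # tag lands on no built package
    return findings
```

Calling `lint_requires(SAMPLE_SPEC)` reports both findings on the main-package `Requires: python` line and nothing for the `python3` requirement in the `devel` subpackage.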

Comment 2 blinxen 2023-06-24 18:07:23 UTC
> The dependency on "python" is not good, since this resolves to "python-unversioned-command", which should no longer be used

Any specific reason for this? Source? I tried looking into the python packaging guidelines but did not find anything relevant there.

> Additionally, the "Requires: python" (which should be "python3" as well) is ending up in a void, since it does not apply to any sub-package that's being built. You'd need to move it to the "-devel" subpackage for it to have the desired effect.

Makes sense

> It appears that only the gix-prompt crate would be affected?

```
> rg expectrl
Cargo.lock
1011:name = "expectrl"
2046: "expectrl",

gix-prompt/CHANGELOG.md
65:    - Finally update expectrl to get rid of security exception in tests ([`d45f57a`](https://github.com/Byron/gitoxide/commit/d45f57a714e29cc52239a3456cf0035c97339f73))
159:    - The first successful assertion, showing that expectrl can intercept the tty ([`8582697`](https://github.com/Byron/gitoxide/commit/8582697cc21adc5eeb67155a0e4b0e2780d37beb))
222:    - Upgrade `expectrl` - still comes with dependencies flagged as vulnerable though ([`f9312d5`](https://github.com/Byron/gitoxide/commit/f9312d5719056006267d50370d366fc316b882cf))

gix-prompt/tests/prompt.rs
11:        let mut p = expectrl::spawn("../target/debug/examples/use-askpass").unwrap();
15:        p.expect(expectrl::Eof).unwrap();
25:        let mut p = expectrl::spawn("../target/debug/examples/credentials").unwrap();
32:        p.expect(expectrl::Eof).unwrap();

gix-prompt/Cargo.toml
28:expectrl = "0.7.0"

```

Yeah it seems that way. I guess deactivating the tests is not such a bad idea here.

Closing this package review.

