On SELinux systems, with the dev-python/networkx-2.6.2 upgrade, fortran now wants to be pulled in due to the dependency on scipy/LAPACK: - These are the packages that would be merged, in order: Calculating dependencies... done! [ebuild U ] sys-libs/pam-1.5.1-r1::gentoo [1.5.1::gentoo] USE="(audit) filecaps (selinux) (split-usr) -berkdb -debug -nis" 0 KiB [ebuild R ] sys-devel/gcc-10.3.0-r2:10::gentoo USE="(cxx) fortran* hardened lto nls nptl openmp pgo (pie) sanitize (ssp) (-ada) -d -debug -doc (-fixed-point) -go -graphite -jit (-libssp) (-multilib) -objc -objc++ -objc-gc (-pch) -systemtap -test -vanilla -vtv -zstd" 0 KiB [ebuild N ] virtual/fortran-0::gentoo USE="openmp" 0 KiB [ebuild N ] sci-libs/lapack-3.9.0-r1::gentoo USE="-deprecated -doc -eselect-ldso -lapacke -test" 7358 KiB [ebuild N ] dev-cpp/eigen-3.3.9:3::gentoo USE="openmp (-cuda) -debug -doc -test" 2093 KiB [ebuild N ] virtual/lapack-3.8::gentoo USE="-eselect-ldso" 0 KiB [ebuild N ] virtual/cblas-3.8::gentoo USE="-eselect-ldso" 0 KiB [ebuild N ] virtual/blas-3.8::gentoo USE="-eselect-ldso" 0 KiB [ebuild N ] sci-libs/arpack-3.8.0::gentoo USE="-doc -examples -mpi" 991 KiB [ebuild N ] dev-python/pybind11-2.6.2::gentoo USE="-test" PYTHON_TARGETS="python3_9 (-python3_10) -python3_8" 633 KiB [ebuild R ] dev-python/numpy-1.21.1::gentoo USE="lapack* -doc -test" PYTHON_TARGETS="python3_9 (-python3_10) -python3_8" 0 KiB [ebuild N ] dev-python/scipy-1.6.3::gentoo USE="-doc -sparse -test" PYTHON_TARGETS="python3_9 (-python3_10) -python3_8" 26551 KiB [ebuild N ] dev-python/numexpr-2.7.3::gentoo USE="(-mkl)" PYTHON_TARGETS="python3_9 (-python3_10) -python3_8" 112 KiB [ebuild N ] dev-python/bottleneck-1.3.2::gentoo USE="-test" PYTHON_TARGETS="python3_9 (-python3_10) -python3_8" 101 KiB [ebuild N ] dev-python/pandas-1.2.4::gentoo USE="-X (-doc) -full-support -minimal -test" PYTHON_TARGETS="python3_9 -python3_8" 5341 KiB [ebuild U ] dev-python/networkx-2.6.2::gentoo [2.5::gentoo] USE="-examples -extras -test -xml -yaml (-pandas%) (-scipy%)" PYTHON_TARGETS="python3_9 (-python3_10) -python3_8" 1799 KiB [ebuild U ] sys-apps/dbus-1.12.20-r3::gentoo [1.12.20-r2::gentoo] USE="(selinux) -X -debug -doc -elogind -static-libs (-systemd) -test -user-session" 0 KiB However, networkx does not have a hard-dependency on either pandas or scipy: - https://github.com/networkx/networkx/blob/main/INSTALL.rst - https://github.com/networkx/networkx/blob/main/setup.py#L165-L169 I placed the updated ebuild in a local overlay and removed the dependency lines, and indeed the SELinux tools work fine without them.
(This seems to be causing issues for releng@ as it's causing Fortran to be dragged in, hence CCing them.) It looks like the new release of networkx moves towards deprecating some of the non-scipy backed implementations, and while they exist for now, this problem may well resurface in the future. This seems relevant: https://github.com/networkx/networkx/pull/4967. Seems like we could try split some of the deps into another USE flag I guess for the purposes of the SELinux tools.
It used to have a hard-depend shortly, then they've reverted it. I'm more surprised that stages are pulling networkx in the first place.
Here's the dependency chain: emerge: there are no ebuilds built with USE flags to satisfy "sys-devel/gcc[fortran,openmp?]". !!! One of the following packages is required to complete your request: - sys-devel/gcc-9.4.0::gentoo (Change USE: +fortran) (dependency required by "virtual/fortran-0::gentoo" [ebuild]) (dependency required by "sci-libs/lapack-3.9.0-r1::gentoo" [ebuild]) (dependency required by "virtual/blas-3.8::gentoo" [ebuild]) (dependency required by "sci-libs/arpack-3.8.0::gentoo" [ebuild]) (dependency required by "dev-python/scipy-1.6.3::gentoo[-test]" [ebuild]) (dependency required by "dev-python/bottleneck-1.3.2::gentoo[-test]" [ebuild]) (dependency required by "dev-python/pandas-1.3.1::gentoo[-minimal]" [ebuild]) (dependency required by "dev-python/networkx-2.6.2::gentoo" [ebuild]) (dependency required by "app-admin/setools-4.4.0::gentoo" [installed]) (dependency required by "sys-apps/selinux-python-3.2::gentoo[-test]" [installed]) (dependency required by "sys-apps/policycoreutils-3.2::gentoo" [installed]) (dependency required by "sec-policy/selinux-shutdown-2.20210203-r1::gentoo" [ebuild]) (dependency required by "sys-apps/sysvinit-2.99::gentoo" [installed]) (dependency required by "sys-apps/openrc-0.43.5::gentoo[-sysv-utils]" [ebuild]) (dependency required by "net-misc/netifrc-0.7.3::gentoo" [installed])
FWICS selinux-python doesn't use parts of setools that actually require networkx... but the whole import models is totally misdesigned, and it imports everything ever added to setools. I suppose I can come up with a patch.
Created attachment 735475 [details, diff] selinux-imports.patch Could you try this patch to selinux-python? That, plus making dep on networkx in setools optional should resolve the immediate issue.
I've applied the patch and the utilities in selinux-python/setools work correctly.
ping
The bug has been closed via the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=65a8caada278ace834cf6d6e36e3b5b2ada0c858 commit 65a8caada278ace834cf6d6e36e3b5b2ada0c858 Author: Sam James <sam@gentoo.org> AuthorDate: 2021-09-19 06:30:17 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2021-09-19 06:30:30 +0000 app-admin/setools: make networkx dep optional Closes: https://bugs.gentoo.org/809038 Signed-off-by: Sam James <sam@gentoo.org> app-admin/setools/{setools-4.4.0.ebuild => setools-4.4.0-r1.ebuild} | 4 ++-- app-admin/setools/setools-9999.ebuild | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) Additionally, it has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=91ebad34fdd2900c65166dc14fd583fd6b75cc3a commit 91ebad34fdd2900c65166dc14fd583fd6b75cc3a Author: Michał Górny <mgorny@gentoo.org> AuthorDate: 2021-09-19 06:17:09 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2021-09-19 06:30:29 +0000 sys-apps/selinux-python: don't import all of setools Bug: https://bugs.gentoo.org/809038 Signed-off-by: Michał Górny <mgorny@gentoo.org> Signed-off-by: Sam James <sam@gentoo.org> .../selinux-python-3.2-optional-networkx.patch | 271 +++++++++++++++++++++ ...hon-3.2.ebuild => selinux-python-3.2-r1.ebuild} | 4 + 2 files changed, 275 insertions(+)
I still get issues without NetworkX, patch submitted upstream: https://lore.kernel.org/selinux/20210919130904.59107-1-jason@perfinion.com/T/#u # semanage export Traceback (most recent call last): File "/usr/lib/python-exec/python3.9/semanage", line 29, in <module> import seobject File "/usr/lib/python3.9/site-packages/seobject.py", line 33, in <module> import sepolicy File "/usr/lib/python3.9/site-packages/sepolicy/__init__.py", line 15, in <module> from setools.boolquery import BoolQuery File "/usr/lib/python3.9/site-packages/setools/__init__.py", line 94, in <module> from .infoflow import InfoFlowAnalysis File "/usr/lib/python3.9/site-packages/setools/infoflow.py", line 24, in <module> import networkx as nx ModuleNotFoundError: No module named 'networkx' # semanage export Traceback (most recent call last): File "/usr/lib/python-exec/python3.9/semanage", line 29, in <module> import seobject File "/usr/lib/python3.9/site-packages/seobject.py", line 33, in <module> import sepolicy File "/usr/lib/python3.9/site-packages/sepolicy/__init__.py", line 15, in <module> from setools.boolquery import BoolQuery File "/usr/lib/python3.9/site-packages/setools/__init__.py", line 98, in <module> from .dta import DomainTransitionAnalysis, DomainEntrypoint, DomainTransition File "/usr/lib/python3.9/site-packages/setools/dta.py", line 27, in <module> import networkx as nx ModuleNotFoundError: No module named 'networkx'
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9f71727658471fee1873b279387edf2ebaf10d76 commit 9f71727658471fee1873b279387edf2ebaf10d76 Author: Jason Zaman <perfinion@gentoo.org> AuthorDate: 2021-09-19 13:17:19 +0000 Commit: Jason Zaman <perfinion@gentoo.org> CommitDate: 2021-09-19 13:22:13 +0000 app-admin/setools: Make NetworkX dep optional selinux commit ba23ba068364ab11ff51f52bd1e20e3c63798a62 "python: Import specific modules from setools for less deps" Makes userspace tools only need specific parts of setools so that the NetworkX dep can be dropped for minimal installations. Unfortunately the __init__ still imports the parts which require NetworkX. Wrap them in try except to guard for missing NetworkX. Bug: https://bugs.gentoo.org/809038 Package-Manager: Portage-3.0.20, Repoman-3.0.3 Signed-off-by: Jason Zaman <perfinion@gentoo.org> ...01-__init__.py-Make-NetworkX-dep-optional.patch | 62 ++++++++++++++++++++++ ...ols-4.4.0-r1.ebuild => setools-4.4.0-r2.ebuild} | 3 +- 2 files changed, 64 insertions(+), 1 deletion(-)
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=623c029d762d84af78b897536357119470189abf commit 623c029d762d84af78b897536357119470189abf Author: Arthur Zamarin <arthurzam@gentoo.org> AuthorDate: 2021-09-20 13:11:16 +0000 Commit: Arthur Zamarin <arthurzam@gentoo.org> CommitDate: 2021-09-20 13:11:16 +0000 dev-python/networkx: make all dependencies optional - Make all dependencies as optional, in accordance to upstream https://github.com/networkx/networkx/commit/5b86d913117ee22d9522755d607b5c6256cd57b9 - Remove all USE flags, as those are just runtime optional deps - Remove examples USE flag, as those are installed unconditionally by build system - bump to EAPI=8 - test dependencies were selected as minimal as possible Bug: https://bugs.gentoo.org/809038 Signed-off-by: Arthur Zamarin <arthurzam@gentoo.org> dev-python/networkx/networkx-2.6.3.ebuild | 40 +++++++++++++------------------ 1 file changed, 17 insertions(+), 23 deletions(-)
