Make "./configure --enable-download-from-upstream-url" the default

[mkoeppe]

This has been available since 9.3 and may be ready for general consumption

See also: #32406 Make ./configure --enable-editable the default

Depends on #34766

CC: @kliem @jhpalmieri

Component: build

Author: Matthias Koeppe

Branch/Commit: 6a3da67

Reviewer: Dima Pasechnik

Issue created by migration from https://trac.sagemath.org/ticket/32390

[dimpase]

comment:1

I'd also make "enable-dowload-from-upstream-url" default

[kliem]

comment:2

Replying to @dimpase:

I'd also make "enable-dowload-from-upstream-url" default

-1

Just downloading something from some url and installling it is something, I would want to be notified about. I think it is opt-in and not opt-out.

(I opted in, but I still think this is a choice, a user has to make.)

[dimpase]

comment:3

Replying to @kliem:

Replying to @dimpase:

I'd also make "enable-dowload-from-upstream-url" default

-1

Just downloading something from some url and installling it is something, I would want to be notified about. I think it is opt-in and not opt-out.

it's checking the checksums.
Why would you trust Sage mirrors more - do you think that
our checksums are not secure?

(I opted in, but I still think this is a choice, a user has to make.)

[mkoeppe]

comment:4

I have rededicated this ticket to the topic of discussion taking place in the comments.

[mkoeppe]

comment:8

As a compromise, we could also do a yes/no prompt when --enable-dowload-from-upstream-url has not been used; just like we do when experimental packages are to be installed

[dimpase]

comment:11

just make it default. The only security problem here would be a rogue branch with checksums verifying a rogue package. It's only very marginally less secure than packages from our mirrors.

[jhpalmieri]

comment:12

I agree that it should be the default. As long as we maintain the practice of keeping our own copies of current versions of package tarballs on Sage mirrors (and I think we should maintain this), then this will only affect developers testing a new release of some package. The security problems are pretty small, I think.

Regarding "Just downloading something from some url and installing it is something, I would want to be notified about", I think that occasionally we miss a package and so this happens anyway. Maybe we've patched something to prevent this? Do any of the github actions (or similar) test building Sage without an internet connection?

[jhpalmieri]

comment:14

Time to revisit this?

[mkoeppe]

Branch: u/mkoeppe/make____configure___enable_download_from_upstream_url__the_default

[mkoeppe]

Author: Matthias Koeppe

[mkoeppe]

Commit: 3e0e1dc

[mkoeppe]

New commits:

3e0e1dc

configure.ac: Make --enable-download-from-upstream-url the default

[sagetrac-git]

Changed commit from 3e0e1dc to 362f454

[sagetrac-git]

Branch pushed to git repo; I updated commit sha1. New commits:

362f454

.github/workflows/dist.yml (release_dist): Use --disable-download-from-upstream-url

[mkoeppe]

comment:20

Replying to John Palmieri:

Regarding "Just downloading something from some url and installing it is something, I would want to be notified about", I think that occasionally we miss a package and so this happens anyway.

Yes, we have a GH Actions workflow (release_dist) that checks that at least all standard packages exist on the mirror (because make dist downloads them all and puts them in the sdist tarball). We do not have such a check for optional packages.

[dimpase]

Reviewer: Dima Pasechnik

[dimpase]

comment:21

this works

[mkoeppe]

comment:22

Thank you!

[vbraun]

comment:23

Merge failure on top of:

34266283ab5 Trac #29360: change_ring() should preserve sparsity of vectors and vector spaces

1f56ce0e9d7 Trac #27652: parent of plethysm

019537d9929 Trac #34693: Further support for matplotlib 3.6

59e9f7b4f01 Trac #34658: Update numpy to 1.23.5, scipy 1.9.3, networkx 2.8.8, meson_python 0.11.0

6d03a671290 Trac #34593: Document and manage temporary directories

454290087ec Trac #33842: Upgrade python to 3.11

f53f07a Trac #34766: GH Actions: Update actions

795383f Trac #34728: change sorting for WeierstrassIsomorphism

2cec793 Trac #33562: Bad error message for weighted adjacency matrix

3670306 Trac #34740: dead hyperlinks in developer manual

9666ae7 Trac #34722: some code cleanup in WeierstrassIsomorphism

f41abf6 Trac #34759: some details in filtered simplicial complexes

dfc299b Trac #34756: Documentation regarding setting up SageMath's Jupyter kernel in an existing installation points to wrong directory

513a7bc Trac #34753: fix all W391 in pyx files

7503e42 Trac #34751: Update sage tutorial

623ea74 Trac #34745: modernize super in algebras/ again

f2fa759 Trac #34741: OS X 13: filter out dylib warning

a4748c3 Trac #34738: tiny details in symbolic min and max

fb213df Trac #34769: use libgap in simplicial_complex

01beb6a Trac #34765: meson: Add spkg-configure.m4

d94c733 Trac #34762: Fix random chain complex doctest

b3398f0 Trac #34761: Remove src/sage/libs/fes.pyx

3c42a39 Trac #34754: Remove module-level imports from sage.plot

0d12058 Trac #34569: Fix some quasimodular forms rings methods for congruence subgroups

84f02af Updated SageMath version to 9.8.beta4

merge was not clean: conflicts in .github/workflows/dist.yml

[mkoeppe]

Dependencies: #34766

[sagetrac-git]

Branch pushed to git repo; I updated commit sha1. New commits:

bd193c4	.github/workflows: Update actions
6a3da67	Merge #34766

[sagetrac-git]

Changed commit from 362f454 to 6a3da67

[vbraun]

Changed branch from u/mkoeppe/make____configure___enable_download_from_upstream_url__the_default to 6a3da67