Audit complains about python extension modules being linked to Python framework binary, but upstream is using python-config


(Alexei Colin) #1

I’m packaging tdb (trivialdb) library (hosted by Samba). Audit is not passing due to this complaint:

* python modules have explicit framework links
  These python extension modules were linked directly to a Python
  framework binary. They should be linked with -undefined dynamic_lookup
  instead of -lpython or -framework Python.

But, upstream is using python-config --ldflags to get the linking flags to link the python extension, which return -lpython2.7 -ldl. This seems to be the correct way.

Am I supposed to convince upstream to add an option into their build system to override these flags specifically to make Homebrew happy? This is not viable.

How is this handled in other packages?


(Andrew Bartlett) #2

As I mention in the (now closed) PR https://github.com/samba-team/samba/pull/203#issuecomment-409411462 Samba’s use of python is perhaps unique in that we have not only python modules but a shared helper library, re-used in the modules and elsewhere, in a number of the sub-projects (talloc, ldb) that uses the CPython API.

Additionally we are about to move to a new waf and to python3 which will change things again.