Configure ruff #1028
Configure ruff #1028
Conversation
| @@ -361,12 +352,12 @@ def overall_update_status(results): | |||
|
|
|||
| if updates_failed: | |||
| return UpdateStatus.UPDATES_FAILED | |||
| elif reboot_required: | |||
| if reboot_required: | |||
There was a problem hiding this comment.
(this one's always gonna be weird for me because I feel like the elif is more readable and more like defensive coding even though it's not technically necessary. but okay, ruff.)
There was a problem hiding this comment.
Actually the securedrop-client project ignores these specific ruff rules specifically for readability: https://github.com/freedomofpress/securedrop-client/blob/main/pyproject.toml#L67C1-L68
I ended up not ignoring them here just because it only affected a few places. But we could certainly ignore them here too if you want.
There was a problem hiding this comment.
Thanks for pointing that out, it explains why this stuck out at me so much.
Sorry to nitpick, but for the sake of consistency, let's add back the rules that are specifically about readability, so that we have the same standards on all projects.
So that would be, to my eye
# superflous-else- rules, find they hurt readability
"RET505", "RET506", "RET507", "RET508",
# Find contextlib.suppress() is harder to read
"SIM105",
# Find ternary statements harder to read
"SIM108",
# Using any()/all() can be harder to read
"SIM110",
There was a problem hiding this comment.
Can we re-run the automated fixes now that those rules are suppressed? i.e. back out these changes here and elsewhere
|
Thanks for preparing this, this looks great. I'm going to look into the lock file issue now. We use the lockfile only in the Updater/+Notifier, eg to make sure that we're not bugging the user to run updates while they're already running updates. (Edit: I remember something vaguely upsetting, like closing the file will remove all locks. But I'm trying to refresh my memory.) |
|
tldr: good bugfinding eye, but as far as I can tell, we can leave the lock file logic as is. The lock is attached to the life of the process (in our case the updater or notifier job), and closing the file would release any locks that were being held by another process. 😒 The same process that obtains the shared lock can obtain the exclusive lock later. more:
the python docs weren't as illuminating but this other article on lwn was also helpful. So....I think this is okay, specifically because of the short-lived nature of the updater and notifier, as opposed to obtaining a temporary lock that should not last the length of eg a long-running application. But we could comment or document this issue better, and |
micahflee
dismissed
rocodes’s stale review
The merge-base changed after approval.
micahflee
dismissed
rocodes’s stale review
The merge-base changed after approval.
| poetry run isort . | ||
| .PHONY: check-ruff | ||
| check-ruff: ## Check Python source code formatting with ruff | ||
| poetry run ruff check |
There was a problem hiding this comment.
I think we also need to check ruff format - https://github.com/freedomofpress/securedrop-client/blob/2e2fdca7d280044e54578c5d4a6643a3207c77e5/Makefile#L34
| @@ -38,10 +39,11 @@ def destroy_vm(vm): | |||
| Destroys a single VM instance. Requires arg to be | |||
| QubesVM object. | |||
| """ | |||
| assert SDW_DEFAULT_TAG in vm.tags | |||
| if SDW_DEFAULT_TAG not in vm.tags: | |||
| raise Exception | |||
There was a problem hiding this comment.
Can we have an error message here?
| flake8: ## Validate PEP8 compliance for Python source files | ||
| poetry run flake8 | ||
| .PHONY: ruff | ||
| ruff: ## Fix Python source code formatting with ruff |
There was a problem hiding this comment.
Can we either call this fix or alias that to this? In the spirit of freedomofpress/securedrop-tooling#11.
| assert contents == current_time | ||
| with open(flag_file_dom0) as f: | ||
| contents = f.read() | ||
| assert contents == current_time |
There was a problem hiding this comment.
the assert can happen outside the with statement
| # Figure out how much each completed VM should bump the progress bar. | ||
| assert progress_end > progress_start | ||
| if progress_end <= progress_start: | ||
| raise Exception |
There was a problem hiding this comment.
same, can we have an error message here?
| @@ -361,12 +352,12 @@ def overall_update_status(results): | |||
|
|
|||
| if updates_failed: | |||
| return UpdateStatus.UPDATES_FAILED | |||
| elif reboot_required: | |||
| if reboot_required: | |||
There was a problem hiding this comment.
Can we re-run the automated fixes now that those rules are suppressed? i.e. back out these changes here and elsewhere
Status
Ready for review
Description of Changes
Fixes #1022.
This replaces flake8, bandit, black, and isort with ruff!
Many of the things that ruff flagged were
assertstatements invalidate_config.py, and I already fixed those in #1025. So rather than fixing them again here, I merged that branch into this branch. So please review and merge #1025 first.I started copying the ruff config from freedomofpress/securedrop-client#1885, but then I paired it down to only include what's needed for this repo.
I added
S108(probably insecure usage of /tmp) to the ignore list, as it was being triggered just on this code insdw_updater/Updater.py:I also added a per-file-ignore for
SIM115(use context handler for opening files) forsdw_util/Util.pyspecifically for theobtain_lockandcan_obtain_lockfunctions. This check wants you to open files using thewithstatement so they automatically close, but in this case these functions open files and then return the file handle. So I think making an exception is fine.Though I did notice a potential small bug. In
can_obtain_lock, the lock file is opened temporarily, just to see if it can be opened, but I don't think it's ever closed since it returns a bool instead of the file handle -- though maybe this is fine and I just don't understand howfcntl.lockfworks: