Gallopsled / pwntools

CTF framework and exploit development library
http://pwntools.com

installing pwntools pollutes /usr/local/bin #2361

Open tkmikan opened 4 months ago

tkmikan commented 4 months ago

For a long time, installing pwntools has created console scripts for all files under pwnlib/commandline in /usr/local/bin (or another equivalent path).

(Dry-)Running pip uninstall pwntools will show the files it creates, including

asm,checksec,common,constgrep,cyclic,debug,disablenx,disasm,elfdiff,elfpatch,errno,hex,libcdb,main,phd,pwn,pwnstrip,scramble,shellcraft,template,unhex,update,version

As commands accessible globally in PATH,

These commands can actually be invoked as pwn subcommand. Also, the usage help always prepends pwn before the actual script name.

Although there is a flag --only-use-pwn-command, I believe few people know it and use it.

peace-maker commented 4 months ago

Do you suggest something or just document the current behaviour? Do you want to toggle the default and not create scripts by default? Or only for a few commands?

I agree "update" and "template" are very generic indeed.

We can filter some weird ones out? https://github.com/Gallopsled/pwntools/blob/dev/setup.py#L34

tkmikan commented 4 months ago

main and common should be removed. As for other "weird ones", IMHO we should avoid installing the scripts debug, template, update and version. Others may need some discussion.

I do not have a preference about the default behavior (the flag), but the bash/zsh completion currently only works under the pwn subcommand.

Finally, we should update the doc https://github.com/Gallopsled/pwntools/blob/dev/docs/source/install.rst#command-line-tools

tkmikan commented 4 months ago

And it seems installing pwntools through Homebrew does not have a chance to set --only-use-pwn-command

peace-maker commented 4 months ago

Would you mind proposing a pull request please? I don't own a Mac so can't tell for the homebrew install too.

tkmikan commented 4 months ago

According to #660, the original plan was to use a single entry point, which I am in favour of. But #701 only added the pwn entry and did not remove the aliases, to keep backward compatibility. (The pip install --install-option='--only-use-pwn-command' is now pip install --config-setting="--build-option=--only-use-pwn-command")

Removing scripts in setup.py will take effect at the next upgrade. So we need a deprecation before actually removing them, in case there are shortcut users.

The two steps:

  1. remove weird ones; deprecate directly invoking the others
  2. remove all entries except pwn

tkmikan commented 4 months ago

About distro actions:

By the way, there is checksec for checksec, moreutils for errno.

gsingh93 commented 3 months ago

pip install --config-setting="--build-option=--only-use-pwn-command"

@tkmikan does this command work for you? I still get all of the CLI binaries installed. According to this [1], maybe it actually shouldn't work with install? Hoping to get rid of these annoying CLI binaries except pwn until this issue gets fully fixed.

[1] https://discuss.python.org/t/passing-command-line-arguments-to-pip-install-after-install-options-deprecation/22981/5
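
A way to check what the thread describes on a given machine, added here as an example and not part of the original thread or of pwntools: it walks PATH for each script name listed in the issue and reports where the command that actually runs hides another executable of the same name (for example a distro `checksec` or the moreutils `errno`). The function names and the python-shebang heuristic are assumptions of this example.

```python
import os

# Script names quoted in the issue as installed by pwntools.
PWNTOOLS_SCRIPTS = (
    "asm,checksec,common,constgrep,cyclic,debug,disablenx,disasm,elfdiff,"
    "elfpatch,errno,hex,libcdb,main,phd,pwn,pwnstrip,scramble,shellcraft,"
    "template,unhex,update,version"
).split(",")


def find_on_path(name, path_dirs):
    """Return every distinct executable called `name`, in PATH lookup order."""
    hits, seen = [], set()
    for directory in path_dirs:
        candidate = os.path.join(directory or ".", name)  # empty entry = cwd
        if not (os.path.isfile(candidate) and os.access(candidate, os.X_OK)):
            continue
        real = os.path.realpath(candidate)
        if real not in seen:  # /bin -> /usr/bin style symlinks are one file
            seen.add(real)
            hits.append(candidate)
    return hits


def is_python_script(path):
    """Heuristic (assumption): pip console scripts start with a python shebang."""
    try:
        with open(path, "rb") as handle:
            first = handle.readline(256)
    except OSError:
        return False
    return first.startswith(b"#!") and b"python" in first


def audit(names, path_dirs):
    """Report names where the command that runs hides another executable."""
    report = {}
    for name in names:
        hits = find_on_path(name, path_dirs)
        if len(hits) > 1:
            report[name] = {"runs": hits[0], "shadowed": hits[1:],
                            "python_script": is_python_script(hits[0])}
    return report


if __name__ == "__main__":
    dirs = os.environ.get("PATH", "").split(os.pathsep)
    for name, info in sorted(audit(PWNTOOLS_SCRIPTS, dirs).items()):
        kind = "python script" if info["python_script"] else "other"
        print(f"{name}: {info['runs']} ({kind}) hides {info['shadowed']}")
```

Run directly, it prints one line per shadowed command on the current PATH; an empty output means none of the listed names collides with another executable.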