pwntools icon indicating copy to clipboard operation
pwntools copied to clipboard
verified publisher icon Gallopsled

installing pwntools pollutes /usr/local/bin

Open tkmikan opened this issue 1 year ago • 7 comments

For a long time, installing pwntools will create console scripts for all files under pwnlib/commandline to /usr/local/bin (or other equivalent path).

(Dry-)Running pip uninstall pwntools will show the files it creates, including

asm,checksec,common,constgrep,cyclic,debug,disablenx,disasm,elfdiff,elfpatch,errno,hex,libcdb,main,phd,pwn,pwnstrip,scramble,shellcraft,template,unhex,update,version

As command accessible globally in PATH,

  • some are meaningful and seem reasonable (e.g. checksec hex)
  • some are confusing (e.g. debug template update version)
  • main and common is not a command at all.

These commands can actually be invoked pwn subcommand. And, the usage help always prepend pwn before the actual script name.

Although there is a flag --only-use-pwn-command, I believe few people know it and use it.

tkmikan avatar Mar 01 '24 14:03 tkmikan

Do you suggest something or just document the current behaviour? Do you want to toggle the default and not create scripts by default? Or only for a few commands?

I agree "update" and "template" are very generic indeed.

We can filter some weird ones out? https://github.com/Gallopsled/pwntools/blob/dev/setup.py#L34

peace-maker avatar Mar 01 '24 18:03 peace-maker

main and common should be removed. As for other "weird ones", IMHO we should avoid installing scripts debug template update version. Others may need some discussion.

I do not have a preference about the default behavior (the flag), but, the bash/zsh completion currently only works under pwn subcommand.

Finally, we should update the doc https://github.com/Gallopsled/pwntools/blob/dev/docs/source/install.rst#command-line-tools

tkmikan avatar Mar 02 '24 04:03 tkmikan

And it seems installing pwntools through homebrew do not have chance to set --only-use-pwn-command

tkmikan avatar Mar 08 '24 03:03 tkmikan

Would you mind proposing a pull request please? I don't own a Mac so can't tell for the homebrew install too.

peace-maker avatar Mar 08 '24 08:03 peace-maker

According to #660, the original plan was to use a single entry point, which is in my favour. But #701 only added the pwn entry and did not remove the aliases, to keep backward compatibility. (The pip install --install-option='--only-use-pwn-command' now is pip install --config-setting="--build-option=--only-use-pwn-command")

Removing scripts in setup.py will take effect at next upgradation. So we need deprecation before actually removing them, in case there are shortcut users.

The two steps:

  1. remove weird ones; deprecate direct invoking the others
  2. remove all entries except pwn

tkmikan avatar Mar 10 '24 13:03 tkmikan

about distro actions:

  • AUR: manually delete everything except pwn ref
  • Debian (Kali): remove the scripts with patch. ref1 and ref2
  • Gentoo: use --only-use-pwn-command ref
  • Pentoo: Perhaps same as gentoo?

By the way, there is checksec for checksec, moreutils for errno.

tkmikan avatar Mar 20 '24 07:03 tkmikan

pip install --config-setting="--build-option=--only-use-pwn-command"

@tkmikan does this command work for you? I still get all of the CLI binaries installed. According to this [1], maybe it actually shouldn't work with install? Hoping to get rid of these annoying CLI binaries except pwn until this issue gets fully fixed.

[1] https://discuss.python.org/t/passing-command-line-arguments-to-pip-install-after-install-options-deprecation/22981/5

gsingh93 avatar Apr 21 '24 23:04 gsingh93