Anybody using the old waf?

James Browning jamesb192 at jamesb192.com
Fri Mar 28 20:09:49 UTC 2025 

On Thursday, March 27, 2025 9:29:33 PM Pacific Daylight Time Fred Wright via 
devel wrote:
> On Fri, 28 Mar 2025, Matt Selsky wrote:
> > On Thu, Mar 27, 2025 at 02:48:54PM -0700, Fred Wright via devel wrote:
> >> I've confirmed that it works with Python 2.7, including building the
> >> extension.  That means that shebanging it to 'python3' is inappropriate,
> >> unless there are systems with a 'python3' command and no 'python'
> >> command.
> > 
> > Hi Fred,
> > 
> > There are definitely systems with python3 and no python. Eg, Debian 12 for
> > example.
> > 
> > What specifically is currently shebanged to python3 and maybe needs to be
> > changed?
> I'm referring to waf.  It's easily worked around, though technically not
> having a 'python' command is a bug, since code that works with both Python
> 2 and Python 3 is supposed to use the more generic 'python' in the shebang
> line.  The absence of Python 2 doesn't change that.

It breaks the embedded signature few people check.

```
$ wget https://gitlab.com/ita1024/waf/raw/master/utils/verify-sig.py
Saving 'verify-sig.py'
HTTP response 200  [https://gitlab.com/ita1024/waf/raw/master/utils/verify-sig.py]
verify-sig.py        100% [============================>]    1.27K    --.-KB/s
                          [Files: 1  Bytes: 1.27K [1.54KB/s] Redirects: 0  
Todo: 0  Errors: 0  ]
$ gpg --receive-keys 8C7EB2F93B0C45F5732FE5D11BAC571DCD772295
gpg: key 1BAC571DCD772295: public key "Waf Project <noreply at waf.io>" imported
gpg: Total number processed: 1
gpg:               imported: 1
$ python ./verify-sig.py
-> 'gpg --verify waf-sig.asc'
gpg: assuming signed data in 'waf-sig'
gpg: Signature made Tue 12 Nov 2024 11:09:43 AM PST
gpg:                using RSA key 8C7EB2F93B0C45F5732FE5D11BAC571DCD772295
gpg: Good signature from "Waf Project <noreply at waf.io>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 8C7E B2F9 3B0C 45F5 732F  E5D1 1BAC 571D CD77 2295
$ sed "1s/3$//" -i waf
$ python ./verify-sig.py
-> 'gpg --verify waf-sig.asc'
gpg: assuming signed data in 'waf-sig'
gpg: Signature made Tue 12 Nov 2024 11:09:43 AM PST
gpg:                using RSA key 8C7EB2F93B0C45F5732FE5D11BAC571DCD772295
gpg: BAD signature from "Waf Project <noreply at waf.io>" [unknown]
```

More information about the devel mailing list