From 3196f8f1a1350d2432bb7b9f1244d198d4f9b789 Mon Sep 17 00:00:00 2001
From: nd <git@notandy.de>
Date: Sun, 1 Aug 2021 15:01:47 +0200
Subject: [PATCH] add more warnings against using pip install for production
 setups

---
 README.md | 32 ++++++++++++++++++++------------
 setup.py  |  4 +++-
 2 files changed, 23 insertions(+), 13 deletions(-)

diff --git a/README.md b/README.md
index fe8a113c..8c0fd44d 100644
--- a/README.md
+++ b/README.md
@@ -1,11 +1,14 @@
-# uffd
+# Uffd
 
 This is the UserFerwaltungsFrontend.
 A web service to manage LDAP users, groups and permissions.
 
 Development chat: [#uffd-development](https://rocket.cccv.de/channel/uffd-development)
 
-## dependencies
+## Dependencies
+
+Please note that we refere to debian packages here and **not** pip packages.
+
 - python3
 - python3-ldap3
 - python3-flask
@@ -17,11 +20,9 @@ Development chat: [#uffd-development](https://rocket.cccv.de/channel/uffd-develo
 - python3-flask-babel
 
 Some of the dependencies (especially fido2 and flask-oauthlib) changed their API in recent versions, so make sure to install the versions from Debian Buster.
-You can also use virtualenv with the supplied `requirements.txt`.
+For development, you can also use virtualenv with the supplied `requirements.txt`.
 
-## development
-
-Clone this repository with the `--recurse-submodules` flag to retrieve submodule dependencies.
+## Development
 
 Before running uffd, you need to create the database with `flask db upgrade`. The database is placed in
 `instance/uffd.sqlit3`.
@@ -38,30 +39,37 @@ You can do so by setting `LDAP_SERVICE_MOCK=True` in the config.
 Afterwards you can login as a normal user with "testuser" and "userpassword", or as an admin with "testadmin" and "adminpassword".
 Please note that the mocked LDAP functionality is very limited and many uffd features do not work correctly without a real LDAP server.
 
-## deployment
+## Deployment
+
+You should absolutly never use `pip install uffd` to deploy to production. Using a pip deployment for production will result in not updated dependencies is insecure.
+Our pip dependencies are not regularly updated and neither tested. They just represent the version Debian based their packages on.
+Instead we relay on the packaged Debian python packages and security updates done by Debian.
+The pip package mainly exists for testing and as a required step to build the .deb package.
 
-Use uwsgi. Make sure to run `flask db upgrade` after every update!
+To deploy to production, use our .deb package. It uses uwsgi to run uffd and ships an `uffd-admin` to execute flask commands in the correct context.
+If you upgrade, make sure to run `flask db upgrade` after every update! The Debian package takes care of this by itself using uwsgi pre start hooks.
 For an example uwsgi config, see our [uswgi.ini](uwsgi.ini). You might find our [nginx include file](nginx.include.conf) helpful to setup a web server in front of uwsgi.
 
-## python style conventions
+## Python Coding Style Conventions
 
 PEP 8 without double new lines, tabs instead of spaces and a max line length of 160 characters.
+We ship a [pylint](https://pylint.org/) config to verify changes with.
 
-## Config
+## Configuration
 
 Uffd reads its default config from `uffd/default_config.cfg`.
 You can overwrite config variables by creating a config file in the `instance` folder.
 The file must be named `conifg.cfg` (Python syntax), `config.json` or `config.yml`/`config.yaml`.
 You can also set a custom file name with the environment variable `CONFIG_FILENAME`.
 
-## Bind with service account or as user?
+## Bind with LDAP service account or as user?
 
 Uffd can use a dedicated service account for LDAP operations by setting `LDAP_SERVICE_BIND_DN`.
 Leave that variable blank to use anonymouse bind.
 Or set `LDAP_SERVICE_USER_BIND` to use the credentials of the currently logged in user.
 
 If you choose to run with user credentials, some features are not available, like password resets
-or self signup, since in both cases, no user credentials can exist. 
+or self signup, since in both cases, no user credentials can exist.
 
 ## OAuth2 Single-Sign-On Provider
 
diff --git a/setup.py b/setup.py
index b7b1370c..9bbdc1b1 100644
--- a/setup.py
+++ b/setup.py
@@ -3,6 +3,7 @@ import os
 
 with open('README.md', 'r', encoding='utf-8') as f:
 	long_description = f.read()
+	long_description = '**DO NOT INSTALL FROM PIP FOR PRODUCTION DEPLOYMENTS**, see [Deployment](#Deployment) for more information.\n\n\n\n' + long_description
 
 setup(
 	name='uffd',
@@ -29,7 +30,8 @@ setup(
 	zip_safe=False,
 	python_requires='>=3.7',
 	install_requires=[
-		# Versions from Debian Buster
+		# Versions Debian Buster packages are based on.
+		# DO NOT USE FOR PRODUCTION, those in the setup.py are not updated regularly
 		'ldap3==2.4.1',
 		'flask==1.0.2',
 		'Flask-SQLAlchemy==2.1',
-- 
GitLab