-
Notifications
You must be signed in to change notification settings - Fork 3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Is it safe to pin setuptools/distribute/pip in requirements.txt? #6459
Comments
The pinning issue aside, why is a Markdown module depending on setuptools in the first place? :( |
Python-Markdown requires pytest requires I don't know that either of those reasons was necessary, but are they a problem? It seems better to tell package authors "go ahead and depend on features of a minimum setuptools if you want to," rather than "be sure to support all versions of setuptools in use" -- otherwise new features of setuptools will take many years to be usable. But if package authors are allowed to set minimum setuptools versions, then it also seems better (safer?) to pin that version in a requirements.txt file rather than letting each deployment end up with a different version. |
I’d say there are better ways to do what the packages want to do. Maybe conceptually there is a case pip should handle itself (and setuptools) more gracefully in hash mode, or maybe pip-tools should allow pip/setuptools to be locked, that’s up for discussion. These particular usages do no make a strong case, however, IMHO. |
The pytest usecase is pretty reasonable, isn't it? setuptools introduced an updated config file format and they want to use it -- that seems OK. I poked around a bit more via a Google search on github. Some other popular packages setting minimum setuptools versions: kubernetes-client requires setuptools>=21.0.0; ipython requires setuptools>=18.5 I'm not sure it really matters how good the reasons are, does it? It's valid syntax; it's harmless, as far as anyone knows; it presumably solved a problem when introduced; and it's used in popular packages. Trying to convince package authors to never use it seems like a harder approach than tweaking pip-tools to handle it -- unless for some reason that wouldn't work. |
I believe |
But regardless of whether Pytest can do better, I believe setuptools should be able to be pinned, since it does have a Python API ( |
…ying when deploying. see pypa/pip#4995 or pypa/pip#6459
The flag is needed to create hash-pinned requirements for pip and setup-tools. Find more information about this at these issues from [pip-tools](jazzband/pip-tools#806) and from [pip](pypa/pip#6459). Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
) * ci: Update GitHub owned actions to be referenced by SHA. Work automated using StepSecurity Signed-off-by: StepSecurity Bot <bot@stepsecurity.io> * ci: create hash-pinned requirements files for build and publish processes Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com> * ci: change ci files to install build and publish dependencies using hashes Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com> * ci: fix path to requirements files Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com> * ci: rebuild the requirement.txt files using `--allow-unsafe` The flag is needed to create hash-pinned requirements for pip and setup-tools. Find more information about this at these issues from [pip-tools](jazzband/pip-tools#806) and from [pip](pypa/pip#6459). Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com> * refactor(workflows): move build requirements files to a separated folder Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com> * fix(workflow): requirements download was erasing work from previous steps Using the actions/checkout to download the requirements.txt was erasing some necessary files that came from previous steps. Thus, this commit changes moves the checkout action to the beginnig of the jobs. Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com> * ci: remove reference to inexistent input in pypi-publish.yml * docs(workflows): remove comment related to a line already delated from code Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com> * refactor(workflows): use a workflow-level env var to define path to build requirements file Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com> * fix(workflows): refer to env vars using ${{ }} sintax Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com> * refactor(workflows): move build and publish requirements files Moved from .github/workflows/requirements/ to .github/requirements/ Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com> * docs(workflows): add comments on requirements files explaining their relation Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com> * ci(workflows): update build dependencies to match exactly the ones at pyproject.toml Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com> * ci: remove unnecessary parameter When calling actions/checkout , we were passing the `ref` parameter as `github.ref`, but it will likely be always main, or the vary same value as the default for this parameter. * Update dependabot config to cover build/publish dependencies --------- Signed-off-by: StepSecurity Bot <bot@stepsecurity.io> Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com> Co-authored-by: StepSecurity Bot <bot@stepsecurity.io>
…is unsafe for uknown reasons, pypa/pip#6459
pip 19.1
Python 3.5.3
macOS 10.14.4
As documented in this issue over at pip-tools, if you install packages like
pytest
orMarkdown
with--require-hashes
you have to pin a specific version ofsetuptools
as well, because it's included in their dependencies:The pip-tools project does not pin setuptools without the scary-sounding
--allow-unsafe
flag, because "it may cause conflicts with pip itself". But the maintainers don't currently have a failing test case or know what the conflict would be. It also appears that setuptools was vendored by pip at some point, which might have changed the equation.Can anyone on the pip side clarify under what circumstances it might be safe or unsafe to pin setuptools, and thus what the correct behavior would be for
pip-compile --generate-hashes
in the linked bug? To promote the use of --require-hashes, it would be great to either narrow pip-compile's definition of "unsafe", or provide clearer instructions about how to handle the unsafety when needed.The other two packages on pip-compile's "unsafe" list are
distribute
andpip
itself, so I guess the same question applies to those as well -- are there any risks as far aspip
is concerned to pinning them if necessary to satisfy--require-hashes
?Thanks!
The text was updated successfully, but these errors were encountered: