Browse Source

build: don't allow setuptools to sneakily install build-time deps

see https://pip.pypa.io/en/stable/reference/pip_install/#controlling-setup-requires
> Setuptools offers the setup_requires setup() keyword for specifying
> dependencies that need to be present in order for the setup.py
> script to run. Internally, Setuptools uses easy_install to
> fulfill these dependencies.
> pip has no way to control how these dependencies are located.
> None of the package index options have an effect.

With these changes, we will now instead hard fail if this were to happen.

related: https://github.com/spesmilo/electrum/issues/5859#issuecomment-743621898
patch-4
SomberNight 4 years ago
parent
commit
19f806ddf4
No known key found for this signature in database GPG Key ID: B33B5F232C6271E9
  1. 2
      contrib/build-linux/appimage/build.sh
  2. 2
      contrib/build-linux/sdist/build.sh
  3. 2
      contrib/build-wine/prepare-wine.sh
  4. 22
      contrib/build_tools_util.sh
  5. 2
      contrib/osx/make_osx
  6. 6
      setup.cfg

2
contrib/build-linux/appimage/build.sh

@ -94,6 +94,8 @@ python='appdir_python'
info "installing pip." info "installing pip."
"$python" -m ensurepip "$python" -m ensurepip
break_legacy_easy_install
info "preparing electrum-locale." info "preparing electrum-locale."
( (

2
contrib/build-linux/sdist/build.sh

@ -12,6 +12,8 @@ DISTDIR="$PROJECT_ROOT/dist"
# note that at least py3.7 is needed, to have https://bugs.python.org/issue30693 # note that at least py3.7 is needed, to have https://bugs.python.org/issue30693
python3 --version || fail "python interpreter not found" python3 --version || fail "python interpreter not found"
break_legacy_easy_install
# upgrade to modern pip so that it knows the flags we need. # upgrade to modern pip so that it knows the flags we need.
# we will then install a pinned version of pip as part of requirements-build-sdist # we will then install a pinned version of pip as part of requirements-build-sdist
python3 -m pip install --upgrade pip python3 -m pip install --upgrade pip

2
contrib/build-wine/prepare-wine.sh

@ -60,6 +60,8 @@ for msifile in core dev exe lib pip tools; do
wine msiexec /i "$PYTHON_DOWNLOADS/${msifile}.msi" /qb TARGETDIR=$PYHOME wine msiexec /i "$PYTHON_DOWNLOADS/${msifile}.msi" /qb TARGETDIR=$PYHOME
done done
break_legacy_easy_install
info "Installing build dependencies." info "Installing build dependencies."
$PYTHON -m pip install --no-dependencies --no-warn-script-location -r "$CONTRIB"/deterministic-build/requirements-build-wine.txt $PYTHON -m pip install --no-dependencies --no-warn-script-location -r "$CONTRIB"/deterministic-build/requirements-build-wine.txt

22
contrib/build_tools_util.sh

@ -129,3 +129,25 @@ fi
export GCC_STRIP_BINARIES="${GCC_STRIP_BINARIES:-0}" export GCC_STRIP_BINARIES="${GCC_STRIP_BINARIES:-0}"
function break_legacy_easy_install() {
# We don't want setuptools sneakily installing dependencies, invisible to pip.
# This ensures that if setuptools calls distutils which then calls easy_install,
# easy_install will not download packages over the network.
# see https://pip.pypa.io/en/stable/reference/pip_install/#controlling-setup-requires
# see https://github.com/pypa/setuptools/issues/1916#issuecomment-743350566
info "Intentionally breaking legacy easy_install."
DISTUTILS_CFG="${HOME}/.pydistutils.cfg"
DISTUTILS_CFG_BAK="${HOME}/.pydistutils.cfg.orig"
# If we are not inside docker, we might be overwriting a config file on the user's system...
if [ -e "$DISTUTILS_CFG" ] && [ ! -e "$DISTUTILS_CFG_BAK" ]; then
warn "Overwriting python distutils config file at '$DISTUTILS_CFG'. A copy will be saved at '$DISTUTILS_CFG_BAK'."
mv "$DISTUTILS_CFG" "$DISTUTILS_CFG_BAK"
fi
cat <<EOF > "$DISTUTILS_CFG"
[easy_install]
index_url = ''
find_links = ''
EOF
}

2
contrib/osx/make_osx

@ -72,6 +72,8 @@ PYTHON_CONFIGURE_OPTS="--enable-framework" pyenv install -s $PYTHON_VERSION && \
pyenv global $PYTHON_VERSION || \ pyenv global $PYTHON_VERSION || \
fail "Unable to use Python $PYTHON_VERSION" fail "Unable to use Python $PYTHON_VERSION"
break_legacy_easy_install
# create a fresh virtualenv # create a fresh virtualenv
# This helps to avoid older versions of pip-installed dependencies interfering with the build. # This helps to avoid older versions of pip-installed dependencies interfering with the build.
VENV_DIR="$CONTRIB_OSX/build-venv" VENV_DIR="$CONTRIB_OSX/build-venv"

6
setup.cfg

@ -0,0 +1,6 @@
[easy_install]
# We don't want setuptools sneakily installing dependencies, invisible to pip.
# see https://pip.pypa.io/en/stable/reference/pip_install/#controlling-setup-requires
# see https://github.com/pypa/setuptools/issues/1916#issuecomment-743350566
index_url = ''
find_links = ''
Loading…
Cancel
Save