vendoring logic subtly breaks later usage of unvendored system versions after importing pkg_resources.extern #1383
Comments
|
I believe issue #580 is related. Seems setuptools maintainers were considering switching to the pip approach regarding vendoring to fix such issues. |
|
The origin of that hack is 6a5145a. Even though I wrote that code and I've stared at it for at least 15 minutes, I don't fully understand what's going on there. It seems plausible that the hack is over-reaching and really should only be employed when there's a prefix. So let's give that patch a go. |
|
In the commit, @richard-scott reports that the patch (subtly altered) didn't fix the issue. What we could use at this point is a way to replicate the issue. Could someone devise a recipe that replicates the issue (preferably in a virtualenv and cross-platform or in a docker image). |
|
All I did was install a fresh Ubuntu server and attempt to list outdated packages: That said, I've removed the fix and the above command now works. My setup does automatically patch any pip packages on boot, so one of those may have been updated. I'm currently running pip-10.0.1, and setuptools-40.0.0. |
pganssle
added
Needs Triage
@richard-scott This might be the reason for the breakage. You need setuptools >= 40.0.0 and pip >= 19.1 to get this command working with unvendored pip. |
|
Signal boost for #2052, closed as a duplicate of this issue, which contains a lot of context and discussion. |
|
The sole replication I have for this issue is that from @richard-scott, which appears no longer to be an issue: The examples from the original post don't include prerequisite steps, so it's difficult to tell what Is this issue still present? If so, what use-cases are still degraded? |
|
This still happens when unvendoring is done, i.e. after removing My reproducer is: Unfortunately, something similar happens in polybar's sphinx logic. IIUC one |
|
Ironically, this bug is now causing 60.6.0 tests to fail: _______________________________________________________ TestDepends.testRequire _______________________________________________________
[gw10] linux -- Python 3.9.10 /tmp/portage/dev-python/setuptools-60.6.0/work/setuptools-60.6.0-pypy3/install/usr/bin/pypy3
self = <setuptools.tests.test_setuptools.TestDepends object at 0x000055ee2b945d70>
@needs_bytecode
def testRequire(self):
req = Require('Json', '1.0.3', 'json')
assert req.name == 'Json'
assert req.module == 'json'
> assert req.requested_version == version.Version('1.0.3')
E AssertionError: assert <Version('1.0.3')> == <Version('1.0.3')>
E +<Version('1.0.3')>
E -<Version('1.0.3')>
req = <setuptools.depends.Require object at 0x000055ee2ea540c8>
self = <setuptools.tests.test_setuptools.TestDepends object at 0x000055ee2b945d70>
/tmp/portage/dev-python/setuptools-60.6.0/work/setuptools-60.6.0/setuptools/tests/test_setuptools.py:94: AssertionError
|
|
If anyone else's still looking for a "good enough" hack, I've ended up taking unbundling one step further and removing |
The CI runs of sherpa#1752 after pulling in this branch sherpa#1753 started to fail because of a warning message that I could not replicate. A search lead to this set of issues - pypa/setuptools#2104 - pypa/setuptools#2052 - pypa/setuptools#1383 which suggests there's a subtle interaction between pip and setuptools that we are falling over. As we currently have setuptools pinned to < 60, whilst the distutils changes coming in Python 3.12 work through the ecosystem, the OTS code we run is likely to hit this issue (i.e. nothing we can fix) so we can just skip the warnings. Hopefully we can remove these additions soon.
In theory, if pkg_resources.extern is devendored, it should defer to the system installation of e.g. packaging, which means that:
It would be expected that I could then compare the results, since they're the same thing.
Oops?
For comparison, this works fine when using the similarly devendored pip.
Note that pkg_resources must not be devendored from pip, or else it must be deleted from vendor/__init__.py, since otherwise it will be automatically imported. Even importing pkg_resources causes pip to fail as well.
vs.
pypa/pip#5429 (comment) suggested the problem is deleting the global module unconditionally, whenever something vendored is in use. This strikes me as incredibly dangerous.
The text was updated successfully, but these errors were encountered: