Setuptools "unsafe" as install dependency
prescod opened this issue
I'm working near the limits of my knowledge of Python packaging so please be patient.
If I build a project based on "fs", and have "fs" in my "prod.in" file, pip-tools will complain when I try to generate requirements.txt.
# The following packages are considered to be unsafe in a requirements file:
I can also reproduce this by running pip-compile in the setuptools root directory itself.
The exact reason that this is considered unsafe is slightly unclear, but there is also a CVE that mentions setuptools. That causes my company's scanning tools to also complain about setuptools due to the complaint called sonatype-2014-0148. Which is more or less this issue:
Which was never resolved to Sonatype's satisfaction.
Typically, Setuptools is not an install-time requirement of Python packages. Is there a reason it must be an install-time requirement for 'fs'?
Installation, no, but setup, yes. You need something like setuptools or poetry to read setup.cfg to get out the installation requirements, unpack metadata, etc.
@willmcgugan or @althonos considering how long ago setuptools 38.3.0 was released (January 2018) we can probably remove that constraint in the setup.cfg file, and that may fix the issue.
Setuptools is listed in setup.cfg twice:
https://github.com/PyFilesystem/pyfilesystem2/blob/master/setup.cfg#L43
https://github.com/PyFilesystem/pyfilesystem2/blob/master/setup.cfg#L46
I'm proposing to delete the install_requires part.
Oh, I definitely did not see it in the install_requires part. Sorry about that.
This is just a guess, but perhaps it's related to this ? 🤷
Basically, the reason it appears twice is because we need it on both stages:
- when building the wheel, you need setuptools >=38 because it's the minimum version that supports reading metadata from setup.cfg files.
- when using the library, because the extensions (fs.sshfs, etc.) are loaded as entry points. This part could be replaced by a more up-to-date solution like importlib.metadata, I guess.
I'm feeling like this shouldn't be a security issue because we specify a minimum version, not a mandatory one. Sure, the minimum one has a CVE, but you should use the latest setuptools available for the Python version you're using, I suppose.
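The comment above mentions that the runtime use of setuptools (loading extensions as entry points) could be replaced by importlib.metadata, which would remove setuptools from install_requires entirely. The following is an added example, not code from pyfilesystem2 or from any participant in this thread: it shows the importlib.metadata-based discovery and loading of a plugin entry point. The group name "fs.opener", the function names, and the constructed entry point (which points at a stdlib function so it runs offline) are assumptions for illustration, not taken from the project's setup.cfg.

```python
"""Loading plugin entry points without a runtime dependency on setuptools.

Added example: the importlib.metadata replacement for pkg_resources-style
entry point loading. The group "fs.opener" and the sample entry point below
are assumptions for illustration only.
"""
from importlib.metadata import EntryPoint, entry_points


def discover(group):
    """Return the entry points registered under `group` by installed distributions.

    importlib.metadata.entry_points() returns a plain dict of group -> tuple on
    Python 3.8/3.9 and a selectable EntryPoints object on 3.10+; handling both
    avoids any fallback to setuptools' pkg_resources.
    """
    eps = entry_points()
    if hasattr(eps, "select"):          # Python 3.10 and later
        return list(eps.select(group=group))
    return list(eps.get(group, ()))     # Python 3.8 / 3.9


def load_opener(name, group="fs.opener", registry=None):
    """Resolve the entry point called `name` in `group` and import its target.

    `registry` lets a caller (or a test) supply entry points directly; by
    default the installed distributions are scanned with discover().
    """
    candidates = registry if registry is not None else discover(group)
    for ep in candidates:
        if ep.name == name:
            # load() imports the "module:attr" target lazily, the same way
            # pkg_resources' EntryPoint.load() did, but without setuptools.
            return ep.load()
    raise LookupError(f"no entry point {name!r} in group {group!r}")


# Constructed sample (assumption): an entry point written in the same
# "module:attribute" syntax that setup.cfg uses under [options.entry_points].
# It targets json.loads so the example runs with no plugin package installed.
SAMPLE_REGISTRY = [EntryPoint(name="demo", value="json:loads", group="fs.opener")]


if __name__ == "__main__":
    opener = load_opener("demo", registry=SAMPLE_REGISTRY)
    print(opener('{"scheme": "demo"}'))
    print("installed fs.opener entry points:", discover("fs.opener"))
```

The caveat a maintainer would weigh before making this swap: importlib.metadata only exists in the standard library from Python 3.8, so a package that still supports older interpreters would need the importlib_metadata backport (a different, much smaller dependency than setuptools) rather than simply dropping the requirement.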