PyFilesystem / pyfilesystem2

Python's Filesystem abstraction layer

Home Page: https://www.pyfilesystem.org


Setuptools "unsafe" as install dependency

prescod opened this issue · comments

I'm working near the limits of my knowledge of Python packaging so please be patient.

If I build a project based on "fs", and have "fs" in my "prod.in" file, pip-tools will complain when I try to generate requirements.txt.

# The following packages are considered to be unsafe in a requirements file:

I can also reproduce this by running pip-compile in the setuptools root directory itself.

The exact reason that this is considered unsafe is slightly unclear, but there is also a CVE that mentions setuptools. That causes my company's scanning tools to also complain about setuptools due to the complaint called sonatype-2014-0148. Which is more or less this issue:

pypa/setuptools#227

Which was never resolved to Sonatype's satisfaction.

Typically, Setuptools is not an install-time requirement of Python packages. Is there a reason it must be an install-time requirement for 'fs'?

Installation, no, but setup, yes. You need something like setuptools or poetry to read setup.cfg to get out the installation requirements, unpack metadata, etc.

@willmcgugan or @althonos considering how long ago setuptools 38.3.0 was released (January 2018) we can probably remove that constraint in the setup.cfg file, and that may fix the issue.

Oh I definitely did not see it in the install_requires part. Sorry about that.

This is just a guess, but perhaps it's related to this? 🤷

Basically, the reason it appears twice is because we need it on both stages:

  • when building the wheel, you need setuptools >=38 because it's the minimum version that supports reading metadata from setup.cfg files.
  • when using the library, because the extensions (fs.sshfs, etc.) are loaded as entry points. This part could be replaced by a more up-to-date solution like importlib.metadata I guess.

I'm feeling like this shouldn't be a security issue because we specify a minimum version, not a mandatory one. Sure, the minimum one has a CVE, but you should use the latest setuptools available for the Python version you're using I suppose.
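The comment above mentions replacing the runtime `pkg_resources` entry-point lookup with `importlib.metadata`, which is what would let `setuptools` drop out of `install_requires` while staying a build-time requirement. The block below is an added example, not pyfilesystem's own code: it shows a version-tolerant `importlib.metadata` lookup for an entry-point group and loads each extension in isolation so one broken plugin does not break discovery. The group name `demo.openers` and the `EntryPoint` objects in `SAMPLE_ENTRY_POINTS` are constructed for illustration and are not real registrations.

```python
"""Load extension entry points with importlib.metadata (stdlib, Python 3.8+)
instead of pkg_resources, so setuptools is not needed at runtime."""
import sys
from importlib.metadata import EntryPoint, entry_points
from typing import Dict, Iterable, Optional


def discover(group: str) -> Iterable[EntryPoint]:
    """Return the installed entry points registered under `group`.

    entry_points() returned a dict in 3.8/3.9 and a selectable
    collection from 3.10 on; handle both shapes.
    """
    eps = entry_points()
    if hasattr(eps, "select"):
        return eps.select(group=group)
    return eps.get(group, [])


def load_extensions(group: str,
                    candidates: Optional[Iterable[EntryPoint]] = None
                    ) -> Dict[str, object]:
    """Resolve every entry point in `group` to the object it names.

    `candidates` lets a caller (or a test) supply entry points explicitly;
    by default the installed distributions are scanned. Entry points from
    other groups are ignored, and a plugin whose import fails is skipped
    rather than aborting the whole lookup. Note that ep.load() imports
    arbitrary code from whatever is installed in the environment, exactly
    as pkg_resources did; this does not make untrusted packages safe.
    """
    if candidates is None:
        candidates = discover(group)
    loaded: Dict[str, object] = {}
    for ep in candidates:
        if ep.group != group:
            continue
        try:
            loaded[ep.name] = ep.load()
        except Exception as exc:  # ImportError, AttributeError, plugin bugs
            print(f"skipping entry point {ep.name!r}: {exc!r}", file=sys.stderr)
    return loaded


# Constructed sample registrations (hypothetical group and names):
# one resolvable stdlib target, one pointing at a module that does not
# exist, and one that belongs to a different group.
SAMPLE_ENTRY_POINTS = [
    EntryPoint(name="json", value="json:dumps", group="demo.openers"),
    EntryPoint(name="broken", value="no_such_module_xyz:open_fs",
               group="demo.openers"),
    EntryPoint(name="other", value="json:loads", group="other.group"),
]


def demo() -> Dict[str, object]:
    """Run the loader over the constructed sample; only 'json' survives."""
    return load_extensions("demo.openers", SAMPLE_ENTRY_POINTS)


if __name__ == "__main__":
    for name, obj in demo().items():
        print(f"{name} -> {obj.__module__}.{obj.__name__}")
```

Calling `load_extensions("fs.opener")` with no second argument scans the real environment; the explicit-candidates path exists so the loader can be unit-tested without installing anything.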