Disallow execution of setup.py when "pip download --no-deps someproject" #7325

Closed
wimglenn opened this issue Nov 9, 2019 · 4 comments
Labels
auto-locked Outdated issues that have been locked by automation resolution: duplicate Duplicate of an existing issue/PR type: enhancement Improvements to functionality

Comments

@wimglenn
Contributor

wimglenn commented Nov 9, 2019

There appears to be no way to download an sdist without eagerly executing the setup.py file. It would be nice to have a "pip download" command that can take advantage of pip's caching layer, custom index config, handling of requirement specifiers and/or environment markers, without accidentally running Python code that could mistakenly think it is going through an installation, may crash due to missing build dependencies, or may even contain malicious code.

pip download --no-deps issue7325 could just fetch the issue7325-0.1.tar.gz file to the current working directory; there's no need to run the egg_info command, since pip doesn't use the egg_info for anything as far as I can tell.

An example sdist to reproduce the issue:

$ pip download --no-deps issue7325
Collecting issue7325
  Downloading https://files.pythonhosted.org/packages/c0/51/bd28cda650e3f0123ea82936f96b3fd28da90ec8b2af89a9029e25768647/issue7325-0.1.tar.gz
  Saved ./issue7325-0.1.tar.gz
    ERROR: Command errored out with exit status 1:
     command: /usr/local/opt/python/bin/python3.7 -c 'import sys, setuptools, tokenize; sys.argv[0] = '"'"'/private/var/folders/ff/fytd5w312lbddqk02qcb7spr0000gn/T/pip-download-zcy4vtvf/issue7325/setup.py'"'"'; __file__='"'"'/private/var/folders/ff/fytd5w312lbddqk02qcb7spr0000gn/T/pip-download-zcy4vtvf/issue7325/setup.py'"'"';f=getattr(tokenize, '"'"'open'"'"', open)(__file__);code=f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, __file__, '"'"'exec'"'"'))' egg_info --egg-base /private/var/folders/ff/fytd5w312lbddqk02qcb7spr0000gn/T/pip-download-zcy4vtvf/issue7325/pip-egg-info
         cwd: /private/var/folders/ff/fytd5w312lbddqk02qcb7spr0000gn/T/pip-download-zcy4vtvf/issue7325/
    Complete output (2 lines):
    setup.py is executing
    setup.py was executed :(
    ----------------------------------------
ERROR: Command errored out with exit status 1: python setup.py egg_info Check the logs for full command output.
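The output above shows pip running "setup.py egg_info" just to obtain metadata for a package it is only downloading. The script below is an added example, not code from the pip project or from the issue author: it builds a constructed sdist in memory whose setup.py has a visible side effect (a marker file), then reads the static PKG-INFO that sits at the root of every sdist to recover name, version and Requires-Dist without executing anything from the archive. It also refuses archives whose members would escape the extraction directory, since a downloader that unpacks sdists has to guard against that even when it never runs setup.py. The project name issue7325, the marker file name, the PKG-INFO fields and the traversal member are all constructed for the example.

```python
"""Read sdist metadata without executing setup.py (added example)."""
import io
import os
import posixpath
import tarfile
from email.parser import HeaderParser

# Constructed sample sdist for the hypothetical project "issue7325".
SETUP_PY = b"""
import pathlib
# Side effect that a plain download must never trigger (constructed).
pathlib.Path("setup_was_executed").write_text("owned")
from setuptools import setup
setup(name="issue7325", version="0.1")
"""

PKG_INFO = b"""\
Metadata-Version: 2.1
Name: issue7325
Version: 0.1
Summary: sdist whose setup.py has side effects (constructed)
Requires-Dist: requests>=2.0
Requires-Dist: colorama; sys_platform == "win32"
"""


def build_sdist(root="issue7325-0.1", extra=None):
    """Return the bytes of a .tar.gz sdist holding setup.py and PKG-INFO.

    'extra' maps additional member names to bytes; the test uses it to
    smuggle a path-traversal entry into an otherwise valid archive.
    """
    files = {f"{root}/setup.py": SETUP_PY, f"{root}/PKG-INFO": PKG_INFO}
    files.update(extra or {})
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def _is_safe_member(info):
    """Reject absolute paths, '..' traversal, links and device nodes."""
    name = posixpath.normpath(info.name)
    if name.startswith("/") or name == ".." or name.startswith("../"):
        return False
    return info.isfile() or info.isdir()


def unsafe_members(sdist_bytes):
    """Return the names of members that must not be extracted."""
    with tarfile.open(fileobj=io.BytesIO(sdist_bytes), mode="r:gz") as tar:
        return [m.name for m in tar.getmembers() if not _is_safe_member(m)]


def read_sdist_metadata(sdist_bytes):
    """Parse <root>/PKG-INFO from an sdist without running any of its code.

    Returns {"name", "version", "requires_dist"}; raises ValueError when
    the archive has unsafe members or does not carry exactly one root
    PKG-INFO. setup.py is never opened, let alone executed.
    """
    bad = unsafe_members(sdist_bytes)
    if bad:
        raise ValueError(f"unsafe members in sdist: {bad!r}")
    with tarfile.open(fileobj=io.BytesIO(sdist_bytes), mode="r:gz") as tar:
        # PKG-INFO must sit directly under the single top-level directory.
        roots = [m for m in tar.getmembers()
                 if m.isfile() and m.name.count("/") == 1
                 and m.name.endswith("/PKG-INFO")]
        if len(roots) != 1:
            raise ValueError("sdist does not carry exactly one root PKG-INFO")
        raw = tar.extractfile(roots[0]).read().decode("utf-8")
    msg = HeaderParser().parsestr(raw)
    return {
        "name": msg["Name"],
        "version": msg["Version"],
        "requires_dist": msg.get_all("Requires-Dist") or [],
    }


def setup_py_was_executed(marker="setup_was_executed"):
    """True only if the constructed setup.py's side effect fired."""
    return os.path.exists(marker)


if __name__ == "__main__":
    print(read_sdist_metadata(build_sdist()))
    print("setup.py executed:", setup_py_was_executed())
```

Requires-Dist in PKG-INFO is only trustworthy when the sdist was produced with Metadata-Version 2.1 or later and the project declares static requirements; for older or dynamic metadata the field may be missing, which is exactly the case where pip falls back to running egg_info, and why a "download only" mode has to accept that it sometimes cannot resolve dependencies without building.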
@chrahunt
Member

This looks the same as #1884, do you want to take the discussion over there?

@wimglenn
Contributor Author

Ouch, open since 2014 ...
Some info seems outdated; is pip install --download just an older spelling of pip download?

@chrahunt
Member

Yes, I updated the title so hopefully it's easier to find.

@pradyunsg
Member

Closing in favor of #1884. Thanks for filing this @wimglenn! :)
