Commit 4066f7f6 authored by Xavier Thompson's avatar Xavier Thompson

[feat] Prevent pip installing setup_requires

Use a special .pydistutils.cfg in a temporary HOME directory for
the duration of the pip wheel run to prevent build dependencies
specified in a setup_requires from being installed on the fly
without respecting pinned versions.
parent 085baf94
...@@ -1737,6 +1737,8 @@ def call_pip_wheel(spec, dest, options): ...@@ -1737,6 +1737,8 @@ def call_pip_wheel(spec, dest, options):
distribution specified by `spec` into `dest`. distribution specified by `spec` into `dest`.
Returns all the paths inside `dest` created by the above. Returns all the paths inside `dest` created by the above.
""" """
cleanup = []
try:
args = [sys.executable, '-m', 'pip', 'wheel', '--no-deps', '-w', dest] args = [sys.executable, '-m', 'pip', 'wheel', '--no-deps', '-w', dest]
level = logger.getEffectiveLevel() level = logger.getEffectiveLevel()
if level >= logging.INFO: if level >= logging.INFO:
...@@ -1744,8 +1746,10 @@ def call_pip_wheel(spec, dest, options): ...@@ -1744,8 +1746,10 @@ def call_pip_wheel(spec, dest, options):
else: else:
args.append('-v') args.append('-v')
# Try to prevent pip from installing build dependencies implicitly # Prevent pip from installing build dependencies on the fly
# and without respecting pinned versions, on the fly # without respecting pinned versions. This only works for
# PEP 517 specifications using pyproject.toml and not for
# dependencies in setup_requires option in legacy setup.py
if not options._allow_picked_versions: if not options._allow_picked_versions:
args.append('--no-index') args.append('--no-index')
args.append('--no-build-isolation') args.append('--no-build-isolation')
...@@ -1779,7 +1783,19 @@ def call_pip_wheel(spec, dest, options): ...@@ -1779,7 +1783,19 @@ def call_pip_wheel(spec, dest, options):
sys.stdout.flush() # We want any pending output first sys.stdout.flush() # We want any pending output first
subprocess.check_call(list(args), env=env) # Prevent setuptools from downloading and thus installing
# build dependencies specified in setup_requires option of
# legacy setup.py by providing a crafted .pydistutils.cfg.
# This is used in complement to --no-build-isolation.
if not options._allow_picked_versions:
pip_home = tempfile.mkdtemp('pip-pydistutils-home')
cleanup.append(lambda: zc.buildout.rmtree.rmtree(pip_home))
with open(os.path.join(pip_home, '.pydistutils.cfg'), 'w') as f:
f.write("[easy_install]\n"
"index_url = file:///dev/null")
env['HOME'] = pip_home
subprocess.check_call(args, env=env)
entries = os.listdir(dest) entries = os.listdir(dest)
try: try:
...@@ -1793,7 +1809,9 @@ def call_pip_wheel(spec, dest, options): ...@@ -1793,7 +1809,9 @@ def call_pip_wheel(spec, dest, options):
raise raise
return make_egg_after_pip_wheel(dest, wheel) return make_egg_after_pip_wheel(dest, wheel)
finally:
for f in cleanup:
f()
def make_egg_after_pip_wheel(dest, wheel): def make_egg_after_pip_wheel(dest, wheel):
unpack_wheel(os.path.join(dest, wheel), dest) unpack_wheel(os.path.join(dest, wheel), dest)
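Review bot: The `HOME` override set just before `subprocess.check_call(args, env=env)` only blocks `setup_requires` downloads where distutils actually reads `~/.pydistutils.cfg` from `HOME`. On Windows the user file is named `pydistutils.cfg` and recent Pythons resolve the home directory from `USERPROFILE`, and a `setup.cfg` shipped in the source tree is read after the user file, so its `[easy_install]` options take precedence. The comment on that block should state these limits, e.g. `# Only effective on POSIX; a setup.cfg in the sdist can still override [easy_install] options.`, and a test that builds a package with an unmet `setup_requires` would confirm the build fails rather than fetching. `call_pip_wheel` starts outside the visible hunks and `env` is built there, so confirm it is a copy and not `os.environ` itself; otherwise `env['HOME'] = pip_home` outlives the call while the directory is removed in `finally`. Minor: `tempfile.mkdtemp('pip-pydistutils-home')` passes the string as the suffix, and `tempfile.mkdtemp(prefix='pip-pydistutils-home-')` is probably what was meant.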
......