Commit 711d8710 authored by Xavier Thompson's avatar Xavier Thompson

[feat] Prevent pip installing setup_requires

Use a special .pydistutils.cfg in a temporary HOME directory for
the duration of the pip wheel run to prevent build dependencies
specified in a setup_requires from being installed on the fly
without respecting pinned versions.
parent 085baf94
...@@ -18,6 +18,7 @@ It doesn't install scripts. It uses setuptools and requires it to be ...@@ -18,6 +18,7 @@ It doesn't install scripts. It uses setuptools and requires it to be
installed. installed.
""" """
import atexit
import copy import copy
import distutils.errors import distutils.errors
import distutils.sysconfig import distutils.sysconfig
...@@ -1731,6 +1732,13 @@ class IncompatibleConstraintError(zc.buildout.UserError): ...@@ -1731,6 +1732,13 @@ class IncompatibleConstraintError(zc.buildout.UserError):
IncompatibleVersionError = IncompatibleConstraintError # Backward compatibility IncompatibleVersionError = IncompatibleConstraintError # Backward compatibility
# Temporary HOME with .pydistutils.cfg to disable setup_requires
pip_pydistutils_home = tempfile.mkdtemp('pip-pydistutils-home')
with open(os.path.join(pip_pydistutils_home, '.pydistutils.cfg'), 'w') as f:
f.write("[easy_install]\n"
"index-url = file:///dev/null")
atexit.register(zc.buildout.rmtree.rmtree, pip_pydistutils_home)
def call_pip_wheel(spec, dest, options): def call_pip_wheel(spec, dest, options):
""" """
Call `pip wheel` from a subprocess to install a Call `pip wheel` from a subprocess to install a
...@@ -1744,8 +1752,10 @@ def call_pip_wheel(spec, dest, options): ...@@ -1744,8 +1752,10 @@ def call_pip_wheel(spec, dest, options):
else: else:
args.append('-v') args.append('-v')
# Try to prevent pip from installing build dependencies implicitly # Prevent pip from installing build dependencies on the fly
# and without respecting pinned versions, on the fly # without respecting pinned versions. This only works for
# PEP 517 specifications using pyproject.toml and not for
# dependencies in setup_requires option in legacy setup.py
if not options._allow_picked_versions: if not options._allow_picked_versions:
args.append('--no-index') args.append('--no-index')
args.append('--no-build-isolation') args.append('--no-build-isolation')
...@@ -1779,7 +1789,14 @@ def call_pip_wheel(spec, dest, options): ...@@ -1779,7 +1789,14 @@ def call_pip_wheel(spec, dest, options):
sys.stdout.flush() # We want any pending output first sys.stdout.flush() # We want any pending output first
subprocess.check_call(list(args), env=env) # Prevent setuptools from downloading and thus installing
# build dependencies specified in setup_requires option of
# legacy setup.py by providing a crafted .pydistutils.cfg.
# This is used in complement to --no-build-isolation.
if not options._allow_picked_versions:
env['HOME'] = pip_pydistutils_home
subprocess.check_call(args, env=env)
entries = os.listdir(dest) entries = os.listdir(dest)
try: try:
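Review bot: The `env['HOME'] = pip_pydistutils_home` override in the last hunk is a fail-open control, because it only works where distutils finds the per-user config through HOME under the name `.pydistutils.cfg`. As far as I know that is not the case on Windows (the file is `pydistutils.cfg` and the home lookup goes through USERPROFILE), so there setup_requires would presumably still be fetched unpinned, with no warning. Replacing HOME also hides the user's other per-user files from the pip subprocess for that run (pip configuration, netrc credentials, cache location), which the comment should state, for example `# POSIX only; also hides the user's pip config, ~/.netrc and cache from this pip run`. `env` is built outside the visible hunks; if it is not a private copy of `os.environ`, copy it before the assignment so the override cannot leak into the buildout process itself. The body of call_pip_wheel starts and ends outside the hunks shown.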
......