commit 3c892361282940c1724e60b9a6a4f826503a7a79
parent 587ca5dd42e832db277e0a3d754ad98e71cfbefa
Author: ghost43 <somber.night@protonmail.com>
Date: Tue, 15 Dec 2020 15:44:39 +0000
Merge pull request #6843 from SomberNight/202012_distutils_config
build: don't allow setuptools to sneakily install build-time deps
Diffstat:
6 files changed, 36 insertions(+), 0 deletions(-)
diff --git a/contrib/build-linux/appimage/build.sh b/contrib/build-linux/appimage/build.sh
@@ -94,6 +94,8 @@ python='appdir_python'
info "installing pip."
"$python" -m ensurepip
+break_legacy_easy_install
+
info "preparing electrum-locale."
(
diff --git a/contrib/build-linux/sdist/build.sh b/contrib/build-linux/sdist/build.sh
@@ -12,6 +12,8 @@ DISTDIR="$PROJECT_ROOT/dist"
# note that at least py3.7 is needed, to have https://bugs.python.org/issue30693
python3 --version || fail "python interpreter not found"
+break_legacy_easy_install
+
# upgrade to modern pip so that it knows the flags we need.
# we will then install a pinned version of pip as part of requirements-build-sdist
python3 -m pip install --upgrade pip
diff --git a/contrib/build-wine/prepare-wine.sh b/contrib/build-wine/prepare-wine.sh
@@ -60,6 +60,8 @@ for msifile in core dev exe lib pip tools; do
wine msiexec /i "$PYTHON_DOWNLOADS/${msifile}.msi" /qb TARGETDIR=$PYHOME
done
+break_legacy_easy_install
+
info "Installing build dependencies."
$PYTHON -m pip install --no-dependencies --no-warn-script-location -r "$CONTRIB"/deterministic-build/requirements-build-wine.txt
diff --git a/contrib/build_tools_util.sh b/contrib/build_tools_util.sh
@@ -129,3 +129,25 @@ fi
export GCC_STRIP_BINARIES="${GCC_STRIP_BINARIES:-0}"
+
+function break_legacy_easy_install() {
+ # We don't want setuptools sneakily installing dependencies, invisible to pip.
+ # This ensures that if setuptools calls distutils which then calls easy_install,
+ # easy_install will not download packages over the network.
+ # see https://pip.pypa.io/en/stable/reference/pip_install/#controlling-setup-requires
+ # see https://github.com/pypa/setuptools/issues/1916#issuecomment-743350566
+ info "Intentionally breaking legacy easy_install."
+ DISTUTILS_CFG="${HOME}/.pydistutils.cfg"
+ DISTUTILS_CFG_BAK="${HOME}/.pydistutils.cfg.orig"
+ # If we are not inside docker, we might be overwriting a config file on the user's system...
+ if [ -e "$DISTUTILS_CFG" ] && [ ! -e "$DISTUTILS_CFG_BAK" ]; then
+ warn "Overwriting python distutils config file at '$DISTUTILS_CFG'. A copy will be saved at '$DISTUTILS_CFG_BAK'."
+ mv "$DISTUTILS_CFG" "$DISTUTILS_CFG_BAK"
+ fi
+ cat <<EOF > "$DISTUTILS_CFG"
+[easy_install]
+index_url = ''
+find_links = ''
+EOF
+}
+
diff --git a/contrib/osx/make_osx b/contrib/osx/make_osx
@@ -72,6 +72,8 @@ PYTHON_CONFIGURE_OPTS="--enable-framework" pyenv install -s $PYTHON_VERSION && \
pyenv global $PYTHON_VERSION || \
fail "Unable to use Python $PYTHON_VERSION"
+break_legacy_easy_install
+
# create a fresh virtualenv
# This helps to avoid older versions of pip-installed dependencies interfering with the build.
VENV_DIR="$CONTRIB_OSX/build-venv"
diff --git a/setup.cfg b/setup.cfg
@@ -0,0 +1,6 @@
+[easy_install]
+# We don't want setuptools sneakily installing dependencies, invisible to pip.
+# see https://pip.pypa.io/en/stable/reference/pip_install/#controlling-setup-requires
+# see https://github.com/pypa/setuptools/issues/1916#issuecomment-743350566
+index_url = ''
+find_links = ''
