-
Notifications
You must be signed in to change notification settings - Fork 5.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
setup.py: Generic upper bounds on dependency versions are a problem to users and to security #6756
Comments
Hi @hartwork, First, thank you for the work that you're doing! I know that open source maintainers are under appreciated. The reason for the current I've added a task to our internal backlog to take another look at our |
The new |
Fixes https://gitlab.com/buildroot.org/buildroot/-/jobs/332656041 The recent bump of a number of python packages broke docker-compose, as docker-compose specifies both minimum and maximum versions for (most of) its dependencies: Dependencies of docker-compse 1.20.1 (! = unmet): cached-property: < 2 (currently 1.51) docopt: < 0.7 (currently 0.6.2) ! pyyaml: < 4.0, patched to < 4.3 (currently 5.1.2) requests: < 2.19, patched to < 3 (currently 2.22.0) ! texttable: < 0.10 (currently 1.6.2) websocket-client: < 1.0 (currently 0.56.0) ! docker: < 4.0 (currently 4.1.0) dockerpty: < 0.5 (currently 0.4.1) six: < 2 (currently 1.12.0) jsonschema: < 3 (currently 2.5.1) enum34: < 2 (currently 1.1.6) backports.ssl-match-hostname: >= 3.5 (currently 3.7.0.1) ipaddress: >= 1.0.16 (currently 1.0.23) To fix this, bump docker-compose to the most recent release (1.24.1). This is unfortunately not enough, as our docker, pyyaml, requests and texttable packages are too new, so add 3 patches from upstream to relax the version checks of dependencies. Notice that patch 0003 is from docker/compose#6623 and has not been merged yet. Discussions around the problem of these maximum versions of the dependencies and the fact that all downstream users have to patch it is ongoing here: docker/compose#6756 docker-compose 1.24.1 added a requirement for ssh support in python-docker in: docker/compose@7b82b2e So add a dependency for python-paramiko and update the toolchain dependency for C++ (from python-paramiko -> python-cryptography) and adjust the toolchain configuration of the runtime test to match. Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Dear docker-compose team,
setup.py
has upper bound limits for all dependencies of docker-compose as of today, e.g.docopt >= 0.6.1, < 0.7
has an upper bound of< 0.7
. While some bounds seem to follow semver logic (e.g.six >= 1.3.0, < 2
), some don't and seem rather generic, e.g.texttable >= 0.9.0, < 0.10
. In a context where you install nothing but docker-compose into a dedicated virtualenv, that approach might work well. Once there are neighbors involved, this approach becomes challenging.During the livetime of docker-compose version X, dependencies can do new releases, even multiple of them. If docker-compose keeps dependencies in the past artificially, the system around it can only be as up to date as docker-compose. If the system around it is a Linux distribution, that means that users cannot install things like jsonschema 3.0.1 (see #6347), pyyaml 5.1 (see #6619), texttable 1.6.1 or requests 2.22.0 (in the past, see #6717) without uninstalling or patching docker-compose. That has consequences regarding flexibility as well as security (see #6619).
Because those upper limits are a problem, major Linux distributions need to patch them away:
In the interest of their users, distro packagers like me have two options:
sed 's/, < [0-9.]\+//' -i setup.py
that is rather brittleWhat I'd like to ask for is this:
Please drop all generic upper bounds and only re-add limits for dependencies that are known broken, a blacklist approach, not a whitelist one.
The remaining list of upper bounds should be way shorter and expose actual bockers rather than artificial ones. Linux distros could then install unpatched
setup.py
files and users would be more up to date and more secure with their python packages.Thanks a lot in advance!
Best
Sebastian
The text was updated successfully, but these errors were encountered: