Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

setup.py: Generic upper bounds on dependency versions are a problem to users and to security #6756

Closed
hartwork opened this issue Jun 17, 2019 · 3 comments · Fixed by #6778
Closed

setup.py: Generic upper bounds on dependency versions are a problem to users and to security #6756

hartwork opened this issue Jun 17, 2019 · 3 comments · Fixed by #6778
Labels
area/packaging kind/cleanup

Comments

@hartwork
Copy link

hartwork commented Jun 17, 2019
edited

Dear docker-compose team,

setup.py has upper bound limits for all dependencies of docker-compose as of today, e.g. docopt >= 0.6.1, < 0.7 has an upper bound of < 0.7. While some bounds seem to follow semver logic (e.g. six >= 1.3.0, < 2), some don't and seem rather generic, e.g. texttable >= 0.9.0, < 0.10. In a context where you install nothing but docker-compose into a dedicated virtualenv, that approach might work well. Once there are neighbors involved, this approach becomes challenging.

During the livetime of docker-compose version X, dependencies can do new releases, even multiple of them. If docker-compose keeps dependencies in the past artificially, the system around it can only be as up to date as docker-compose. If the system around it is a Linux distribution, that means that users cannot install things like jsonschema 3.0.1 (see #6347), pyyaml 5.1 (see #6619), texttable 1.6.1 or requests 2.22.0 (in the past, see #6717) without uninstalling or patching docker-compose. That has consequences regarding flexibility as well as security (see #6619).

Because those upper limits are a problem, major Linux distributions need to patch them away:

In the interest of their users, distro packagers like me have two options:

  • a) A static patch that needs manual adjustment for every version bump — compare 1 with 2 in Debian
  • b) A mass-replacement a la sed 's/, < [0-9.]\+//' -i setup.py that is rather brittle

What I'd like to ask for is this:

Please drop all generic upper bounds and only re-add limits for dependencies that are known broken, a blacklist approach, not a whitelist one.

The remaining list of upper bounds should be way shorter and expose actual bockers rather than artificial ones. Linux distros could then install unpatched setup.py files and users would be more up to date and more secure with their python packages.

Thanks a lot in advance!

Best

Sebastian
@chris-crone
Copy link
Member

Hi @hartwork,

First, thank you for the work that you're doing! I know that open source maintainers are under appreciated.

The reason for the current mess state is that we have been bitten by dependency issues in the past. It's also part of the reason we build binaries with fixed dependency versions.

I've added a task to our internal backlog to take another look at our setup.py and reevaluate our use of upper bounds.

@ulyssessouza ulyssessouza mentioned this issue Jul 2, 2019
Merged
@zelahi zelahi mentioned this issue Jul 2, 2019
Closed
@hartwork
Copy link
Author

hartwork commented Jul 3, 2019
edited

The new mock <2 just introduced by #6778 makes things worse. I have commented about it during review, my comment has been ignored. I will still need to patch setup.py downstream so this issue is not resolved so please re-open. And restore support for mock 2.x and 3.x please. Thanks!

CC @ulyssessouza

@ulyssessouza
Copy link
Contributor

#6778 (comment)

buildroot-auto-update pushed a commit to buildroot/buildroot that referenced this issue Oct 26, 2019
@jacmet @tpetazzoni
package/docker-compose: bump version to 1.24.1
1cab59a 
Fixes https://gitlab.com/buildroot.org/buildroot/-/jobs/332656041

The recent bump of a number of python packages broke docker-compose, as
docker-compose specifies both minimum and maximum versions for (most of) its
dependencies:

Dependencies of docker-compse 1.20.1 (! = unmet):
cached-property: < 2 (currently 1.51)
docopt: < 0.7 (currently 0.6.2)
! pyyaml: < 4.0, patched to < 4.3 (currently 5.1.2)
requests: < 2.19, patched to < 3 (currently 2.22.0)
! texttable: < 0.10 (currently 1.6.2)
websocket-client: < 1.0 (currently 0.56.0)
! docker: < 4.0 (currently 4.1.0)
dockerpty: < 0.5 (currently 0.4.1)
six: < 2 (currently 1.12.0)
jsonschema: < 3 (currently 2.5.1)
enum34: < 2 (currently 1.1.6)
backports.ssl-match-hostname: >= 3.5 (currently 3.7.0.1)
ipaddress: >= 1.0.16 (currently 1.0.23)

To fix this, bump docker-compose to the most recent release (1.24.1).  This
is unfortunately not enough, as our docker, pyyaml, requests and texttable
packages are too new, so add 3 patches from upstream to relax the version
checks of dependencies.  Notice that patch 0003 is from
docker/compose#6623 and has not been merged yet.

Discussions around the problem of these maximum versions of the dependencies
and the fact that all downstream users have to patch it is ongoing here:

docker/compose#6756

docker-compose 1.24.1 added a requirement for ssh support in python-docker in:
docker/compose@7b82b2e

So add a dependency for python-paramiko and update the toolchain dependency
for C++ (from python-paramiko -> python-cryptography) and adjust the
toolchain configuration of the runtime test to match.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/packaging kind/cleanup
Projects
None yet
Milestone
No milestone
3 participants
@ulyssessouza @hartwork @chris-crone