ensurepip bootstrap breaks out of isolated environment #90355

Closed
kcdodd mannequin opened this issue Dec 29, 2021 · 6 comments
Labels
3.8 only security fixes 3.9 only security fixes 3.10 only security fixes 3.11 only security fixes type-bug An unexpected behavior, bug, or error

Comments

@kcdodd
Mannequin

kcdodd mannequin commented Dec 29, 2021

BPO 46197
Nosy @gvanrossum, @ncoghlan, @merwok, @ericsnowcurrently, @dstufft, @pradyunsg, @cdce8p, @kcdodd
PRs
  • [3.10] bpo-46197: Add isolated flag if currently isolated #30307

Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.


    GitHub fields:

    assignee = None
    closed_at = None
    created_at = <Date 2021-12-29.23:24:11.769>
    labels = ['type-bug', '3.8', '3.9', '3.10', '3.11']
    title = 'ensurepip bootstrap breaks out of isolated environment'
    updated_at = <Date 2022-03-29.20:57:30.348>
    user = 'https://github.com/kcdodd'

    bugs.python.org fields:

    activity = <Date 2022-03-29.20:57:30.348>
    actor = 'gvanrossum'
    assignee = 'none'
    closed = False
    closed_date = None
    closer = None
    components = []
    creation = <Date 2021-12-29.23:24:11.769>
    creator = 'kcdodd'
    dependencies = []
    files = []
    hgrepos = []
    issue_num = 46197
    keywords = ['patch']
    message_count = 2.0
    messages = ['409334', '412408']
    nosy_count = 8.0
    nosy_names = ['gvanrossum', 'ncoghlan', 'eric.araujo', 'eric.snow', 'dstufft', 'pradyunsg', 'cdce8p', 'kcdodd']
    pr_nums = ['30307']
    priority = 'normal'
    resolution = None
    stage = 'patch review'
    status = 'open'
    superseder = None
    type = 'behavior'
    url = 'https://bugs.python.org/issue46197'
    versions = ['Python 3.8', 'Python 3.9', 'Python 3.10', 'Python 3.11']

    @kcdodd
    Mannequin Author

    kcdodd mannequin commented Dec 29, 2021

    A change in behavior was made to the ensurepip module in Python 3.8.7 that causes bootstrapping to break out of an isolated environment. This is relevant to the assumption made in the venv module, which ran ensurepip as a sub-process with the -I flag for environment isolation to force installation in the virtual environment directory.

    In Python <= 3.8.6, ensurepip ran the bootstrap within the current interpreter, so the environment remained isolated. But in Python >= 3.8.7 it creates a second subprocess without the -I flag, and the un-isolated environment appears to be restored for pip. This would then allow a search of any additional paths, and prevent pip and setuptools from being installed in the venv environment directory if they are found somewhere else.

    @kcdodd kcdodd mannequin added 3.8 only security fixes 3.9 only security fixes 3.10 only security fixes 3.11 only security fixes type-bug An unexpected behavior, bug, or error labels Dec 29, 2021
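
The behaviour reported above, as an added illustration that is not part of the original issue and is not CPython's ensurepip code: a child interpreter started without `-I` picks up `PYTHONPATH` again, while one started with `-I` does not, and the linked PR's approach ("Add isolated flag if currently isolated") amounts to passing the parent's isolation on to the child. The helper names `child_sys_path`, `propagate_isolation` and `leaks` are hypothetical, and the temporary directory is a constructed stand-in for a path outside the venv.

```python
import json
import os
import subprocess
import sys
import tempfile


def child_sys_path(isolated, extra_path):
    """Start a child interpreter with PYTHONPATH=extra_path and return its sys.path."""
    argv = [sys.executable]
    if isolated:
        argv.append("-I")  # isolated mode: ignore PYTHON* variables and the user site
    argv += ["-c", "import json, sys; print(json.dumps(sys.path))"]
    env = dict(os.environ, PYTHONPATH=extra_path)
    out = subprocess.run(argv, env=env, check=True, capture_output=True, text=True)
    return json.loads(out.stdout)


def propagate_isolation(argv_tail):
    """Build a child command line that keeps -I when the parent itself runs isolated."""
    flags = ["-I"] if sys.flags.isolated else []
    return [sys.executable, *flags, *argv_tail]


def leaks(extra_path):
    """Return (leak_without_I, leak_with_I) for a constructed PYTHONPATH entry."""
    real = os.path.realpath(extra_path)

    def seen(paths):
        # Skip the empty entry that "-c" adds for the current directory.
        return any(os.path.realpath(p) == real for p in paths if p)

    return (seen(child_sys_path(False, extra_path)),
            seen(child_sys_path(True, extra_path)))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:  # constructed outside-the-venv path
        print("leak without -I, with -I:", leaks(d))
    print(propagate_isolation(["-m", "ensurepip"]))
```
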
    @merwok
    Member

    merwok commented Feb 3, 2022

    Thanks for the report and PR.

    The workflow would be to merge a fix to the main branch for 3.11, then there’s a bot that makes backports for active branches (3.10 and 3.9).

    More info: https://devguide.python.org/

    @ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022
    @gvanrossum
    Member

    @kcdodd Please follow instructions here.

    @kcdodd
    Contributor

    kcdodd commented May 16, 2022

    @gvanrossum

    As stated in the issue, this should be rebased onto main and once accepted and merged there it can be backported. Probably a new PR is easiest.

    Should the pull request be to "main", or to "3.11"?

    Also, the "cpython-cla-bot" now marks that the CLA is not signed again. I have signed it and previously "the-knights-who-say-ni" had marked it as signed.

    @gvanrossum
    Member

    It should be main (that comment was written when 3.11==main, but now 3.11b1 was released and 3.12==main until next year). I'll look into the CLA bot.

    miss-islington pushed a commit to miss-islington/cpython that referenced this issue Jul 5, 2022
    Co-authored-by: Éric <merwok@netwok.org>
    Co-authored-by: Łukasz Langa <lukasz@langa.pl>
    (cherry picked from commit c8556bc)
    
    Co-authored-by: Carter Dodd <carter.dodd@gmail.com>
    ambv added a commit that referenced this issue Jul 5, 2022
    Co-authored-by: Éric <merwok@netwok.org>
    Co-authored-by: Łukasz Langa <lukasz@langa.pl>
    ambv pushed a commit to ambv/cpython that referenced this issue Jul 5, 2022
    …GH-92857)
    
    Co-authored-by: Éric <merwok@netwok.org>
    Co-authored-by: Łukasz Langa <lukasz@langa.pl>
    (cherry picked from commit c8556bc)
    
    Co-authored-by: Carter Dodd <carter.dodd@gmail.com>
    ambv pushed a commit that referenced this issue Jul 5, 2022
    Co-authored-by: Carter Dodd <carter.dodd@gmail.com>
    Co-authored-by: Éric <merwok@netwok.org>
    Co-authored-by: Łukasz Langa <lukasz@langa.pl>
    (cherry picked from commit c8556bc)
    ambv added a commit that referenced this issue Jul 5, 2022
    …H-94570)
    
    Co-authored-by: Carter Dodd <carter.dodd@gmail.com>
    Co-authored-by: Éric <merwok@netwok.org>
    Co-authored-by: Łukasz Langa <lukasz@langa.pl>
    (cherry picked from commit c8556bc)
    ambv added a commit that referenced this issue Jul 5, 2022
    …H-94571)
    
    Co-authored-by: Carter Dodd <carter.dodd@gmail.com>
    Co-authored-by: Éric <merwok@netwok.org>
    Co-authored-by: Łukasz Langa <lukasz@langa.pl>
    (cherry picked from commit c8556bc)
    @ambv
    Contributor

    ambv commented Jul 5, 2022

    This is now fixed in 3.8 - 3.12. Thanks, Carter! ✨ 🍰 ✨

    @ambv ambv closed this as completed Jul 5, 2022
    ento added a commit to ento/nixpkgs that referenced this issue Sep 5, 2022
    A bug in ensurepip, coupled with how Nix sets up build
    environments, was causing tests to fail:
    python/cpython#90355
    
    The bug has been fixed in Python 3.10.6 but hasn't been
    shipped to 3.8/3.9 lines.