setup.py install doesn't work for packages with setup_requires on older macOS #1320
Comments
|
Once pip with PEP 518 support is released, Also, am I right in thinking this issue only happens to very old Pythons, than 2.7.9+ supports the requisite TLS? In that case, another workaround is simply not to use old Pythons (if you need 2.7, get it from Homebrew, but really you should be using Python 3). And if you're really in a constrained environment where you're stuck on old Pythons, consider deploying your own devpi instance to provide compatibility. If it were straightforward to support TLS 1.2 in easy_install or to somehow rely on pip to install setup_requires, I'd be in support of either, but my suspicion is that either of those approaches are fraught with bootstrapping challenges, so it's not worth the effort in light of the alternatives above. |
|
It's happening on 2.7.10 which is system python on Sierra -- I believe it's a matter of openssl versions, not python versions. Switching to homebrew's python does fix it; I think they must ship their own openssl. (We are stuck on python 2 at present.) But anyway, totally fair, and thanks for the response. We'll keep an eye out for pip 10 in the meantime. |
|
@jaraco the suggestion in pypa/packaging-problems#134 (comment) is to fall back on SecureTransport as pip does. |
|
For explicit clarification: For any installs using the system-provided python on any macOS version earlier than 10.13.0, you will run into this issue not because of old python, but because those versions are linked against OpenSSL 0.9.8 and do not support TLS 1.1 or later. easy_install would indeed need to be patched to swap in SecureTransport usage in a similar fashion. |
pganssle
added
Needs Triage
|
Are we going to fix this, or should we just say that |
|
It turns out PIP 518/517 support isn't sufficient, due to usage of setup.py in other situations. I ran into this issue on the latest macOS 10.14.2 with Python 3.5.4 from python.org (the latest available binary) using tox which invokes |
|
In this comment, Donald suggests:
Looking at the pip codebase, here's where SecureTransport is injected, but unfortunately, it relies on urllib3, and setuptools uses stdlib for its SSL, so Setuptools would need to be updated to use urllib3 to adopt this technique.
Hmm... |
|
In 7fa18bf, I've drafted an attempt to use PyOpenSSL, but it fails with this traceback: |
|
I'm removing the 'critical' label, as I've made substantial progress to dropping reliance on Still, it would be nice if easy_install didn't just fail on these older SSL builds. Another option to supplementing the SSL support would be to defer to |
|
I am wondering if the problem I am describing at tox-dev/tox#809 (comment) is not the same, because the package that fails to install is This happens when I have my custom SSL proxy and while having correct cert store environment variables defined: Yep, all 3 needed as different tools/libraries expect different variables. |
ghost
mentioned this issue
Remove setup.py and setup.cfg These tools are becoming old and deprecated, and can introduce errors: - https://pip.pypa.io/en/latest/cli/pip_install/#controlling-setup-requires - https://setuptools.readthedocs.io/en/latest/userguide/dependency_management.html?highlight=dependencies#id3 - pypa/setuptools#1320 (comment) Python-poetry can replace that, making it easier to manage dependencies
Remove setup.py and setup.cfg These tools are becoming old and deprecated, and can introduce errors: - https://pip.pypa.io/en/latest/cli/pip_install/#controlling-setup-requires - https://setuptools.readthedocs.io/en/latest/userguide/dependency_management.html?highlight=dependencies#id3 - pypa/setuptools#1320 (comment) Python-poetry can replace that, making it easier to manage dependencies
setup_requires make pip failing when using own devpi repository because it does honor PIP_INDEX_URL Btw using setup_requires is now deprecated in setuptools itself pypa/setuptools#1320 (comment)
Remove setup.py and setup.cfg These tools are becoming old and deprecated, and can introduce errors: - https://pip.pypa.io/en/latest/cli/pip_install/#controlling-setup-requires - https://setuptools.readthedocs.io/en/latest/userguide/dependency_management.html?highlight=dependencies#id3 - pypa/setuptools#1320 (comment) Python-poetry can replace that, making it easier to manage dependencies
|
|
jaraco
added
obsolete
and removed
help wanted
Needs Discussion
SInce the TLS 1.0/1.1 turndown,
easy_installdoesn't work on older macOS, because the builtin libraries don't support SSL. For the most part, we just use latest pip instead, and things work fine. But when installing a package withsetup_requiresfrom source (e.g.pip install git+git://github.com/pycqa/flake8.git@master), we run into trouble even on latest pip/setuptools, because pip runssetup.py install, which in turn runseasy_install, which fails. Ifeasy_installis completely deprecated,setuptoolsshould call out topipinstead; oreasy_installdo what pip does to make TLS 1.2 work.See also pypa/packaging-problems#134.
The text was updated successfully, but these errors were encountered: