Installation not aborted when Requires-Python does not match the running version #5967

Closed
zzh1996 opened this issue Oct 29, 2018 · 9 comments
Labels: auto-locked, resolution: invalid, type: support


zzh1996 commented Oct 29, 2018

Environment

  • pip version: 18.1
  • Python version: 2.7
  • OS: ubuntu 18.04 (docker)

Description
After merging #3846, package installation should be aborted if Requires-Python does not match the running Python version. But this feature is not working.

Expected behavior
Package installation should stop before setup.py is run.

How to Reproduce
On a freshly installed Ubuntu 18.04 (here I use docker run -it ubuntu:18.04 bash), run the following commands:

apt update && apt install python-pip
python -m pip install -U pip
python -m pip install https://files.pythonhosted.org/packages/6a/f5/d8f543ce16d9748a2cff663f23b5c1a6d7b844cb341e3343e4bbe5a9c620/angr-8.18.10.25.tar.gz

Why do this?

Yes, python -m pip install angr works without any error. This is because the data-requires-python attribute is provided on the official PyPI website according to PEP 503. Python 2.7 will ignore the versions that don't satisfy the requirement and finally install angr-7.8.9.26 (the correct version for Python 2.7).

Unfortunately, according to PEP 503,

A repository MAY include a data-requires-python attribute on a file link.

There are many mirrors of PyPI which do not support the data-requires-python attribute, such as https://mirrors.ustc.edu.cn/pypi/web/. When you install PyPI packages from these mirrors, you will download package versions which are in conflict with the running Python version (e.g. the URL I provided above). Some packages will detect it when installing and stop immediately, but others will succeed in installing and just throw something like SyntaxError: invalid syntax only when you import them. pip should ensure that a package does not start installing if Requires-Python does not match the running Python version.

Output

root@267436d93d0c:/# python -V
Python 2.7.15rc1
root@267436d93d0c:/# python -m pip -V
pip 18.1 from /usr/local/lib/python2.7/dist-packages/pip (python 2.7)
root@267436d93d0c:/# python -m pip install https://files.pythonhosted.org/packages/6a/f5/d8f543ce16d9748a2cff663f23b5c1a6d7b844cb341e3343e4bbe5a9c620/angr-8.18.10.25.tar.gz
Collecting https://files.pythonhosted.org/packages/6a/f5/d8f543ce16d9748a2cff663f23b5c1a6d7b844cb341e3343e4bbe5a9c620/angr-8.18.10.25.tar.gz
  Using cached https://files.pythonhosted.org/packages/6a/f5/d8f543ce16d9748a2cff663f23b5c1a6d7b844cb341e3343e4bbe5a9c620/angr-8.18.10.25.tar.gz
    Complete output from command python setup.py egg_info:
    Traceback (most recent call last):
      File "<string>", line 1, in <module>
      File "/tmp/pip-req-build-4N0yQX/setup.py", line 27, in <module>
        """)
    Exception:
    
    =-=-=-=-=-=-=-=-=-=-=-=-=  WELCOME TO THE FUTURE!  =-=-=-=-=-=-=-=-=-=-=-=-=-=
    
    angr has transitioned to python 3. Due to the small size of the team behind it,
    we can't reasonably maintain compatibility between both python 2 and python 3.
    If you want to continue using the most recent version of angr (you definitely
    want that, trust us) you should upgrade to python 3. It's like getting your
    vaccinations. It hurts a little bit initially but in the end it's worth it.
    
    If you are staying on python 2 and would like to make sure you don't get
    incompatible versions, make sure your pip is at least version 9.0, and it will
    use our metadata to implicitly avoid them.
    
    For more information, see here: https://docs.angr.io/MIGRATION.html
    
    Good luck!
    
    
    ----------------------------------------
Command "python setup.py egg_info" failed with error code 1 in /tmp/pip-req-build-4N0yQX/
root@267436d93d0c:/# wget https://files.pythonhosted.org/packages/6a/f5/d8f543ce16d9748a2cff663f23b5c1a6d7b844cb341e3343e4bbe5a9c620/angr-8.18.10.25.tar.gz && tar xf angr-8.18.10.25.tar.gz && cat angr-8.18.10.25/PKG-INFO 
Metadata-Version: 1.2
Name: angr
Version: 8.18.10.25
Summary: A multi-architecture binary analysis toolkit, with the ability to perform dynamic symbolic execution and various static analyses on binaries
Home-page: https://github.com/angr/angr
License: UNKNOWN
Description: UNKNOWN
Platform: UNKNOWN
Requires-Python: >=3.5

@benoit-pierre
Member

Note that pip needs to "prepare" a source distribution to read its metadata (e.g. run setup.py egg_info), meaning it cannot check requires-python before that.

@benoit-pierre
Member

To elaborate: PKG-INFO and/or existing egg-info metadata is not used, because it might not be present (pip supports installing from VCS snapshots, not just proper source distributions).

@RonnyPfannschmidt
Contributor

The main question is: should pip consider it if available (as pretty much all setuptools-based sdists supply it in a reasonable fashion)?

pradyunsg added the "S: needs triage" label Dec 14, 2018
chrahunt added the "state: needs discussion" and "type: enhancement" labels Jul 22, 2019
triage-new-issues bot removed the "S: needs triage" label Jul 22, 2019
@pradyunsg
Member

pradyunsg commented Feb 4, 2020

python -m pip install https://files.pythonhosted.org/packages/6a/f5/d8f543ce16d9748a2cff663f23b5c1a6d7b844cb341e3343e4bbe5a9c620/angr-8.18.10.25.tar.gz

This isn't installing from a PEP 503 repository -- this is an install from a source tarball URL. As noted above, pip has no way to know the metadata of that distribution, without running setup.py egg_info.

Attempting pip install angr==8.18.0.25 --no-binary angr correctly deems this version as not-compatible, as indicated by the data-requires-python=">=3.5" on the relevant anchor tag for this distribution.

<a href="https://files.pythonhosted.org/packages/6f/9a/e7dc9923c63c993c6a6e7ceae6f3f82d93e68fc8e0f2cc2fb442c1e68006/angr-8.18.10.5.tar.gz#sha256=5a614728f4e5d2c74101c43a7a78ce0ad4a125b2e722d209ec1774fb9448235c" data-requires-python=">=3.5">angr-8.18.10.5.tar.gz</a>

pradyunsg added the "resolution: invalid", "S: awaiting response" and "type: support" labels and removed the "state: needs discussion" and "type: enhancement" labels Feb 4, 2020

no-response bot commented Feb 19, 2020

This issue has been automatically closed because there has been no response to our request for more information from the original author. With only the information that is currently in the issue, we don't have enough information to take action. Please reach out if you have or find the answers we need so that we can investigate further.

no-response bot closed this as completed Feb 19, 2020
@uranusjr
Member

Is it the intention to close this? I do feel pip should abort the installation by default instead of breaking the environment silently.

@webknjaz
Member

@uranusjr it does abort the installation. In fact, it explodes during the build from sdists. The problem is that it needs to build sdist in order to figure out python-requires if there's no wheel.

@uranusjr
Member

Got it, thanks for the clarification.

@pfmoore
Member

pfmoore commented Feb 19, 2020

So there are a number of points here:

  1. data-requires-python works fine, if available. The OP was using a direct URL, which doesn't have access to that data.
  2. Requires-Python works if available, although current pip will typically install and then report the problem. The new resolver will skip the candidate, giving an experience more like data-requires-python.
  3. Pip doesn't use metadata from a sdist file. This is an issue under active discussion - see here. If we could trust (this part of) sdist metadata, then using it is an option, although it would be an enhancement.
  4. For projects whose sdist can't even build under the current Python version, we have no way of getting metadata. The best we could possibly do would be to improve the error message.

Keeping this issue open (particularly as the OP hasn't responded) doesn't seem to add much value here.
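
Point 3 above, as an added example (not pip's code and not part of the original thread): reading Requires-Python from an sdist's PKG-INFO without executing setup.py, then checking it against an interpreter version. The helper names, the in-memory sample sdist and the simplified specifier matcher are assumptions made for illustration; `packaging.specifiers.SpecifierSet` implements the full PEP 440 rules.

```python
import io
import re
import tarfile
from email.parser import HeaderParser

_CLAUSE = re.compile(r"^\s*(==|!=|>=|<=|>|<)\s*(\d+(?:\.\d+)*(?:\.\*)?)\s*$")

def read_requires_python(sdist_bytes):
    """Return Requires-Python from the top-level PKG-INFO, or None. Executes nothing."""
    with tarfile.open(fileobj=io.BytesIO(sdist_bytes), mode="r:gz") as tar:
        for member in tar:
            parts = member.name.split("/")
            if member.isfile() and len(parts) == 2 and parts[1] == "PKG-INFO":
                text = tar.extractfile(member).read().decode("utf-8", "replace")
                return HeaderParser().parsestr(text).get("Requires-Python")
    return None  # e.g. a VCS snapshot with no generated metadata

def _clause_ok(op, spec, version):
    # Simplified matcher (assumption): numeric release tuples only, not full PEP 440.
    prefix = spec.endswith(".*")
    want = tuple(int(p) for p in (spec[:-2] if prefix else spec).split("."))
    have = tuple(version[:len(want)] if prefix else version)
    n = max(len(want), len(have))
    want += (0,) * (n - len(want))
    have += (0,) * (n - len(have))
    return {"==": have == want, "!=": have != want, ">=": have >= want,
            "<=": have <= want, ">": have > want, "<": have < want}[op]

def python_allowed(requires_python, version):
    """True if `version` (a tuple of ints) satisfies every comma-separated clause."""
    if not requires_python:
        return True  # no constraint declared
    for clause in requires_python.split(","):
        m = _CLAUSE.match(clause)
        if m is None:
            raise ValueError("unsupported clause: %r" % clause)
        if not _clause_ok(m.group(1), m.group(2), version):
            return False
    return True

def make_sample_sdist():
    """Constructed in-memory sdist carrying PKG-INFO fields quoted in the issue."""
    pkg_info = b"Metadata-Version: 1.2\nName: angr\nVersion: 8.18.10.25\nRequires-Python: >=3.5\n"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("angr-8.18.10.25/PKG-INFO")
        info.size = len(pkg_info)
        tar.addfile(info, io.BytesIO(pkg_info))
    return buf.getvalue()
```

A `None` result from `read_requires_python` means the archive carried no PKG-INFO, which is the VCS-snapshot case raised earlier in the thread; a caller still has to decide whether to build in that case.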

lock bot added the "auto-locked" label Mar 21, 2020
lock bot locked as resolved and limited conversation to collaborators Mar 21, 2020
pradyunsg removed the "S: awaiting response" label Mar 17, 2023