Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Drop bundled wheels for 3.7 #2758

Closed
smoser opened this issue Sep 5, 2024 · 4 comments
Closed

Drop bundled wheels for 3.7 #2758

smoser opened this issue Sep 5, 2024 · 4 comments
Labels
enhancement

Comments

@smoser
Copy link

smoser commented Sep 5, 2024

What's the problem this feature will solve?

virtualenv has embedded wheels specifically to support python 3.7. python 3.7 went EOL over a year ago (i2023-06-27).

The embedded wheels

  1. take up space - almost 3MB total for pip-24.0-py3-none-any.whl, setuptools-68.0.0-py3-none-any.whl and wheel-0.42.0-py3-none-any.whl.
  2. contain known CVE - setuptools 68.0.0 CVE-2024-6345. That unnecessarily trips security scanners. Example here.

Describe the solution you'd like

Drop the embedded wheels.

Alternative Solutions

Maybe make it installable as a optional dependency? That would clearly take action by users of python 3.7, but they have been unsupported by upstream for over a year.
smoser added a commit to smoser/virtualenv that referenced this issue Sep 5, 2024
@smoser
Drop support for Python 3.7
0380735 
Fixes pypa#2758
smoser added a commit to smoser/virtualenv that referenced this issue Sep 5, 2024
@smoser
Drop support for Python 3.7
db3f7fc 
Fixes pypa#2758
@smoser smoser mentioned this issue Sep 5, 2024
Closed
5 tasks
smoser added a commit to smoser/wolfi-os that referenced this issue Sep 5, 2024
@smoser
py3-virtualenv - remove obsolete embedded wheels.
20c882f 
This will stop scanner from reporting CVE-2024-634
and save 3MB of space.

See also pypa/virtualenv#2758
smoser added a commit to smoser/wolfi-os that referenced this issue Sep 5, 2024
@smoser
Remove embedded setuptools wheel for python3.7 (CVE-2024-6345)
d43087f 
These wheels are from python 3.7.

This will stop scanner from reporting CVE-2024-634
and save 3MB of space.

See also pypa/virtualenv#2758
smoser added a commit to smoser/wolfi-os that referenced this issue Sep 5, 2024
@smoser
Remove embedded wheels supporting python3.7 (CVE-2024-6345)
f0564c4 
These wheels are from python 3.7.

This will stop scanner from reporting CVE-2024-634
and save 3MB of space.

See also pypa/virtualenv#2758
smoser added a commit to smoser/wolfi-os that referenced this issue Sep 5, 2024
@smoser
py3-virtualenv - Remove embedded wheels supporting python3.7
ea2a742 
These wheels are from python 3.7.

This will stop scanner from reporting CVE-2024-634
and save 3MB of space.

See also pypa/virtualenv#2758
@smoser smoser mentioned this issue Sep 5, 2024
Merged
smoser added a commit to smoser/wolfi-os that referenced this issue Sep 5, 2024
@smoser
py3-virtualenv - Remove embedded wheels supporting python3.7
28b0596 
These wheels are from python 3.7.

This will stop scanner from reporting CVE-2024-634
and save 3MB of space.

See also pypa/virtualenv#2758
smoser added a commit to wolfi-dev/os that referenced this issue Sep 5, 2024
@smoser
py3-virtualenv - Remove embedded wheels supporting python3.7 (#27626)
a93a3bf 
These wheels are from python 3.7.

This will stop scanner from reporting CVE-2024-634
and save 3MB of space.

See also pypa/virtualenv#2758
@gaborbernat
Copy link
Contributor

Our policy is to support it for 18 months past python eol.

@montrellharrington-shadow
Copy link

I'm facing an issue related to the vulnerability in setuptools versions < 70.0.0, as outlined in this advisory. I've already updated the package in my pyproject.toml to setuptools = "^74.0.0", and the change is reflected in the poetry.lock file.

However, JFrog Xray still identifies the vulnerability in my application with the path /opt/poetry-venv/lib/python3.12/site-packages/virtualenv/seed/wheels/embed/setuptools-68.0.0-py3-none-any.whl.

From what I can see in the virtualenv source code, it appears that virtualenv is using version 3.7, defined by the MAX constant. My application is running on Python 3.12.6, and I’m wondering if there's a specific configuration I need to include in my Dockerfile to ensure it uses the latest setuptools .whl.

Any guidance would be greatly appreciated!

@gaborbernat
Copy link
Contributor

If you are not using Python 3.7, you can ignore the warning. If you are using it, well, you are not secure anyways.

@bluss
Copy link

bluss commented Oct 18, 2024

Fixed by #2783

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Drop support for Python 3.7 smoser/virtualenv
4 participants
@smoser @gaborbernat @bluss @montrellharrington-shadow