#20218: Use pip to install Python dependencies
-------------------------------------+-------------------------------------
Reporter: embray | Owner: embray
Type: enhancement | Status: needs_review
Priority: minor | Milestone: sage-7.2
Component: build | Resolution:
Keywords: | Merged in:
Authors: Erik Bray | Reviewers:
Report Upstream: N/A | Work issues:
Branch: u/embray/pip-install | Commit: 7447ef236941c521fb730b0baa1a760d7d4aa15d
Dependencies: | Stopgaps:
-------------------------------------+-------------------------------------
Comment (by embray):
Never mind--I traced this to a bug in pip, combined with a possible minor
defect in `sage-uncompress-spkg` (or Python's `tarfile` module, depending
on your perspective), along with strange packaging for pyparsing, which is
the package where this came up originally.

1) It's true that pip creates a temp dir (under `/tmp`, typically) in
which to build a package. This directory is created with `mkdtemp` and
normally has safe permissions on it. However, when installing a package
from a source directory (a la `pip install .`), pip then deletes that temp
directory, and copies the source directory using `shutil.copytree` to the
same path as the just-deleted temp dir. There are a couple of problems with
this:

a) Deleting and recreating the temp dir of the same name involves a
possible race condition.

b) More importantly, while `mkdtemp` will create a directory with safe
permissions, `shutil.copytree` copies the original permissions of the
source files, which may be arbitrary. Instead, pip should be copying the
''contents'' of the source directory ''into'' the directory created with
`mkdtemp`.

2) `sage-uncompress-spkg` just calls `TarFile.extractall()`, which
preserves the original permissions of all files/directories in the tar
file, and doesn't provide a clear way to enable or disable this. This is
different from the GNU `tar` command, which by default (for normal users)
applies the user's umask to all extracted files, which is generally safer
depending on the user's umask. It would probably be best if
`sage-uncompress-spkg` did this as well.

3) The top-level directory in pyparsing's source package has permissions
set to 777. Of all the upstream source tarballs I have, pyparsing is the
''only'' one like this. All the rest have 775 or 755.

Result: pyparsing's source is extracted with permissions 777 and is then
copied into a directory in `/tmp` with unrestricted access, from which pip
installs it. My previous comments aside, these are all bad and all three
should be addressed.
--
Ticket URL: <http://trac.sagemath.org/ticket/20218#comment:16>
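An added illustration of points 2) and 3) in the comment above (example code written for this page, not code from `sage-uncompress-spkg`, pip or Sage): it builds a small constructed tarball whose top-level directory is stored with mode 777, extracts it once with plain `TarFile.extractall()` and once while applying a umask the way GNU tar does for an unprivileged user, and reports the permission bits each run leaves on disk. The member names `pkg-1.0` and `pkg-1.0/setup.py` and the umask values are assumed sample data.

```python
import io
import os
import stat
import tarfile
import tempfile

def build_sample_archive() -> bytes:
    # Constructed sample data shaped like the case above: a top-level directory
    # stored with mode 777 holding a world-writable file (not the real tarball).
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        d = tarfile.TarInfo("pkg-1.0")
        d.type, d.mode = tarfile.DIRTYPE, 0o777
        tar.addfile(d)
        f = tarfile.TarInfo("pkg-1.0/setup.py")
        data = b"print('hello')\n"
        f.size, f.mode = len(data), 0o666
        tar.addfile(f, io.BytesIO(data))
    return buf.getvalue()

def _disk_modes(root: str, names) -> dict:
    # Permission bits actually present on disk, keyed by archive member name.
    return {n: stat.S_IMODE(os.stat(os.path.join(root, n)).st_mode) for n in names}

def extract_preserving(archive: bytes, dest: str) -> dict:
    # Plain TarFile.extractall(): modes stored in the archive are applied as-is.
    # Newer Pythons have extraction filters; "fully_trusted" keeps the historical
    # behaviour so the comparison comes out the same on every version.
    kw = {"filter": "fully_trusted"} if hasattr(tarfile, "fully_trusted_filter") else {}
    with tarfile.open(fileobj=io.BytesIO(archive)) as tar:
        names = tar.getnames()
        tar.extractall(dest, **kw)
    return _disk_modes(dest, names)

def extract_with_umask(archive: bytes, dest: str, umask: int = 0o022) -> dict:
    # GNU tar style for an unprivileged user: after extraction, drop the umask bits
    # (and setuid/setgid/sticky) from every member instead of trusting the archive.
    modes = extract_preserving(archive, dest)
    for name, mode in modes.items():
        os.chmod(os.path.join(dest, name), mode & 0o777 & ~umask)
    return _disk_modes(dest, modes)

def demo(umask: int = 0o022) -> tuple:
    # Run both extractions in throwaway directories and return
    # (modes after plain extractall, modes after umask-style extraction).
    archive = build_sample_archive()
    with tempfile.TemporaryDirectory() as raw, tempfile.TemporaryDirectory() as safe:
        return extract_preserving(archive, raw), extract_with_umask(archive, safe, umask)

if __name__ == "__main__":
    for label, modes in zip(("extractall", "umask 022"), demo()):
        print(label, {k: oct(v) for k, v in modes.items()})
```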