Package: python-pip-whl
Version: 18.1-5
Severity: important

Dear Maintainers,

TLDR: The current version of python-pip-whl breaks python-virtualenv if a
custom index-url is used inside ~/.pip/pip.conf.

The Debian version of virtualenv uses the PIP_FIND_LINKS environment variable
to inject files from /usr/share/python-wheels into pip's dependency resolution.

Since python-virtualenv will try to install pkg_resources==0.0.0 as a
separate package (which does not exist on any Python index, given that
it's a part of setuptools), it will instruct pip to do something akin to
"pip install pkg_resources". Pip will ask the index about pkg_resources,
which will return a 404. Then, pip will move to resolving the dependency
using PIP_FIND_LINKS.

That is, only if the original PyPI index is used. If you use a custom
index via ~/.pip/pip.conf file, Pip will fail with the following
message:

        Could not install packages due to an EnvironmentError: 404
        Client Error: Not Found for url: <custom-index-url>

... and exit with RC=1 without going through PIP_FIND_LINKS directory.

This means that if one has a custom index set in his ~/.pip/pip.conf,
virtualenv will fail with the following log:

        New python executable in /env/bin/python2
        Also creating executable in /env/bin/python
        Installing setuptools, pkg_resources, pip, wheel...
          Complete output from command /env/bin/python2 - setuptools pkg_resources pip wheel:
          Looking in indexes: <REDACTED>
        Looking in links: /usr/lib/python3/dist-packages, /usr/share/python-wheels/
        Collecting setuptools
          Downloading <REDACTED>
        Collecting pkg_resources
        Could not install packages due to an EnvironmentError: 404 Client Error: Not Found for url: <REDACTED>

        ----------------------------------------
        ...Installing setuptools, pkg_resources, pip, wheel...done.
        Traceback (most recent call last):
          File "/usr/lib/python3/dist-packages/virtualenv.py", line 2379, in <module>
            main()
          File "/usr/lib/python3/dist-packages/virtualenv.py", line 724, in main
            symlink=options.symlink)
          File "/usr/lib/python3/dist-packages/virtualenv.py", line 996, in create_environment
            download=download,
          File "/usr/lib/python3/dist-packages/virtualenv.py", line 926, in install_wheel
            call_subprocess(cmd, show_stdout=False, extra_env=env, stdin=SCRIPT)
          File "/usr/lib/python3/dist-packages/virtualenv.py", line 817, in call_subprocess
            % (cmd_desc, proc.returncode))
        OSError: Command /env/bin/python2 - setuptools pkg_resources pip wheel failed with error code 1
        Running virtualenv with interpreter /usr/bin/python2

None of this happens when using the upstream 18.1 version of pip, which
leads me to believe this bug is specific to python-pip-whl/python-pip.

During analysis, I created a simple Dockerfile for reproducing this
issue, but it requires setting up a custom index. Currently the behavior
has been observed when using Artifactory. We have at least one index
hosted internally via HTTP that does not lead to the aforementioned
buggy behavior, so the problem seems specific to HTTPS requests.

(_Replace <INDEX_URL> with a custom index_)

        FROM debian:buster

        RUN apt update
        RUN apt install -y python2 virtualenv
        RUN mkdir ~/.pip/
        RUN echo "[global]" >> ~/.pip/pip.conf
        RUN echo "index-url = <INDEX_URL>" >> ~/.pip/pip.conf
        CMD virtualenv env


Best Regards
Blazej Michalik


-- System Information:
Debian Release: 10.9
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.11.0-27-generic (SMP w/8 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: unable to detect

Versions of packages python-pip-whl depends on:
ii  ca-certificates  20200601~deb10u2

python-pip-whl recommends no packages.

python-pip-whl suggests no packages.

-- no debconf information
