diff --git a/tools/pip_install.py b/tools/pip_install.py
index 80ecc0e59..7c73a51bb 100755
--- a/tools/pip_install.py
+++ b/tools/pip_install.py
@@ -75,7 +75,7 @@ def call_with_print(command):
 subprocess.check_call(command, shell=True)
-def pip_install_with_print(args_str, disable_build_isolation):
+def pip_install_with_print(args_str, disable_build_isolation=True):
 command = ['"', sys.executable, '" -m pip install --disable-pip-version-check ']
 if disable_build_isolation:
 command.append('--no-build-isolation ')
@@ -83,7 +83,7 @@ def pip_install_with_print(args_str, disable_build_isolation):
 call_with_print(''.join(command))
-def main(args, disable_build_isolation=True):
+def main(args):
 tools_path = find_tools_path()
 working_dir = tempfile.mkdtemp()
@@ -98,7 +98,7 @@ def main(args, disable_build_isolation=True):
 if os.environ.get('CERTBOT_NO_PIN') == '1':
 # With unpinned dependencies, there is no constraint
- pip_install_with_print(' '.join(args), disable_build_isolation)
+ pip_install_with_print(' '.join(args))
 else:
 # Otherwise, we merge requirements to build the constraints and pin dependencies
 requirements = None
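Review bot: `pip_install_with_print` has no docstring, although this change turns it into a helper that tools/pipstrap.py calls directly, and its contract is not obvious from the signature. `args_str` is concatenated into a command string that `call_with_print` runs with `shell=True`, so each caller has to quote paths and arguments itself. I would add a docstring along the lines of `"""Run "pip install" through the shell; args_str is inserted verbatim, so callers must quote paths. Build isolation is disabled unless disable_build_isolation is False."""`. The `' '.join(args)` calls in the `-98` and `-112` hunks pass their arguments through unquoted as well; whether that matters depends on where `args` comes from, which is outside these hunks. The function body continues past the end of the hunk.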
@@ -112,17 +112,15 @@ def main(args, disable_build_isolation=True):
 # First step, install the transitive dependencies of oldest requirements
 # in respect with oldest constraints.
 pip_install_with_print('--constraint "{0}" --requirement "{1}"'
- .format(all_constraints, requirements),
- disable_build_isolation)
+ .format(all_constraints, requirements))
 # Second step, ensure that oldest requirements themselves are effectively
 # installed using --force-reinstall, and avoid corner cases like the one described
 # in https://github.com/certbot/certbot/issues/7014.
 pip_install_with_print('--force-reinstall --no-deps --requirement "{0}"'
- .format(requirements),
- disable_build_isolation)
+ .format(requirements))
 pip_install_with_print('--constraint "{0}" {1}'.format(
- all_constraints, ' '.join(args)), disable_build_isolation)
+ all_constraints, ' '.join(args)))
 finally:
 if os.environ.get('TRAVIS'):
 print('travis_fold:end:install_certbot_deps')
diff --git a/tools/pipstrap.py b/tools/pipstrap.py
index 2e6b89049..448706ae9 100755
--- a/tools/pipstrap.py
+++ b/tools/pipstrap.py
@@ -7,16 +7,40 @@ pinned the same way as our other packages.
 """
 from __future__ import absolute_import
+import os
+import tempfile
+
 import pip_install
+# We include the hashes of the packages here for extra verification of
+# the packages downloaded from PyPI. This is especially valuable in our
+# builds of Certbot that we ship to our users such as our Docker images.
+REQUIREMENTS = r"""
+pip==20.2.4 \
+ --hash=sha256:51f1c7514530bd5c145d8f13ed936ad6b8bfcb8cf74e10403d0890bc986f0033 \
+ --hash=sha256:85c99a857ea0fb0aedf23833d9be5c40cf253fe24443f0829c7b472e23c364a1
+setuptools==44.1.1 \
+ --hash=sha256:27a714c09253134e60a6fa68130f78c7037e5562c4f21f8f318f2ae900d152d5 \
+ --hash=sha256:c67aa55db532a0dadc4d2e20ba9961cbd3ccc84d544e9029699822542b5a476b
+wheel==0.35.1 \
+ --hash=sha256:497add53525d16c173c2c1c733b8f655510e909ea78cc0e29d374243544b77a2 \
+ --hash=sha256:99a22d87add3f634ff917310a3d87e499f19e663413a52eb9232c447aa646c9f
+"""
+
+
 def main():
- pkgs = 'pip setuptools wheel'.split()
- # We don't disable build isolation because we may have an older version of
- # pip that doesn't support the flag disabling it. We expect these packages
- # to already have usable wheels available anyway so no building should be
- # required.
- pip_install.main(pkgs, disable_build_isolation=False)
+ with tempfile.TemporaryDirectory() as tempdir:
+ requirements_filepath = os.path.join(tempdir, 'reqs.txt')
+ with open(requirements_filepath, 'w') as f:
+ f.write(REQUIREMENTS)
+ pip_install_args = '--requirement ' + requirements_filepath
+ # We don't disable build isolation because we may have an older
+ # version of pip that doesn't support the flag disabling it. We
+ # expect these packages to already have usable wheels available
+ # anyway so no building should be required.
+ pip_install.pip_install_with_print(pip_install_args,
+ disable_build_isolation=False)
 if __name__ == '__main__':
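Review bot: `pip_install_args` appends `requirements_filepath` unquoted to a string that `pip_install_with_print` joins and passes to `subprocess.check_call(command, shell=True)`, so a temporary directory whose path contains a space or a shell metacharacter (a custom TMPDIR, a Windows profile path) splits or alters the command. The other call sites in tools/pip_install.py wrap their paths in double quotes, so I would match them with `pip_install_args = '--requirement "{0}"'.format(requirements_filepath)`. Since the purpose of REQUIREMENTS is hash verification, consider also passing `--require-hashes` explicitly, so that a later edit which removes the `--hash` options fails the install instead of silently dropping verification. `tempfile.TemporaryDirectory` exists only on Python 3; if this script still has to run on Python 2, which the `__future__` import and the setuptools 44 pin suggest it might, it needs a fallback.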