Setuptools "unsafe" as install dependency
I’m working near the limits of my knowledge of Python packaging so please be patient.
If I build a project based on “fs”, and have “fs” in my “prod.in” file, pip-tools will complain when I try to generate requirements.txt.
# The following packages are considered to be unsafe in a requirements file:
I can also reproduce this by running pip-compile in the setuptools root directory itself.
The exact reason that this is considered unsafe is slightly unclear, but there is also a CVE that mentions setuptools. That causes my company’s scanning tools to also complain about setuptools due to the complaint called sonatype-2014-0148, which is more or less this issue:
https://github.com/pypa/setuptools/issues/227
That issue was never resolved to Sonatype’s satisfaction.
Typically, Setuptools is not an install-time requirement of Python packages. Is there a reason it must be an install-time requirement for ‘fs’?
This is just a guess, but perhaps it’s related to this? 🤷
Basically, the reason it appears twice is because we need it on both stages:
- setuptools >=38 because it’s the minimum version that supports reading metadata from setup.cfg files.
- fs.sshfs, etc.) are loaded as entry points. This part could be replaced by a more up-to-date solution like importlib.metadata I guess.
I’m feeling like this shouldn’t be a security issue because we specify a minimum version, not a mandatory one. Sure, the minimum one has a CVE, but you should use the latest setuptools available for the Python version you’re using I suppose.
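The swap the maintainer mentions, loading plugin entry points through the stdlib importlib.metadata instead of setuptools' pkg_resources, as an added example that is not code from the fs project. It assumes a plugin group named "fs.opener" and constructs a throwaway plugin distribution in a temp directory so it runs offline.

```python
import sys
import tempfile
from importlib import metadata
from pathlib import Path

# Assumed group name for this demo; the real group is whatever `fs` declares in its setup.cfg.
PLUGIN_GROUP = "fs.opener"


def discover_entry_points(group, search_path):
    """Map entry-point name -> 'module:attr' for `group`, scanning only `search_path`.

    importlib.metadata is stdlib (3.8+), so plugin discovery needs no runtime
    dependency on setuptools / pkg_resources.
    """
    found = {}
    for dist in metadata.distributions(path=search_path):
        for ep in dist.entry_points:
            if ep.group == group:
                found[ep.name] = ep.value
    return found


def load_plugin(group, name, search_path):
    """Import and return the object registered as `name` in `group`, or None."""
    value = discover_entry_points(group, search_path).get(name)
    if value is None:
        return None
    return metadata.EntryPoint(name, value, group).load()


def make_fake_plugin(root):
    """Write a constructed plugin distribution into `root` (demo data only)."""
    root = Path(root)
    # Stand-in for a real plugin module such as fs.sshfs.
    (root / "demo_memfs.py").write_text("def open_fs(url):\n    return ('memory fs', url)\n")
    # Minimal .dist-info so importlib.metadata sees an installed project.
    info = root / "demo_memfs-0.1.dist-info"
    info.mkdir()
    (info / "METADATA").write_text("Metadata-Version: 2.1\nName: demo_memfs\nVersion: 0.1\n")
    (info / "entry_points.txt").write_text(f"[{PLUGIN_GROUP}]\nmem = demo_memfs:open_fs\n")
    return str(root)


def demo():
    root = make_fake_plugin(tempfile.mkdtemp())
    sys.path.insert(0, root)  # so EntryPoint.load() can import demo_memfs
    names = discover_entry_points(PLUGIN_GROUP, [root])
    return names, load_plugin(PLUGIN_GROUP, "mem", [root])("mem://")
```

Restricting `search_path` to the interpreter's real `sys.path` (the default when you omit it) is what a package would do in production; passing an explicit list here only keeps the demo hermetic.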