Commit Graph

26 Commits

Author SHA1 Message Date
Vijay Anusuri
6ba8b8a487 python3-setuptools: Fix CVE-2025-47273
Upstream-Status: Backport from d8390feaa9 & 250a6d1797

(From OE-Core rev: 9769cd99c32faf7d95a7cab07b8550b438ccaf0c)

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2025-06-11 08:17:34 -07:00
Soumya Sambu
67aa29393d python3-setuptools: Fix CVE-2024-6345
A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for
remote code execution via its download functions. These functions, which are used to download
packages from URLs provided by users or retrieved from package index servers, are susceptible
to code injection. If these functions are exposed to user-controlled inputs, such as package
URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0.

References:
https://nvd.nist.gov/vuln/detail/CVE-2024-6345

Upstream-patch:
88807c7062

(From OE-Core rev: 468c5a4e12b9d38768b00151c55fd27b2b504f3b)

Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2024-09-09 06:08:10 -07:00
Alexander Kanavin
51460be41f python3-setuptools: upgrade 69.0.3 -> 69.1.1
(From OE-Core rev: a953d88346d4ee93b5669c079586ae27d71552dc)

Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2024-03-07 17:25:02 +00:00
Wang Mingyu
775c1cc08b python3-setuptools: upgrade 69.0.2 -> 69.0.3
0001-_distutils-sysconfig.py-make-it-possible-to-substite.patch
refreshed for 69.0.3

Changelog:
 Retain valid names with underscores in egg_info.

(From OE-Core rev: 47507793764cef763e31bd888754cb8ba7361376)

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2023-12-30 11:03:07 +00:00
Alexander Kanavin
89e98c37ad python3-setuptools: upgrade 68.2.1 -> 68.2.2
(From OE-Core rev: 2adfc774e9db253c36ca6e313a700e06c5ce8456)

Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2023-09-26 10:35:27 +01:00
Wang Mingyu
1bd8ab8ac0 python3-setuptools: upgrade 68.1.2 -> 68.2.1
Changelog:
===========
Features
----------
- Rework how setuptools internally handles dependencies/install_requires and
  optional-dependencies/extras_require. (#3903)
- Improve the generated PKG-INFO files, by adding Requires-Dist fields.
- Improve atomicity when writing PKG-INFO files to avoid race conditions with
  importlib.metadata. (#3904)

Bugfixes
----------
- Fix the name given to the *-nspkg.pth files in editable installs, ensuring
  they are unique per distribution. (#4041)
- Workaround some limitations on pkg_resources-style legacy namespaces in the
  meta path finder for editable installations. (#4041)
- Avoid using caching attributes in Distribution.metadata for requirements.

(From OE-Core rev: 214dcfd3bf088b6b166835ab2727c1d0e0edfc03)

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2023-09-14 09:19:38 +01:00
Wang Mingyu
372321ca4b python3-setuptools: upgrade 68.1.0 -> 68.1.2
0001-conditionally-do-not-fetch-code-by-easy_install.patch
refreshed for new version.

Changelog:
- Fix editable install finder handling of nested packages, by only handling 1
  level of nesting and relying on importlib.machinery to find the remaining
  modules based on the parent package path.

(From OE-Core rev: 27d3e5bc7ea949c4e7691674617cf29c80b3035f)

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2023-09-02 18:23:06 +01:00
Trevor Gamblin
f18cee609b python3-setuptools: upgrade 67.6.1 -> 68.0.0
AUH upgrade failed because the LICENSE checksum no longer matched. This
is because the attribution in the file was removed upstream in v67.8.0.
Patch fuzz also needed to be upgraded for
0001-conditionally-do-not-fetch-code-by-easy_install.patch.

Changelog: https://setuptools.pypa.io/en/stable/history.html

(From OE-Core rev: a248b94dff49b0331bd1e37e594f983fc50b3f0d)

Signed-off-by: Trevor Gamblin <tgamblin@baylibre.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2023-07-14 17:31:05 +01:00
Wang Mingyu
346bf4e814 python3-setuptools: upgrade 67.6.0 -> 67.6.1
Changelog:
==========
 #3865: Fixed _WouldIgnoreField warnings for scripts and gui_scripts, when entry-points is not listed in dynamic.
 #3875: Update code generated by validate-pyproject to use v0.12.2. This should fix default license patterns when pyproject.toml is used.

(From OE-Core rev: 8c8170871cc2ab770fb52bb5ab08a9d723975d68)

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2023-04-13 11:56:07 +01:00
Alexander Kanavin
6b27cafdf1 python3-setuptools: upgrade 67.2.0 -> 67.3.1
(From OE-Core rev: 7863a647088d845dab284b6f50bbcc1f5efe8442)

Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2023-02-20 15:18:30 +00:00
Alexander Kanavin
eef933b7de python3-setuptools: update 65.7.0 -> 67.2.0
Remove patch as file deleted upstream.

(From OE-Core rev: c335d0673167164aa7c519450f63151e4492e3eb)

Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2023-02-09 09:57:24 +00:00
Alexander Kanavin
d50b3785e3 python3-setuptools: upgrade 65.5.1 -> 65.6.3
(From OE-Core rev: 211745a9e3c032b364c7b484df698c8266ec03f9)

Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2023-01-06 12:03:47 +00:00
Alexander Kanavin
7ad4719b51 python3-setuptools: upgrade 65.0.2 -> 65.5.0
(From OE-Core rev: 5dc5d7a8fc657ae34631ad6b48069fc5002d39b0)

Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2022-11-08 22:47:16 +00:00
Alexander Kanavin
5aca6cdb59 python3-setuptools: update 63.4.1 -> 65.0.2
(From OE-Core rev: 1647f6a6123f544a67aa3fb7accce82ba0d21420)

Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2022-08-21 22:51:42 +01:00
Alexander Kanavin
c610953499 python3-setuptools: upgrade 63.3.0 -> 63.4.1
(From OE-Core rev: e87449dba18f14b8596fd99762070f96f395c401)

Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2022-08-10 08:25:28 +01:00
Martin Jansa
6428dcc6f6 python3-setuptools: move patch from 'files' to 'python3-setuptools'
* it's not used by any other recipe AFAIK
* meta-python2 has own copy for python-setuptools there in:
  meta-python2/recipes-devtools/python/python-setuptools/0001-conditionally-do-not-fetch-code-by-easy_install.patch

(From OE-Core rev: 3a5898861337eb4934360ef6ae448896ec061e26)

Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2022-07-25 22:59:01 +01:00
Alexander Kanavin
1f5c35c844 python3-setuptools: update 62.3.2 -> 62.5.0
(From OE-Core rev: 5057ffe70cb1fc114b3143a9e7ce3d15964c68c8)

Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2022-06-22 22:40:28 +01:00
Alexander Kanavin
6343a41684 python3-setuptools: upgrade 59.5.0 -> 62.3.1
This was held by numpy rejecting setuptools >= 60.x,
however it got a workaround in recent point releases
and so the upgrade can proceed.

Drop 0001-_distutils-sysconfig-append-STAGING_LIBDIR-python-sy.patch
as changed code completely removed upstream.

Replicate another distutils/sysconfig.py fix from python recipe via
0001-_distutils-sysconfig.py-make-it-possible-to-substite.patch

Add a tomli build dependency to python3-setuptools-scm as new
setuptools exposes:

|   File "/srv/work/alex/poky/build-64-alt/tmp/work/x86_64-linux/python3-setuptools-scm-native/6.4.2-r0/setuptools_scm-6.4.2/src/setuptools_scm/config.py", line 59, in _lazy_tomli_load
|     from tomli import loads
| ModuleNotFoundError: No module named 'tomli'

(From OE-Core rev: 0907866325fbfb5774e1a3f0ba0cf110d9b9b663)

Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2022-05-20 22:52:22 +01:00
Alexander Kanavin
cd91af372f python3-setuptools: update 58.5.3 -> 59.2.0
(From OE-Core rev: 717e538e70f78d79ba7cec2797024af0dc91aeb0)

Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2021-11-25 21:55:10 +00:00
Tim Orling
aa600e70d9 python3-setuptools: _distutils/sysconfig fix
Add patch to append STAGING_LIBDIR python-sysconfigdata to sys.path so
that packages which set SETUPTOOLS_USE_DISTUTILS='local' cross-compile
properly with python3-setuptools-native.

Fixes:
ModuleNotFoundError: No module named '_sysconfigdata'

References:
https://setuptools.pypa.io/en/latest/deprecated/distutils-legacy.html#porting-from-distutils

(From OE-Core rev: f6fb99c53f779966fc902a629d0a8bbd9f84c6be)

Signed-off-by: Tim Orling <timothy.t.orling@intel.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2021-10-23 17:42:28 +01:00
wangmy
262d2c6b6c python3-setuptools: upgrade 57.0.0 -> 57.1.0
reproducibility.patch
deleted since it's been merged upstream.

v57.1.0
-------

Changes
^^^^^^^
* #2692: Globs are now sorted in 'license_files' restoring reproducibility by eliminating variance from disk order.
* #2714: Update to distutils at pypa/distutils@e2627b7.
* #2715: Removed reliance on deprecated ssl.match_hostname by removing the ssl support. Now any index operations rely on the native SSL implementation.

Documentation changes
^^^^^^^^^^^^^^^^^^^^^
* #2604: Revamped the backward/cross tool compatibility section to remove
  some confusion.
  Add some examples and the version since when ``entry_points`` are
  supported in declarative configuration.
  Tried to make the reading flow a bit leaner, gather some information
  that were a bit dispersed.

(From OE-Core rev: 9720cce06206895e2e85b171d58a289172bb9092)

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2021-07-13 14:27:53 +01:00
Richard Purdie
faf001f022 python3-setuptools: upgrade 56.2.0 -> 57.0.0
Add a patch to fix a reproducibility issue in the new version.

(From OE-Core rev: ea6fffe4f07cfd105f861ad0d2dc7c7605bf9e64)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2021-06-01 14:03:49 +01:00
Alexander Kanavin
407b8e2344 Revert "python3-setuptools: patch entrypoints for faster initialization"
Apologies, but the patch is not possible to rebase onto the new setuptools,
as the code has changed too much. Please get it accepted upstream first.

(From OE-Core rev: f2feb53c967256431f03a07c1b4b9a0d8568d9b5)

Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2020-06-30 23:03:02 +01:00
Trevor Gamblin
5951cbcabe python3-setuptools: patch entrypoints for faster initialization
setuptools' pkg_resources module has major performance issues with how
it loads entry points (e.g. the console_script entry point, which sets
up a module as a command-line executable), leading even the simplest
"hello world" scripts to take on the order of 150ms to run if
pkg_resources is incorporated. This is prohibitive for code that needs
to run quickly, and so we patch setuptools to reduce this time. As of
Python 3.7, importlib.resources is available and intended to replace
much of the functionality that causes this sluggishness, but since
many projects still utilize the legacy setuptools modules, a patch is
still required. Note that python3-fastentrypoints (which is available
in the meta-virtualization layer) is also intended to help alleviate
the problem, but since it must be added to existing projects it has
the same disadvantage as resorting to importlib.resources, requiring
manual additions to existing code to see the performance gains.

The intent here is to patch easy_install to load module entry points
directly with the installed setuptools, rather than importing
pkg_resources and having it search out the entry points itself. This
leads to a drastic performance improvement - the changes in this patch
have been shown to result in load time ~6-8x lower, depending on the
complexity of the code it is tested with. A simple "hello world"
example on core-image-full-cmdline gave these results with and without
the patch:

core-image-full-cmdline, without setuptools ScriptWriter patch:

root@qemux86-64:~# time /usr/bin/minimal
hello world

real    0m0.198s
user    0m0.174s
sys     0m0.023s

core-image-full-cmdline, with setuptools ScriptWriter patch:

root@qemux86-64:~# time /usr/bin/minimal
hello world

real    0m0.034s
user    0m0.024s
sys     0m0.010s

More details on the pkg_resources issue are available at:
https://github.com/pypa/setuptools/issues/510

(From OE-Core rev: 9ff7c2f4a43e28ac6a89045c38effe03063f2061)

Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2020-06-25 10:26:00 +01:00
zangrc
2f63944eaa python3-setuptools: upgrade 45.2.0 -> 47.1.1
(From OE-Core rev: 0e106ae4ced8f51ae4e0acb829a245b9ee02b8ac)

Signed-off-by: Zang Ruochen <zangrc.fnst@cn.fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2020-06-04 13:27:29 +01:00
Changqing Li
90f2ebbb5a python3-setuptools: change shebang to python3
We have officially dropped python2, so it is possible
that our code runs on a python3-only host, so change the
shebang to python3 to avoid errors like:
python: command not found

(From OE-Core rev: c49ea8d5640d984e28ad63919e0b9ee549a4e17f)

Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2020-04-26 14:00:51 +01:00