Merge pull request #4835 from pradyunsg/vendoring/enable-c-libs
Enable vendor C libraries on non-Windows platforms
dstufft authored Mar 30, 2018
2 parents 46ce1bf + bd31672 commit 0007825
Showing 5 changed files with 41 additions and 38 deletions.
1 change: 1 addition & 0 deletions news/4098.bugfix
@@ -0,0 +1 @@
Limit the disabling of requests' pyopenssl to Windows only. Fixes "SNIMissingWarning / InsecurePlatformWarning not fixable with pip 9.0 / 9.0.1" (for non-Windows)
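Review bot: the fragment is phrased in terms of pip internals ("requests' pyopenssl") but it is destined for the user-facing changelog; say what users will observe instead, e.g. that on non-Windows platforms pip's vendored requests once again uses PyOpenSSL (when pyOpenSSL and cryptography are installed) to provide SNI, which is what makes the quoted SNIMissingWarning / InsecurePlatformWarning go away.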
7 changes: 5 additions & 2 deletions src/pip/_internal/download.py
@@ -27,8 +27,10 @@
from pip._vendor.six.moves.urllib import parse as urllib_parse
from pip._vendor.six.moves.urllib import request as urllib_request
from pip._vendor.six.moves.urllib.parse import unquote as urllib_unquote
from pip._vendor.urllib3.util import IS_PYOPENSSL

import pip
from pip._internal.compat import WINDOWS
from pip._internal.exceptions import HashMismatch, InstallationError
from pip._internal.locations import write_delete_marker_file
from pip._internal.models import PyPI
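Review bot: `from pip._internal.compat import WINDOWS` is added in this hunk but nothing in this file's changes uses it; the platform check this PR introduces lives in `src/pip/_vendor/requests/__init__.py`. Unless the rest of the module already references `WINDOWS`, drop the import, otherwise flake8 will report it as unused (F401).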
@@ -48,9 +50,10 @@

try:
import ssl # noqa
HAS_TLS = True
except ImportError:
HAS_TLS = False
ssl = None

HAS_TLS = (ssl is not None) or IS_PYOPENSSL

__all__ = ['get_file_content',
'is_url', 'url_to_path', 'path_to_url',
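Review bot: `IS_PYOPENSSL` is imported by value (`from pip._vendor.urllib3.util import IS_PYOPENSSL` in the hunk above), so `HAS_TLS = (ssl is not None) or IS_PYOPENSSL` captures whatever the flag was when this module was first imported, not its value after `pyopenssl.inject_into_urllib3()` has run in the vendored `requests/__init__.py`. If `download.py` can be imported before `pip._vendor.requests`, the PyOpenSSL case is silently missed; importing the module (`from pip._vendor.urllib3 import util`) and reading `util.IS_PYOPENSSL` at the point of use removes the ordering dependency. Separately, `HAS_TLS` can now be True while `ssl` is `None`, so code guarded by `HAS_TLS` must not dereference `ssl` directly.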
37 changes: 19 additions & 18 deletions src/pip/_vendor/README.rst
@@ -43,30 +43,30 @@ way (via ``install_requires``) for pip. These issues are:

* **Making other libraries uninstallable.** One of pip's current dependencies is
the ``requests`` library, for which pip requires a fairly recent version to run.
If pip dependended on ``requests`` in the traditional manner, then we'd either
have to maintain compatibility with every ``requests`` version that has ever
If pip dependended on ``requests`` in the traditional manner, then we'd either
have to maintain compatibility with every ``requests`` version that has ever
existed (and ever will), OR allow pip to render certain versions of ``requests``
uninstallable. (The second issue, although technically true for any Python
application, is magnified by pip's ubiquity; pip is installed by default in
uninstallable. (The second issue, although technically true for any Python
application, is magnified by pip's ubiquity; pip is installed by default in
Python, in ``pyvenv``, and in ``virtualenv``.)

* **Security.** This might seem puzzling at first glance, since vendoring
* **Security.** This might seem puzzling at first glance, since vendoring
has a tendency to complicate updating dependencies for security updates,
and that holds true for pip. However, given the *other* reasons for avoiding
dependencies, the alternative is for pip to reinvent the wheel itself.
This is what pip did historically. It forced pip to re-implement its own
HTTPS verification routines as a workaround for the Python standard library's
lack of SSL validation, which resulted in similar bugs in the validation routine
and that holds true for pip. However, given the *other* reasons for avoiding
dependencies, the alternative is for pip to reinvent the wheel itself.
This is what pip did historically. It forced pip to re-implement its own
HTTPS verification routines as a workaround for the Python standard library's
lack of SSL validation, which resulted in similar bugs in the validation routine
in ``requests`` and ``urllib3``, except that they had to be discovered and
fixed independently. Even though we're vendoring, reusing libraries keeps pip
fixed independently. Even though we're vendoring, reusing libraries keeps pip
more secure by relying on the great work of our dependencies, *and* allowing for
faster, easier security fixes by simply pulling in newer versions of dependencies.

* **Bootstrapping.** Currently most popular methods of installing pip rely
on pip's self-contained nature to install pip itself. These tools work by bundling
a copy of pip, adding it to ``sys.path``, and then executing that copy of pip.
This is done instead of implementing a "mini installer" (to reduce duplication);
pip already knows how to install a Python package, and is far more battle-tested
on pip's self-contained nature to install pip itself. These tools work by bundling
a copy of pip, adding it to ``sys.path``, and then executing that copy of pip.
This is done instead of implementing a "mini installer" (to reduce duplication);
pip already knows how to install a Python package, and is far more battle-tested
than any "mini installer" could ever possibly be.

Many downstream redistributors have policies against this kind of bundling, and
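Review bot: `dependended` on the rewritten line (`If pip dependended on ``requests`` in the traditional manner, ...`) is still a typo for `depended`; since this hunk already retouches these sentences without changing their wording, correct it here rather than in a follow-up. The remainder of the hunk is whitespace and rewrap only, which is fine, but it would be easier to review as a separate commit from the functional change.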
@@ -92,12 +92,13 @@ such as OS packages.
Modifications
-------------

* ``html5lib`` has been modified to ``import six from pip._vendor``
* ``setuptools`` is completely stripped to only keep ``pkg_resources``
* ``pkg_resources`` has been modified to import its dependencies from ``pip._vendor``
* ``CacheControl`` has been modified to import its dependencies from ``pip._vendor``
* ``packaging`` has been modified to import its dependencies from ``pip._vendor``
* ``requests`` has been modified *not* to optionally load any C dependencies
* ``html5lib`` has been modified to ``import six from pip._vendor``
* ``CacheControl`` has been modified to import its dependencies from ``pip._vendor``
* ``requests`` has been modified to import its other dependencies from ``pip._vendor``
and to *not* load ``simplejson`` (all platforms) and ``pyopenssl`` (Windows).


Automatic Vendoring
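Review bot: the new `requests` bullet says PyOpenSSL is not loaded on Windows but not why, and the code comment that carried the reason ("On Windows this prevents upgrading cryptography") is deleted from `requests/__init__.py` in this same PR. Put the rationale in this bullet, e.g. `... and to *not* load ``pyopenssl`` on Windows, where loading it prevents ``cryptography`` from being upgraded`, so the next person re-vendoring knows the exclusion is deliberate rather than an oversight.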
14 changes: 7 additions & 7 deletions src/pip/_vendor/requests/__init__.py
@@ -80,13 +80,13 @@ def check_compatibility(urllib3_version, chardet_version):
RequestsDependencyWarning)

# Attempt to enable urllib3's SNI support, if possible
# Note: Patched by pip to prevent using the PyOpenSSL module. On Windows this
# prevents upgrading cryptography.
# try:
# from pip._vendor.urllib3.contrib import pyopenssl
# pyopenssl.inject_into_urllib3()
# except ImportError:
# pass
from pip._internal.compat import WINDOWS
if not WINDOWS:
try:
from pip._vendor.urllib3.contrib import pyopenssl
pyopenssl.inject_into_urllib3()
except ImportError:
pass

# urllib3's DependencyWarnings should be silenced.
from pip._vendor.urllib3.exceptions import DependencyWarning
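Review bot: `from pip._internal.compat import WINDOWS` makes a vendored package import pip internals, which inverts the rule the `_vendor/README.rst` hunk in this PR describes (vendored libraries are patched to import their dependencies from `pip._vendor`; nothing points back into `pip._internal`). A stdlib check such as `import sys` followed by `if not sys.platform.startswith("win"):` keeps the vendored tree self-contained and rules out an import cycle should `pip._internal.compat` ever import `requests`. Also, the deleted lines (`# Note: Patched by pip to prevent using the PyOpenSSL module. On Windows this` / `# prevents upgrading cryptography.`) were the only explanation of why Windows is excluded; keep a one-line version of that comment above the `if`.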
20 changes: 9 additions & 11 deletions tasks/vendoring/patches/requests.patch
@@ -21,10 +21,10 @@ index 6336a07d..9582fa73 100644
# Kinda cool, though, right?

diff --git a/src/pip/_vendor/requests/__init__.py b/src/pip/_vendor/requests/__init__.py
index 9c3b769..44f6836 100644
index 9c3b769..36a4ef40 100644
--- a/src/pip/_vendor/requests/__init__.py
+++ b/src/pip/_vendor/requests/__init__.py
@@ -80,11 +80,13 @@
@@ -80,10 +80,12 @@ except (AssertionError, ValueError):
RequestsDependencyWarning)

# Attempt to enable urllib3's SNI support, if possible
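Review bot: the inner hunk header changes from `@@ -80,11 +80,13 @@` to `@@ -80,10 +80,12 @@`, one context line fewer on both sides, although the patch still replaces the same `-` lines with seven `+` lines (seven commented lines before, seven code lines now). Please confirm the stored patch matches the vendored file exactly by running `git apply -R --check tasks/vendoring/patches/requests.patch` from the repository root against this tree (the vendored file is already patched, so the reverse check must pass). Cosmetic: `index 9c3b769..36a4ef40 100644` mixes 7- and 8-character abbreviated ids; the line is informational for a plain `git apply`, but keeping the two consistent avoids confusion.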
@@ -33,17 +33,15 @@ index 9c3b769..44f6836 100644
- pyopenssl.inject_into_urllib3()
-except ImportError:
- pass
+# Note: Patched by pip to prevent using the PyOpenSSL module. On Windows this
+# prevents upgrading cryptography.
+# try:
+# from pip._vendor.urllib3.contrib import pyopenssl
+# pyopenssl.inject_into_urllib3()
+# except ImportError:
+# pass
+from pip._internal.compat import WINDOWS
+if not WINDOWS:
+ try:
+ from pip._vendor.urllib3.contrib import pyopenssl
+ pyopenssl.inject_into_urllib3()
+ except ImportError:
+ pass

# urllib3's DependencyWarnings should be silenced.
from pip._vendor.urllib3.exceptions import DependencyWarning
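Review bot: this patch, not `src/pip/_vendor/requests/__init__.py`, is what survives the next automatic vendoring run, so the explanation dropped here (`+# Note: Patched by pip to prevent using the PyOpenSSL module. On Windows this` / `+# prevents upgrading cryptography.`) needs to come back as a comment line above `+if not WINDOWS:` in this file first. Likewise, whatever import is settled on for the platform check must match the `__init__.py` hunk in this PR byte for byte, or the re-vendored tree will differ from the committed one.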

diff --git a/src/pip/_vendor/requests/compat.py b/src/pip/_vendor/requests/compat.py
index eb6530d..353ec29 100644
--- a/src/pip/_vendor/requests/compat.py
