[24.1] pip install py_find_1st fails with 24.1, whereas 24.0 does not (#12781)
Comments
We did update our tar unpacking logic to rely more on the stdlib implementation to benefit from tarfile data filters (#12214). I don't have access to a development environment so I won't be able to debug this until later today, but for now, you can downgrade pip to 24.0.
FYI I can reproduce with And the exception in question hasn't recently changed: https://github.com/python/cpython/blame/v3.12.4/Lib/tarfile.py#L2725 And Python can extract the tar file: So it's probably related to the filtering feature.
FWIW,
I did a little investigation but didn't have time to post my results. The issue seems to be related to this tar file having a hard link that points from README.md to README. I wasn't able to find another example of a real Python package that had the same problem. It was very likely caused by #12214, if @encukou you want to take a look.
I had the same issue until I ran it using PowerShell as admin. Worked first time.
Getting the same on OSX.
We use pandocfilters==1.4.1 and that exhibits the problem if you need a real-world example of this breaking in the wild!
The pandocfilters 1.4.1 sdist seems to be broken: Note that the target of The same is true of I don't think there's a pip issue here (even though things are reported as working in 24.0, I'd argue that's a bug in 24.0 rather than a regression). Edit: Although on further reflection, this may depend on how a relative target for a hard link in a tar file is meant to be interpreted: as relative to the root of the tarfile, or as relative to the link. I don't know the answer to that, or even if there is a standard answer.
Ah. @henryiii pointed out here that we have a filter with pip-specific behaviour. I suspect the issue is that our filter is checking for symlinks pointing out of the tarfile, but it's using the same logic for hard links, and not taking into account the fact that symlinks are relative to the link itself, whereas hardlinks are relative to the tarfile root (as I noted above). That sounds like a bit of a mess to sort out. @encukou, as the author of that change, can you take a look?
I'll look into it.
Seeing this on an older package.
I have the same issue while installing Freqtrade on Linux Mint.
I've also encountered the same issue when trying to install the py-find-1st package. The error message I receive is:
The temporary workaround of downgrading pip to version 24.0 also resolved the issue for me.
This should be fixed by #12799.
untar_file: remove common leading directory before unpacking
…mak/test/generated-code (#4566): Bumps [pip](https://github.com/pypa/pip) from 24.1.1 to 24.1.2.
Changelog (sourced from [pip's changelog](https://github.com/pypa/pip/blob/main/NEWS.rst)): 24.1.2 (2024-07-07), Bug Fixes: Fix finding hardlink targets in tar files with an ignored top-level directory ([#12781](https://github.com/pypa/pip/issues/12781)).
Bumps [pip](https://github.com/pypa/pip) from 24.1 to 24.1.2.
Changelog (sourced from [pip's changelog](https://github.com/pypa/pip/blob/main/NEWS.rst)):
- 24.1.2 (2024-07-07), Bug Fixes: Fix finding hardlink targets in tar files with an ignored top-level directory ([#12781](https://github.com/pypa/pip/issues/12781)).
- 24.1.1 (2024-06-26), Bug Fixes: Actually use system trust stores when the truststore feature is enabled. Vendored Libraries: Upgrade requests to 2.32.3.
Commits:
- [76e82a4](https://github.com/pypa/pip/commit/76e82a43f8fb04695e834810df64f2d9a2ff6020) Bump for release
- [a56129c](https://github.com/pypa/pip/commit/a56129c58be6608e000d1510341a8e9372b9b4ff) Merge pull request [#12787](https://redirect.github.com/pypa/pip/issues/12787) from mgorny/no-isol-tests
- [41772d8](https://github.com/pypa/pip/commit/41772d8e7c5a6b80a3da3355928d63ffa6ff27cf) Merge pull request [#12799](https://redirect.github.com/pypa/pip/issues/12799) from encukou/gh-12781-tar-hardlink
- [a432c7f](https://github.com/pypa/pip/commit/a432c7f4170b9ef798a15f035f5dfdb4cc939f35) Bump for release
- [a1ae982](https://github.com/pypa/pip/commit/a1ae982bff01c3e625c56081b0a54e0688264cf4) Update AUTHORS.txt
- [300ed75](https://github.com/pypa/pip/commit/300ed75aa50e438c5bf84692964bd9ade81c4916) Upgrade requests to 2.32.3 ([#12784](https://redirect.github.com/pypa/pip/issues/12784))
- [5c389ec](https://github.com/pypa/pip/commit/5c389ec91fa178ec3897f5b9522441f4d3922662) Split up Windows tests relying on urlunparse behaviour ([#12788](https://redirect.github.com/pypa/pip/issues/12788))
- [00c75c4](https://github.com/pypa/pip/commit/00c75c45b36c4b03ff052eb98a1d945910bce29f) Merge pull request [#12773](https://redirect.github.com/pypa/pip/issues/12773) from matthewhughes934/fix-tests-unable-to-cleanup
- [67e2a56](https://github.com/pypa/pip/commit/67e2a5698706751161d8af3dad1dbb8e62bc8cbb) Merge pull request [#12783](https://redirect.github.com/pypa/pip/issues/12783) from pfmoore/rel_doc2
- [a58c20a](https://github.com/pypa/pip/commit/a58c20a39dca0fe587545c899c852dcf3d218bfa) Minor release is the quarter number
- Additional commits viewable in [compare view](https://github.com/pypa/pip/compare/24.1...24.1.2)
24.1.2 (2024-07-07)
===================

Bug Fixes
---------

- Fix finding hardlink targets in tar files with an ignored top-level directory. (`#12781 <https://github.com/pypa/pip/issues/12781>`_)
Description
When installing a package - py_find_1st - the install is failing with pip 24.1 - but works with 24.0. The error happens with
It's unclear to me why this would work in 24.0 - but fail in 24.1.
The package uses a link from readme.md to readme - but I don't think that's disallowed?
```
~ tar tzvpf py_find_1st-1.1.6.tar.gz
drwxr-xr-x roebel/staff    0 2023-10-28 18:01 py_find_1st-1.1.6/
-rw-r--r-- roebel/staff 7156 2023-10-28 17:15 py_find_1st-1.1.6/LONG_DESCR
-rw-r--r-- roebel/staff 8020 2023-10-28 18:01 py_find_1st-1.1.6/PKG-INFO
-rw-r--r-- roebel/staff 6896 2023-10-28 17:15 py_find_1st-1.1.6/README
hrw-r--r-- roebel/staff    0 2023-10-28 17:15 py_find_1st-1.1.6/README.md link to py_find_1st-1.1.6/README
-rw-r--r-- roebel/staff  159 2021-02-02 13:17 py_find_1st-1.1.6/pyproject.toml
-rw-r--r-- roebel/staff   34 2023-10-28 17:54 py_find_1st-1.1.6/requirements.txt
-rw-r--r-- roebel/staff   40 2019-06-28 23:32 py_find_1st-1.1.6/setup.cfg
-rw-r--r-- roebel/staff 6570 2023-10-28 17:54 py_find_1st-1.1.6/setup.py
drwxr-xr-x roebel/staff    0 2023-10-28 18:01 py_find_1st-1.1.6/test/
-rwxr-xr-x roebel/staff 1856 2023-10-28 17:10 py_find_1st-1.1.6/test/test_find_1st.py
drwxr-xr-x roebel/staff    0 2023-10-28 18:01 py_find_1st-1.1.6/utils_find_1st/
-rw-r--r-- roebel/staff  305 2023-10-28 18:01 py_find_1st-1.1.6/utils_find_1st/__init__.py
-rw-r--r-- roebel/staff 5475 2019-08-04 17:17 py_find_1st-1.1.6/utils_find_1st/find_1st.cpp
```
The changelog doesn't indicate something that would break like this ... unless I've missed that point?
Expected behavior
Works on 24.0 and 24.1
pip version
24.1
Python version
3.12
OS
ubuntu
How to Reproduce
```
apt install build-essential
pip install pip==24.1
pip install py_find_1st  # Notice it failing
pip install pip==24.0
pip install py_find_1st
```
Output
Code of Conduct