Upgrade workstation-bootstrap packages #501

Merged
merged 2 commits into from
Aug 14, 2024
Conversation

legoktm
Member

@legoktm legoktm commented Jul 22, 2024

Motivated by CVE-2024-6345 in setuptools. But just upgrading setuptools forces upgrades of pip, which in turn requires a newer packaging, which then needs a newer flit-core. But that is then incompatible with pep517, so upgrade build to drop that dependency.

Upgraded packages:

  • setuptools 54.0.0 -> 70.3.0
  • setuptools-scm 5.0.2 -> 8.1.0
  • pip 21.3.1 -> 24.1.2
  • packaging 20.9 -> 24.1
  • flit-core 2.3.0 -> 3.9.0
  • build 0.3.0 -> 1.2.1
    • colorama is skipped; it isn't a hard dependency and is only needed for Windows anyway
    • pep517 0.9.1 -> pyproject_hooks 1.1.0 (package was kind of renamed)

Dropped dependencies:

  • pyparsing
  • pytoml
  • toml

Fixes #500.

Diff reviews

Assuming all the diff reviews from freedomofpress/securedrop#7205 are completed, we additionally need to review:

legoktm added 2 commits July 22, 2024 13:24
Motivated by CVE-2024-6345 in `setuptools`. But just upgrading
`setuptools` forces upgrades of `pip`, which in turn requires a newer
`packaging`, which then needs a newer `flit-core`. But that is then
incompatible with `pep517`, so upgrade `build` to drop that dependency.

Upgraded packages:
* setuptools 54.0.0 -> 70.3.0
* setuptools-scm 5.0.2 -> 8.1.0
* pip 21.3.1 -> 24.1.2
* packaging 20.9 -> 24.1
* flit-core 2.3.0 -> 3.9.0
* build 0.3.0 -> 1.2.1
  * colorama is skipped; it isn't a hard dependency and is only needed for
    Windows anyway
  * pep517 0.9.1 -> pyproject_hooks 1.1.0 (package was kind of renamed)

Dropped dependencies:
* pyparsing
* pytoml
* toml

Fixes #500.
Needed because of minor metadata changes, e.g.
<#500 (comment)>.
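A bump like this is only done once the bootstrap environment actually contains the new pins and none of the dropped packages. The following is an added example, not code from the securedrop-builder project: it parses `pip freeze`-style output and checks it against the expected pins and dropped packages listed in the PR description. The `pip freeze` text is constructed for illustration, the version comparison handles only plain dotted release numbers (an assumption that is sufficient for these pins, not a full PEP 440 implementation), and treating `pep517` as dropped follows from the description's statement that `build` was upgraded to remove that dependency.

```python
"""Audit a pinned bootstrap environment against an expected set of package pins.

Added example; not code from the securedrop-builder project. The expected pins and
dropped packages are taken from the PR description; the `pip freeze` output is
constructed for illustration.
"""
import re

# Expected pins after this PR (from the PR description).
EXPECTED_PINS = {
    "setuptools": "70.3.0",
    "setuptools-scm": "8.1.0",
    "pip": "24.1.2",
    "packaging": "24.1",
    "flit-core": "3.9.0",
    "build": "1.2.1",
    "pyproject-hooks": "1.1.0",
}

# Packages the PR drops (pep517 is replaced by pyproject_hooks); none should remain.
DROPPED = {"pep517", "pyparsing", "pytoml", "toml"}


def normalize_name(name):
    """PEP 503 normalization: lower-case, runs of '-', '_' and '.' become one dash."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(version):
    """Return a comparable tuple for a plain release version such as '70.3.0'.

    Assumption: only dotted numeric release segments occur (true for these pins).
    Trailing zero segments are stripped so that '24.1' compares equal to '24.1.0'.
    """
    parts = [int(p) for p in version.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def parse_freeze(text):
    """Parse 'name==version' lines (pip freeze format) into {normalized name: version}."""
    installed = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)==([0-9][0-9.]*)$", line)
        if not m:
            raise ValueError(f"unrecognized requirement line: {line!r}")
        installed[normalize_name(m.group(1))] = m.group(2)
    return installed


def audit(installed, expected=EXPECTED_PINS, dropped=DROPPED):
    """Report pins below the expected version, missing pins, and leftover dropped packages."""
    findings = {"outdated": {}, "missing": [], "dropped_still_present": []}
    for name, want in expected.items():
        have = installed.get(normalize_name(name))
        if have is None:
            findings["missing"].append(name)
        elif parse_version(have) < parse_version(want):
            findings["outdated"][name] = (have, want)
    for name in sorted(dropped):
        if normalize_name(name) in installed:
            findings["dropped_still_present"].append(name)
    return findings


# Constructed `pip freeze` output: setuptools not yet bumped, and toml left behind.
SAMPLE_FREEZE = """\
setuptools==54.0.0
setuptools_scm==8.1.0
pip==24.1.2
packaging==24.1
flit_core==3.9.0
build==1.2.1
pyproject_hooks==1.1.0
toml==0.10.2
"""

if __name__ == "__main__":
    result = audit(parse_freeze(SAMPLE_FREEZE))
    for name, (have, want) in result["outdated"].items():
        print(f"OUTDATED  {name}: {have} < {want}")
    for name in result["missing"]:
        print(f"MISSING   {name}")
    for name in result["dropped_still_present"]:
        print(f"LEFTOVER  {name} should have been removed")
```

Name normalization matters here because the same package shows up as `setuptools-scm`, `setuptools_scm` or `setuptools.scm` depending on which tool emitted the name; comparing raw strings would silently miss a pin. On the constructed input the audit flags `setuptools` as outdated and `toml` as a leftover of the dropped set.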
legoktm added a commit to freedomofpress/securedrop-client that referenced this pull request Jul 22, 2024
@rocodes
Contributor

rocodes commented Jul 24, 2024

I will start tomorrow with the bottom of this list (pyproject_hooks) and work upwards, but may only get through 1 tomorrow depending on support load (and size of diff).

@legoktm
Member Author

legoktm commented Aug 12, 2024

Discussion during last week's standup (or team meeting, I don't remember), was that reviewing pip (the last remaining review needed) is not worth it because of how large it is and how central it is to Python. @zenmonkeykstop was going to do some more historical research and put together a proposal. Now that we have most/all of the team back, I'll do a vibe check in standup if we're okay not reviewing pip and moving forward with this before the formal proposal.

@legoktm legoktm marked this pull request as ready for review August 12, 2024 22:33
@legoktm
Member Author

legoktm commented Aug 12, 2024

Consensus today is that we're OK not having a diff review for pip to land this, so this is now ready for review with a proper proposal to follow.

@cfm cfm self-assigned this Aug 14, 2024
Member

@cfm cfm left a comment

Thanks for the detailed write-up, @legoktm. I've confirmed that make reprotest passes locally.

@cfm cfm added this pull request to the merge queue Aug 14, 2024
Merged via the queue into main with commit 696631a Aug 14, 2024
6 checks passed
@cfm cfm deleted the setuptools-bump branch August 14, 2024 18:44
Successfully merging this pull request may close these issues.

Upgrade setuptools for CVE-2024-6345
3 participants