[tor-commits] [bridgedb/develop] Check envvar before using easy_install to install setup.py requires.

isis at torproject.org
Wed Mar 25 09:49:42 UTC 2015


commit d035fe64d85b12e6dbc5ebb23093e876f83b6d0a
Author: Isis Lovecruft <isis at torproject.org>
Date:   Mon Mar 23 03:00:26 2015 +0000

    Check envvar before using easy_install to install setup.py requires.
    
    If there is an environment variable BRIDGEDB_INSTALL_DEPENDENCIES=0,
    then the setup.py script will not use easy_install to install
    dependencies.  The default when using `make install` is to avoid using
    easy_install; the default when calling `python setup.py install` is to
    use easy_install.
    
    Until now, on BridgeDB's production server, `echo > requirements.txt`
    was run to avoid allowing easy_install to search for dependencies.  This
    removes the need to do that.  We shouldn't be erasing the
    requirements.txt file anymore, because it is kept under revision control
    and versioneer (which uses `git describe --tags --dirty --always` to
    dynamically determine the BridgeDB package version at install time) will
    add '-dirty' to the end of the version number if we change anything in
    the repo.  Adding '-dirty' to the package version causes it to be
    invalid according to PEP440, causing other random failures such as the
    inability to discover scripts and packaged data which pkg_resources.
---
 Makefile |    4 ++--
 setup.py |   13 ++++++++++++-
 2 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/Makefile b/Makefile
index 8b6358b..c6c0442 100644
--- a/Makefile
+++ b/Makefile
@@ -22,11 +22,11 @@ pyflakes:
 
 install:
 	-python setup.py compile_catalog
-	python setup.py install --record installed-files.txt
+	BRIDGEDB_INSTALL_DEPENDENCIES=0	python setup.py install --record installed-files.txt
 
 force-install:
 	-python setup.py compile_catalog
-	python setup.py install --force --record installed-files.txt
+	BRIDGEDB_INSTALL_DEPENDENCIES=0	python setup.py install --force --record installed-files.txt
 
 uninstall:
 	touch installed-files.txt
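Review bot: In both the `install` and `force-install` recipes the value 0 is hard-coded in front of the command, so an exported BRIDGEDB_INSTALL_DEPENDENCIES in the caller's environment or `make install BRIDGEDB_INSTALL_DEPENDENCIES=1` is silently overridden, and there is no way to opt back in through make. Consider setting the default once near the top of the Makefile with `BRIDGEDB_INSTALL_DEPENDENCIES ?= 0` and `export BRIDGEDB_INSTALL_DEPENDENCIES`, leaving the recipe lines as they were, and adding a one-line comment there explaining why the default is 0. The separator between the assignment and `python` is also a tab rather than a space; it works in the shell, but a single space is the usual form.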
diff --git a/setup.py b/setup.py
index 5e5de39..9402071 100644
--- a/setup.py
+++ b/setup.py
@@ -264,8 +264,19 @@ class runTests(setuptools.Command):
             sys.path = old_path
 
 
+# If there is an environment variable BRIDGEDB_INSTALL_DEPENDENCIES=0, it will
+# disable checking for, fetching, and installing BridgeDB's dependencies with
+# easy_install.
+#
+# Setting BRIDGEDB_INSTALL_DEPENDENCIES=0 is *highly* recommended, because
+# easy_install is a security nightmare.  Automatically installing dependencies
+# is enabled by default, however, because this is how all Python packages are
+# supposed to work.
+if bool(int(os.environ.get("BRIDGEDB_INSTALL_DEPENDENCIES", 1))):
+    requires, deplinks = get_requirements()
+else:
+    requires, deplinks = [], []
 
-requires, deplinks = get_requirements()
 
 setuptools.setup(
     name='bridgedb',
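Review bot: `bool(int(os.environ.get("BRIDGEDB_INSTALL_DEPENDENCIES", 1)))` raises ValueError for any value that is not an integer literal (an empty string, `false`, `no`), so a mistyped setting aborts setup.py with a traceback instead of a clear message. Since the comment above it calls disabling highly recommended, parse the value explicitly: catch the ValueError and either exit with an error that names the variable or fall back to `requires, deplinks = [], []`, so that a malformed value never ends up enabling easy_install. The outer `bool()` is redundant inside an `if`, and the comment could state the accepted values, since as written any non-zero integer (including `-1` or `2`) enables dependency installation.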




