On 2026-02-09 15:08:06 +0000 (+0000), Stephen Finucane wrote: [...]
I missed the fact that pip uses build isolation by default, which means it creates a custom venv with build dependencies installed before installing a package. Those build dependencies are not capped by default.
I have proposed a follow-up [1] to address this. However, I don't know if this will be sufficient since tools like tox also install packages and the devstack `pip_install` function obviously does not affect those. I don't currently have a good idea how to resolve these issues, since the only constraints mechanism we have for build-time dependencies is the `build-system.requires` setting in `pyproject.toml`. While we could pin setuptools for openstack projects on old stable branches (tedious though it would be), we are likely to run into chicken-and-egg cross-dependency problems that prevent us actually merging these fixes and, worse, we have no way to fix non-OpenStack dependencies. [...]
Yes, in the past we considered it impossible to effectively pin SetupTools everywhere for essentially that reason (or related ones, like tools vendoring newer versions of it themselves). The emergence of pyproject.toml has changed that calculus more recently, but obviously only for projects/branches/versions where it's used already. -- Jeremy Stanley
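The thread above notes that build-isolation dependencies are only constrained by `build-system.requires` in `pyproject.toml`, and that a missing pin on an old stable branch goes unnoticed until a new setuptools release breaks the build. The following audit script is an added example written for this page; it is not code from the thread, from devstack, or from any OpenStack project. It parses a `pyproject.toml`, reports which build requirements lack an upper bound, and treats a missing `[build-system]` table as pip's legacy fallback (`setuptools>=40.8.0`, with older pip versions also adding `wheel`), which is itself uncapped. The sample `pyproject.toml` texts, the version ranges in them, and the function names are all constructed for illustration.

```python
"""Audit build-backend pins in a pyproject.toml (hypothetical helper, not from the thread)."""
import re

try:
    import tomllib  # standard library on Python 3.11+
except ModuleNotFoundError:  # pragma: no cover
    import tomli as tomllib  # type: ignore  # drop-in for older interpreters

# What pip installs into its isolated build env when pyproject.toml has no
# [build-system] table (assumption based on pip's documented legacy behaviour;
# older pip releases also added "wheel"). Note that it is uncapped.
PIP_LEGACY_BUILD_REQUIRES = ["setuptools>=40.8.0"]

# Any of these operators bounds the version from above; ">=", ">" and "!=" do not.
_UPPER_BOUND = re.compile(r"(<|==|~=|===)")


def split_requirement(req):
    """Return (normalized name, specifier) for a PEP 508 string.

    Extras and environment markers are dropped; only the version clause matters
    for deciding whether the build dependency is capped.
    """
    req = req.split(";", 1)[0].strip()
    m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*(.*)$", req)
    if not m:
        raise ValueError(f"unparseable requirement: {req!r}")
    return m.group(1).lower().replace("_", "-"), m.group(3).strip()


def is_capped(specifier):
    """True if the specifier contains an upper bound or an exact pin."""
    return bool(_UPPER_BOUND.search(specifier))


def audit_build_requires(pyproject_text):
    """Return [(raw requirement, name, capped?)] for the build-isolation deps."""
    data = tomllib.loads(pyproject_text)
    requires = data.get("build-system", {}).get("requires")
    if requires is None:
        # pip falls back to its own defaults: nothing on the branch controls them.
        requires = PIP_LEGACY_BUILD_REQUIRES
    results = []
    for req in requires:
        name, spec = split_requirement(req)
        results.append((req, name, is_capped(spec)))
    return results


def uncapped_build_requires(pyproject_text):
    """Just the requirements an uncapped newer release could silently replace."""
    return [raw for raw, _name, capped in audit_build_requires(pyproject_text)
            if not capped]


# Constructed sample inputs (not taken from any real project or branch).
UNCAPPED_SAMPLE = """
[build-system]
requires = ["pbr>=2.0.0", "setuptools>=64"]
build-backend = "setuptools.build_meta"
"""

CAPPED_SAMPLE = """
[build-system]
requires = ["pbr>=2.0.0,<7", "setuptools>=64,<70"]
build-backend = "setuptools.build_meta"
"""

NO_BUILD_SYSTEM_SAMPLE = """
[project]
name = "example"
"""

if __name__ == "__main__":
    for label, text in (("uncapped", UNCAPPED_SAMPLE),
                        ("capped", CAPPED_SAMPLE),
                        ("no [build-system]", NO_BUILD_SYSTEM_SAMPLE)):
        for raw, name, capped in audit_build_requires(text):
            status = "ok" if capped else "UNCAPPED"
            print(f"{label:18} {name:12} {raw!r:28} {status}")
```

Run it against the `pyproject.toml` of each stable branch you care about (for example via `git show <branch>:pyproject.toml`) to see which projects still rely on an uncapped backend; it only reports what the file declares, and it cannot see build dependencies that a tool such as tox installs on its own or that a backend vendors.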