[OpenStack-Infra] [zuul-jobs] configure-mirrors: deprecate mirroring configuration for easy_install

Paul Belanger pabelanger at redhat.com
Mon Nov 25 13:38:55 UTC 2019


On Mon, Nov 25, 2019 at 04:02:13PM +1100, Ian Wienand wrote:
> Hello,
> 
> Today I force-merged [5] to avoid widespread gate breakage.  Because
> the change is in zuul-jobs, we have a policy of announcing
> deprecations.  I've written the following but not sent it to
> zuul-announce (per policy) yet, as I'm not 100% confident in the
> explanation.
> 
> I'd appreciate it if, once proof-read, someone could send it out
> (modified or otherwise).
> 
> Thanks,
> 
Greetings!

Rather than force merge, and potentially break other zuul installs, what
about a new feature flag that was still enabled but had openstack base
jobs disabled?  This would still allow older versions of setuptools to
work I would guess?

That said, ansible Zuul is not affected as we currently fork
configure-mirrors for our open purposes; I'll check now that we are also
not affected.

> -i
> 
> --
> 
> Hello,
> 
> The recent release of setuptools 42.0.0 has broken the method used by
> the configure-mirrors role to ensure easy_install (the older method of
> installing packages, before pip became in widespread use [1]) would only
> access the PyPI mirror.
> 
> The prior mirror setup code would set the "allow_hosts" whitelist to
> the mirror host exclusively in pydistutils.cfg.  This would avoid
> easy_install "leaking" access outside the specified mirror.
> 
> Change [2] in setuptools means that pip is now used to fetch packages.
> Since it does not implement the constraints of the "allow_hosts"
> setting, specifying this option has become an error condition.  This
> is reported as:
> 
>  the `allow-hosts` option is not supported 'when using pip to install requirements
> 
> It has been pointed out [3] that this prior code would break any
> dependency_links [4] that might be specified for the package (as the
> external URLs will not match the whitelist).  Overall, there is no
> desire to work-around this behaviour as easy_install is considered
> deprecated for any current use.
> 
> In short, this means the only solution is to remove the now
> conflicting configuration from pydistutils.cfg.  Due to the urgency of
> this update, it has been merged with [5] before our usual 2-week
> deprecation notice.
> 
> The result of this is that older setuptools (perhaps in a virtualenv)
> with jobs still using easy_install may not correctly access the
> specified mirror.  Assuming jobs have access to PyPI they would still
> work, although without the benefits of a local mirror.  If such jobs
> are firewalled from upstream they may now fail.  We consider the
> chance of jobs using this legacy install method in this situation to
> be very low.
> 
> Please contact zuul-discuss [6] with any concerns.
> 
> We now return you to your regularly scheduled programming :)
> 
> [1] https://packaging.python.org/discussions/pip-vs-easy-install/
> [2] https://github.com/pypa/setuptools/commit/d6948c636f5e657ac56911b71b7a459d326d8389
> [3] https://github.com/pypa/setuptools/issues/1916
> [4] https://python-packaging.readthedocs.io/en/latest/dependencies.html
> [5] https://review.opendev.org/695821
> [6] http://lists.zuul-ci.org/cgi-bin/mailman/listinfo/zuul-discuss
> 
> 
> _______________________________________________
> OpenStack-Infra mailing list
> OpenStack-Infra at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-infra
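
Added example, not part of the original thread and not code from the zuul-jobs role: a check that other Zuul installs (or forks of configure-mirrors) could run against a pydistutils.cfg to find the host whitelist that setuptools 42.0.0 rejects and drop it while keeping the mirror index. The `[easy_install]` section layout, the `index_url` line and the hostnames in the sample are constructed assumptions; both the `allow_hosts` and `allow-hosts` spellings from the thread are matched.

```python
import configparser
import io

# Constructed sample of a mirror-pinned pydistutils.cfg (hostnames are placeholders).
SAMPLE_CFG = """\
[easy_install]
index_url = https://mirror.example.org/pypi/simple
allow_hosts = mirror.example.org
"""


def _normalise(option):
    # distutils treats '-' and '_' in option names as equivalent.
    return option.strip().lower().replace("-", "_")


def _parse(cfg_text):
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(cfg_text)
    return parser


def find_allow_hosts(cfg_text):
    """Return (section, option, value) for every host-whitelist entry."""
    parser = _parse(cfg_text)
    hits = []
    for section in parser.sections():
        for option, value in parser.items(section):
            if _normalise(option) == "allow_hosts":
                hits.append((section, option, value))
    return hits


def strip_allow_hosts(cfg_text):
    """Return the config text with the whitelist removed, other options kept."""
    parser = _parse(cfg_text)
    for section, option, _ in find_allow_hosts(cfg_text):
        parser.remove_option(section, option)
    out = io.StringIO()
    parser.write(out)
    return out.getvalue()


if __name__ == "__main__":
    for section, option, value in find_allow_hosts(SAMPLE_CFG):
        print(f"[{section}] {option} = {value}  (rejected by setuptools >= 42.0.0)")
    print(strip_allow_hosts(SAMPLE_CFG), end="")
```

After the whitelist is removed nothing restricts easy_install to the mirror host, so the hosts reported by `find_allow_hosts` are worth comparing against the job's egress firewall rules.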



