Stop using distro setuptools and easy_install

distro setuptools is old and should never be touched if you're going to install things from pip. easy_install is insecure and open to MITM attacks. Downloading get-pip.py over https and running it will install modern pip and setuptools on the system and is the preferred method for installing pip in all cases. Change-Id: I1bf88f018806142ca639f3c183598b318636e61d
2015-10-04 13:06:31 -04:00 · 2015-10-04 13:06:31 -04:00 · c4636fe436
parent c505c409d2
commit c4636fe436
2 changed files with 22 additions and 19 deletions
--- a/scripts/env-setup.sh
+++ b/scripts/env-setup.sh
@ -15,23 +15,12 @@ if [ -x '/usr/bin/apt-get' ]; then
    if ! $(git --version &>/dev/null) ; then
        sudo -H apt-get -y install git
    fi
-    # To install python packages, we need pip.
-    #
-    # We can't use the apt packaged version of pip since
-    # older versions of pip are incompatible with
-    # requests, one of our indirect dependencies (bug 1459947).
-    #
-    # So we use easy_install to install pip.
-    #
-    # But we may not have easy_install; if that's the case,
-    # our bootstrap's bootstrap is to use apt to install
-    # python-setuptools to get easy_install.
-    if ! $(easy_install --version &>/dev/null) ; then
-        sudo -H apt-get -y install python-setuptools
-    fi
    if ! $(dpkg -l libpython-dev &>/dev/null); then
        sudo -H apt-get -y install libpython-dev
    fi
+    if ! $(dpkg -l wget &>/dev/null); then
+        sudo -H apt-get -y install wget
+    fi
 elif [ -x '/usr/bin/yum' ]; then
    if ! yum -q list installed python-devel; then
        sudo -H yum -y install python-devel
@ -42,13 +31,20 @@ elif [ -x '/usr/bin/yum' ]; then
    if ! $(git --version &>/dev/null); then
        sudo -H yum -y install git
    fi
+    if ! $(wget --version &>/dev/null); then
+        sudo -H yum -y install wget
+    fi
 else
    echo "ERROR: Supported package manager not found.  Supported: apt,yum"
 fi

-if ! $(pip -v &>/dev/null); then
-       sudo easy_install pip
-fi
+# To install python packages, we need pip.
+#
+# We can't use the apt packaged version of pip since
+# older versions of pip are incompatible with
+# requests, one of our indirect dependencies (bug 1459947).
+wget -O /tmp/get-pip.py https://bootstrap.pypa.io/get-pip.py
+sudo python /tmp/get-pip.py

 sudo -E pip install -r "$(dirname $0)/../requirements.txt"

--- a/tools/vagrant_dev_env/vagrant.yml
+++ b/tools/vagrant_dev_env/vagrant.yml
@ -15,10 +15,17 @@
           cache_valid_time=86400
      when: ansible_distribution == 'Ubuntu'

-    - name: Install easy_install
-      apt: name=python-setuptools state=present
+    - name: Make sure distro setuptools is not there
+      apt: name=python-setuptools state=absent
      when: ansible_distribution == 'Ubuntu'

+    - name: Download get-pip
+      get_url: https://bootstrap.pypa.io/get-pip.py
+      dest: /tmp/get-pip.py
+
+    - name: Install pip
+      shell: python /tmp/get-pip.py
+
    - name: Install python-dev
      apt: name=python-dev state=present
      when: ansible_distribution == 'Ubuntu'