From c4636fe436f1714d9d0913dc6bcd83dae7299f0d Mon Sep 17 00:00:00 2001
From: Monty Taylor
Date: Sun, 4 Oct 2015 13:06:31 -0400
Subject: [PATCH] Stop using distro setuptools and easy_install

distro setuptools is old and should never be touched if you're going to install things from pip. easy_install is insecure and open to MITM attacks. Downloading get-pip.py over https and running it will install modern pip and setuptools on the system and is the preferred method for installing pip in all cases.

Change-Id: I1bf88f018806142ca639f3c183598b318636e61d
---
 scripts/env-setup.sh | 30 +++++++++++++-----------------
 tools/vagrant_dev_env/vagrant.yml | 11 +++++++++--
 2 files changed, 22 insertions(+), 19 deletions(-)

diff --git a/scripts/env-setup.sh b/scripts/env-setup.sh
index 7ef9a9840..aeace4c36 100755
--- a/scripts/env-setup.sh
+++ b/scripts/env-setup.sh
@@ -15,23 +15,12 @@ if [ -x '/usr/bin/apt-get' ]; then
 if ! $(git --version &>/dev/null) ; then
 sudo -H apt-get -y install git
 fi
- # To install python packages, we need pip.
- #
- # We can't use the apt packaged version of pip since
- # older versions of pip are incompatible with
- # requests, one of our indirect dependencies (bug 1459947).
- #
- # So we use easy_install to install pip.
- #
- # But we may not have easy_install; if that's the case,
- # our bootstrap's bootstrap is to use apt to install
- # python-setuptools to get easy_install.
- if ! $(easy_install --version &>/dev/null) ; then
- sudo -H apt-get -y install python-setuptools
- fi
 if ! $(dpkg -l libpython-dev &>/dev/null); then
 sudo -H apt-get -y install libpython-dev
 fi
+ if ! $(dpkg -l wget &>/dev/null); then
+ sudo -H apt-get -y install wget
+ fi
 elif [ -x '/usr/bin/yum' ]; then
 if ! yum -q list installed python-devel; then
 sudo -H yum -y install python-devel
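Review bot: The new `dpkg -l wget` test in the apt branch is a weak installed-check, because dpkg -l can also exit 0 for a package that was removed but still has configuration files recorded; in that case wget is never installed and the later get-pip download fails. The yum branch of this commit probes the binary instead, and doing the same here keeps the two branches consistent: `if ! command -v wget >/dev/null 2>&1; then`. Wrapping the probe in `$( … )` while discarding its output is unnecessary, though it matches the neighbouring lines, so that part is only a style remark. The if/elif chain this sits in starts and ends outside the hunk.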
@@ -42,13 +31,20 @@ elif [ -x '/usr/bin/yum' ]; then
 if ! $(git --version &>/dev/null); then
 sudo -H yum -y install git
 fi
+ if ! $(wget --version &>/dev/null); then
+ sudo -H yum -y install wget
+ fi
 else
 echo "ERROR: Supported package manager not found. Supported: apt,yum"
 fi
-if ! $(pip -v &>/dev/null); then
- sudo easy_install pip
-fi
+# To install python packages, we need pip.
+#
+# We can't use the apt packaged version of pip since
+# older versions of pip are incompatible with
+# requests, one of our indirect dependencies (bug 1459947).
+wget -O /tmp/get-pip.py https://bootstrap.pypa.io/get-pip.py
+sudo python /tmp/get-pip.py
 sudo -E pip install -r "$(dirname $0)/../requirements.txt"
diff --git a/tools/vagrant_dev_env/vagrant.yml b/tools/vagrant_dev_env/vagrant.yml
index 503a9e425..0082c76d8 100644
--- a/tools/vagrant_dev_env/vagrant.yml
+++ b/tools/vagrant_dev_env/vagrant.yml
@@ -15,10 +15,17 @@
 cache_valid_time=86400
 when: ansible_distribution == 'Ubuntu'
- - name: Install easy_install
- apt: name=python-setuptools state=present
+ - name: Make sure distro setuptools is not there
+ apt: name=python-setuptools state=absent
 when: ansible_distribution == 'Ubuntu'
+ - name: Download get-pip
+ get_url: https://bootstrap.pypa.io/get-pip.py
+ dest: /tmp/get-pip.py
+
+ - name: Install pip
+ shell: python /tmp/get-pip.py
+
 - name: Install python-dev
 apt: name=python-dev state=present
 when: ansible_distribution == 'Ubuntu'
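Review bot: The download-then-run pair at the end of this hunk writes to the fixed path `/tmp/get-pip.py` and then executes it with sudo, and the lines shown do not check wget's exit status. Because /tmp is shared, a file already at that name (left by an earlier run or created by another local account) can be what root executes if the download fails or the file changes between the two commands. A private directory from `mktemp -d` plus an explicit failure check, as sketched below, closes that window; the sketch assumes the script is executed rather than sourced. HTTPS authenticates the server but the script content is still unpinned, so comparing the file against a known SHA-256 before running it would be a further hardening step (no digest appears on this page, so none is proposed). The same fixed path is used by the get_url and shell tasks in tools/vagrant_dev_env/vagrant.yml.

```shell
# … unchanged: comment block explaining why the apt-packaged pip is not used …
get_pip_dir=$(mktemp -d) || exit 1
trap 'rm -rf -- "${get_pip_dir}"' EXIT
wget -O "${get_pip_dir}/get-pip.py" https://bootstrap.pypa.io/get-pip.py || exit 1
sudo python "${get_pip_dir}/get-pip.py" || exit 1
# … unchanged: sudo -E pip install -r requirements.txt …
```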
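Review bot: The new "Download get-pip" task looks malformed: `get_url:` is given the URL as a bare value with `dest:` on the following line, whereas the module expects a `url` parameter alongside `dest`. Indentation is not recoverable from this page, but in either layout no `url=` is passed, so the task would likely fail before pip is installed. Using the key=value form that the neighbouring apt tasks already use would fix it: `get_url: url=https://bootstrap.pypa.io/get-pip.py dest=/tmp/get-pip.py`. The "Install pip" task also re-runs get-pip.py on every provision; if that is not intended, a guard such as a `creates=` argument on the shell task would make it idempotent.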