
pip does not detect circular build dependency #4983


Closed
ghost opened this issue Jan 21, 2018 · 5 comments · Fixed by #4987
Labels
type: bug A confirmed bug or unintended behavior
Comments

@ghost

ghost commented Jan 21, 2018

  • Pip version: 10.0.devel
  • Python version: any
  • Operating system: any

What I've run:

pip install pip-forkbomb-test

Curiously, the problem is most severe on solid-state drives where there is minimal lag time, so the processes multiply quickly.

@pradyunsg pradyunsg added type: bug A confirmed bug or unintended behavior !release blocker Hold a release until this is resolved type: security Has potential security implications labels Jan 22, 2018
@pradyunsg pradyunsg added this to the 10.0 milestone Jan 22, 2018
@pradyunsg
Member

Relevant part:

[build-system]
requires = ["pip-forkbomb-test"]

I'd call this a release blocker.

@alex
Member

alex commented Jan 23, 2018

I don't think this should be a release blocker -- a package which wants to can already forkbomb you via setup.py, or by python code that you'll shortly import.

@pfmoore
Member

pfmoore commented Jan 23, 2018

I think I agree. Is there a realistic reason to assume (given that setuptools and wheel are available as universal wheels, so pip will never try to build them from source even on systems where they are not already present) that this could come about by accident, as opposed to via explicitly constructed malicious code?

@ghost
Author

ghost commented Jan 23, 2018

Note: gh-4987 resolves this issue. I don't have a position on whether this should be a release blocker (I was previously of a different opinion), but I don't see additional discussion on this issue as being helpful because it's already addressed in that PR.

@pradyunsg
Member

Oh, right. We still have code execution. XD

I was imagining happier days.
I imagine it would be possible that someone ends up with a potential build cycle and there I think it deserves an error message instead of a fork bomb. =)

Not a blocker though.
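
A defensive check for the failure mode discussed in this thread, added here as an illustration and not pip's own code or the fix in #4987: it walks a package's `[build-system] requires` graph before any build is started and reports a cycle as an error instead of recursing into it. The package table `BUILD_REQUIRES` and the function names are constructed for this example.

```python
from typing import Dict, List, Optional, Set

# Constructed sample metadata (not a real index lookup): each key is a
# package, each value its PEP 518 [build-system] requires list.
BUILD_REQUIRES: Dict[str, List[str]] = {
    "pip-forkbomb-test": ["pip-forkbomb-test"],  # self-cycle from the report
    "libA": ["libB"],
    "libB": ["libC"],
    "libC": ["libA"],                            # indirect cycle A->B->C->A
    "good-pkg": ["setuptools", "wheel"],
    "setuptools": [],                            # assume both ship as wheels
    "wheel": [],
}


def find_build_cycle(root: str, requires: Dict[str, List[str]]) -> Optional[List[str]]:
    """Depth-first walk of build requirements. Returns the first cycle as a
    path (e.g. ['libA', 'libB', 'libC', 'libA']) or None if acyclic. A package
    already on the current build stack is a cycle, not a new build to start."""
    stack: List[str] = []      # packages whose build is "in progress"
    on_stack: Set[str] = set()
    done: Set[str] = set()     # fully explored, known acyclic

    def visit(pkg: str) -> Optional[List[str]]:
        if pkg in on_stack:
            return stack[stack.index(pkg):] + [pkg]
        if pkg in done:
            return None
        stack.append(pkg)
        on_stack.add(pkg)
        for dep in requires.get(pkg, []):
            cycle = visit(dep)
            if cycle:
                return cycle
        stack.pop()
        on_stack.discard(pkg)
        done.add(pkg)
        return None

    return visit(root)


def check_before_build(root: str, requires: Dict[str, List[str]]) -> str:
    """Refuse with an error message instead of recursing into the cycle."""
    cycle = find_build_cycle(root, requires)
    if cycle is None:
        return f"ok: build requirements of {root} are acyclic"
    return "error: circular build dependency: " + " -> ".join(cycle)
```

Packages missing from the table are treated as having no build requirements, which is the right default for dependencies that are satisfied by a wheel.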

@pradyunsg pradyunsg removed type: security Has potential security implications !release blocker Hold a release until this is resolved labels Jan 24, 2018
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 15, 2021