Michael Gmelin wrote:
> This is a tricky situation because not every consumer can use the latest setuptools, not least due to various breaking functional changes. Even after we finish the latest effort of the setuptools effort (massive is an understatement), there will probably still be a need to keep older versions around.
>
> Hi,
> This probably affects a large number of python ports which won't build due to the vulnerability in the build dependency.
As for this specific vulnerability, it is not exploitable given how we (ports) build Python packages, since the affected mechanism is setuptools' own PyPI fetching mechanism, which we do not use (we have our own do-fetch via fetch(1) et al.). Further, the source file this was found in is an already deprecated module, package_index, whose about-only consumer is another deprecated entry point, easy_install. We don't use those in ports either. And even in the case of a Python virtual environment, the system Python packages are not used by default, and pip will download the latest setuptools if needed.
In all, this vuxml entry was not added or reviewed by the python@ team, especially not for applicability to actual use cases.
-- 
Charlie Li
...nope, still don't have an exit line.