> On 6. Jun 2026, at 19:56, Charlie Li <[email protected]> wrote:
>
> Michael Gmelin wrote:
>> Hi,
>> This probably affects a large number of python ports which won't build
>> due to the vulnerability in the build dependency.
>
> This is a tricky situation because not every consumer can use the latest
> setuptools, not least due to various breaking functional changes. Even after
> we finish the latest effort of the setuptools effort (massive is an
> understatement), there will probably still be a need to keep older versions
> around.
>
> As for this specific vulnerability, it is not exploitable to how we (ports)
> build Python packages, since the affected mechanism is setuptools's own PyPI
> fetching mechanism which we do not use (we have our own do-fetch via fetch(1)
> et al). Further, the source file this was found in is an already deprecated
> module package_index, about whose only consumer is another deprecated entry
> point easy_install. We don't use those in ports either. And even in the case
> of a Python virtual environment, the system Python packages are not used by
> default, and pip will download the latest setuptools if needed.
>
> In all, this vuxml entry was not added or reviewed by the python@ team,
> especially not for applicability to actual use cases.
>
Almost figured that by the tone of the commit message.

Would it be reasonable to patch all the versions of setuptools we have in use (I didn't look at the details of the vulnerability to understand how complex such a fix would be)?

Cheers
