diff --git a/.kokoro/docker/Dockerfile b/.kokoro/docker/Dockerfile
index ba9af12a93..28aeb113f0 100644
--- a/.kokoro/docker/Dockerfile
+++ b/.kokoro/docker/Dockerfile
@@ -65,6 +65,9 @@ RUN apt-get update \
 uuid-dev \
 wget \
 zlib1g-dev \
+ # Remove `python3-setuptools` since the installed version
+ # does not include a patch for CVE-2025-47273/CVE-2025-47273.
+ && apt-get remove -y python3-setuptools \
 && apt-get clean autoclean \
 && apt-get autoremove -y \
 && rm -rf /var/lib/apt/lists/* \
@@ -116,7 +119,7 @@ RUN set -ex \
 && export GNUPGHOME="$(mktemp -d)" \
 && echo "disable-ipv6" >> "${GNUPGHOME}/dirmngr.conf" \
 && /tmp/fetch_gpg_keys.sh \
- && for PYTHON_VERSION in 2.7.18 3.7.17 3.8.20 3.9.20 3.10.15 3.11.10 3.12.7 3.13.0; do \
+ && for PYTHON_VERSION in 2.7.18 3.7.17 3.8.20 3.9.23 3.10.18 3.11.13 3.12.11 3.13.5; do \
 wget --no-check-certificate -O python-${PYTHON_VERSION}.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz" \
 && wget --no-check-certificate -O python-${PYTHON_VERSION}.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc" \
 && gpg --batch --verify python-${PYTHON_VERSION}.tar.xz.asc python-${PYTHON_VERSION}.tar.xz \
@@ -144,7 +147,7 @@ RUN set -ex \
 # Install pip on Python 3.10 only.
 # If the environment variable is called "PIP_VERSION", pip explodes with
 # "ValueError: invalid truth value ''"
-ENV PYTHON_PIP_VERSION 21.3.1
+ENV PYTHON_PIP_VERSION 23.1.2
 RUN wget --no-check-certificate -O /tmp/get-pip-3-7.py 'https://bootstrap.pypa.io/pip/3.7/get-pip.py' \
 && wget --no-check-certificate -O /tmp/get-pip-3-8.py 'https://bootstrap.pypa.io/pip/3.8/get-pip.py' \
 && wget --no-check-certificate -O /tmp/get-pip.py 'https://bootstrap.pypa.io/get-pip.py' \
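Review bot: The comment added in the `apt-get` hunk cites `CVE-2025-47273/CVE-2025-47273`, the same identifier twice, so if a second advisory was meant it is not recorded; the two comment blocks added in the `@@ -176,17 +179,37 @@` hunk repeat the duplicate. I would reduce it to the one id the page supports, `# does not include a patch for CVE-2025-47273.`, or substitute the intended second id. Separately, nothing visible asserts that the package stays absent: a later `apt-get install` that depends on `python3-setuptools` would bring the unpatched version back without failing the build, so a check near the end of the Dockerfile that the package is not installed would make the removal durable. The `RUN` instruction starts before and continues after this hunk.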
@@ -164,7 +167,7 @@ RUN python3.11 /tmp/get-pip.py
 RUN python3.9 /tmp/get-pip.py
 RUN python3.8 /tmp/get-pip-3-8.py
 RUN python3.7 /tmp/get-pip-3-7.py
-RUN rm /tmp/get-pip.py
+RUN rm /tmp/get-pip.py /tmp/get-pip-3-8.py /tmp/get-pip-3-7.py
 
 # Test Pip
 RUN python3 -m pip
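Review bot: The widened `RUN rm` is its own layer, so the three bootstrap scripts are only hidden in the final filesystem and still ship in the layer where `wget` wrote them. The deletion only takes effect if the download, the per-interpreter `get-pip` runs and the `rm` share one `RUN` instruction. Those scripts are also fetched with `wget --no-check-certificate` (context of the previous hunk) and, as far as the visible lines show, executed without a checksum or signature check, unlike the CPython tarballs that get `gpg --verify`. Dropping the flag, e.g. `wget -O /tmp/get-pip.py 'https://bootstrap.pypa.io/get-pip.py'`, and comparing each file against a pinned SHA-256 before running it would close that gap.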
@@ -176,17 +179,37 @@ RUN python3.11 -m pip
 RUN python3.12 -m pip
 RUN python3.13 -m pip
 
-# Install "setuptools" for Python 3.12+ (see https://docs.python.org/3/whatsnew/3.12.html#distutils)
-RUN python3.12 -m pip install --no-cache-dir setuptools
-RUN python3.13 -m pip install --no-cache-dir setuptools
+# Remove setuptools installations for Python 2.7, 3.7, 3.8
+# since there is no fix for CVE-2025-47273/CVE-2025-47273.
+# See https://github.com/python/cpython/issues/135374#issuecomment-2963361124
+RUN for PYTHON_VERSION in 2.7 3.7 3.8; do \
+ /usr/local/bin/python${PYTHON_VERSION} -m pip \
+ uninstall -y \
+ setuptools \
+ ; done
+
+# Install/upgrade setuptools installations for Python 3.9, 3.10 and 3.11
+# for CVE-2025-47273/CVE-2025-47273.
+# See https://github.com/python/cpython/issues/135374#issuecomment-2963361124
+# Also install "setuptools" for Python 3.12+ since it's not included automatically
+# (see https://docs.python.org/3/whatsnew/3.12.html#distutils)
+COPY requirements.txt /requirements.txt
+
+RUN for PYTHON_VERSION in 3.9 3.10 3.11 3.12 3.13; do \
+ /usr/local/bin/python${PYTHON_VERSION} -m pip \
+ install \
+ --no-cache-dir \
+ --require-hashes \
+ -r /requirements.txt \
+ ; done && rm /requirements.txt
 
 # Install "virtualenv", since the vast majority of users of this image will want it.
 RUN pip install --no-cache-dir virtualenv
 
 # Setup Cloud SDK
-ENV CLOUD_SDK_VERSION 502.0.0
-# Use system python for cloud sdk.
-ENV CLOUDSDK_PYTHON python3.10
+ENV CLOUD_SDK_VERSION 528.0.0
+# Use python 3.12 for cloud sdk.
+ENV CLOUDSDK_PYTHON python3.12
 RUN wget https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-sdk-$CLOUD_SDK_VERSION-linux-x86_64.tar.gz
 RUN tar xzf google-cloud-sdk-$CLOUD_SDK_VERSION-linux-x86_64.tar.gz
 RUN /google-cloud-sdk/install.sh
diff --git a/.kokoro/docker/requirements.in b/.kokoro/docker/requirements.in
new file mode 100644
index 0000000000..7861640ec0
--- /dev/null
+++ b/.kokoro/docker/requirements.in
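Review bot: Both new `for` loops in the `@@ -176,17 +179,37 @@` hunk can report success when pip failed for one of the interpreters, because a shell loop's exit status is that of its last iteration only. A failed `uninstall` under 2.7 or 3.7, or a failed hashed install under 3.9 to 3.12, would leave the vulnerable setuptools in place while the build stays green. `set -e` would not help in the second loop, since it is ignored on the left of `&&`, so I would fail inside the body instead: `setuptools || exit 1 \` and `-r /requirements.txt || exit 1 \`. The unchanged `RUN pip install --no-cache-dir virtualenv` that follows is neither pinned nor hash-checked, and virtualenv normally seeds new environments with its own bundled setuptools, so it is worth confirming that it does not reintroduce an unpatched copy for the interpreters just cleaned.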
@@ -0,0 +1,3 @@
+# See https://github.com/python/cpython/issues/135374#issuecomment-2963361124
+# for the reason that setuptools 79.0.1 is used for Python 3.9, 3.10 and 3.11
+setuptools==79.0.1
diff --git a/.kokoro/docker/requirements.txt b/.kokoro/docker/requirements.txt
new file mode 100644
index 0000000000..cdf3f57a89
--- /dev/null
+++ b/.kokoro/docker/requirements.txt
@@ -0,0 +1,26 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+#
+# This file is autogenerated by pip-compile with Python 3.9
+# by the following command:
+#
+# pip-compile --allow-unsafe --generate-hashes requirements.in
+#
+
+# The following packages are considered to be unsafe in a requirements file:
+setuptools==79.0.1 \
+ --hash=sha256:128ce7b8f33c3079fd1b067ecbb4051a66e8526e7b65f6cec075dfc650ddfa88 \
+ --hash=sha256:e147c0549f27767ba362f9da434eab9c5dc0045d5304feb602a0af001089fc51
+ # via -r requirements.in