
fix: upgrade setuptools to 79.0.1 in python-samples-testing-docker #13468

Draft
wants to merge 6 commits into
base: main
41 changes: 32 additions & 9 deletions .kokoro/docker/Dockerfile
Expand Up @@ -65,6 +65,9 @@ RUN apt-get update \
uuid-dev \
wget \
zlib1g-dev \
# Remove `python3-setuptools` since the installed version
# does not include a patch for CVE-2025-47273/CVE-2025-47273.
&& apt-get remove -y python3-setuptools \
&& apt-get clean autoclean \
&& apt-get autoremove -y \
&& rm -rf /var/lib/apt/lists/* \
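Review bot: The added comment above `apt-get remove -y python3-setuptools` cites "CVE-2025-47273/CVE-2025-47273", the same identifier twice. If two advisories are meant, name the second one; otherwise cite the single CVE once, so the reason for the removal can be looked up. The comment could also point to the later step that reinstalls setuptools per interpreter, since after this line the distro package is gone from the image.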
Expand Down Expand Up @@ -116,7 +119,7 @@ RUN set -ex \
&& export GNUPGHOME="$(mktemp -d)" \
&& echo "disable-ipv6" >> "${GNUPGHOME}/dirmngr.conf" \
&& /tmp/fetch_gpg_keys.sh \
&& for PYTHON_VERSION in 2.7.18 3.7.17 3.8.20 3.9.20 3.10.15 3.11.10 3.12.7 3.13.0; do \
&& for PYTHON_VERSION in 2.7.18 3.7.17 3.8.20 3.9.23 3.10.18 3.11.13 3.12.11 3.13.5; do \
wget --no-check-certificate -O python-${PYTHON_VERSION}.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz" \
&& wget --no-check-certificate -O python-${PYTHON_VERSION}.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc" \
&& gpg --batch --verify python-${PYTHON_VERSION}.tar.xz.asc python-${PYTHON_VERSION}.tar.xz \
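Review bot: The new versions on the `for PYTHON_VERSION in` line are still downloaded by the two `wget --no-check-certificate` lines below it, so `gpg --batch --verify` is the only integrity check on the 3.9.23 to 3.13.5 tarballs. Since this list is being touched anyway, drop `--no-check-certificate` for the python.org downloads and confirm that `/tmp/fetch_gpg_keys.sh` imports the keys that signed the new releases. 2.7.18, 3.7.17 and 3.8.20 stay in the list unchanged; a short comment saying they are kept deliberately would help, given that a later hunk removes setuptools from exactly those interpreters.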
Expand Down Expand Up @@ -144,7 +147,7 @@ RUN set -ex \
# Install pip on Python 3.10 only.
# If the environment variable is called "PIP_VERSION", pip explodes with
# "ValueError: invalid truth value '<VERSION>'"
ENV PYTHON_PIP_VERSION 21.3.1
ENV PYTHON_PIP_VERSION 23.1.2
RUN wget --no-check-certificate -O /tmp/get-pip-3-7.py 'https://bootstrap.pypa.io/pip/3.7/get-pip.py' \
&& wget --no-check-certificate -O /tmp/get-pip-3-8.py 'https://bootstrap.pypa.io/pip/3.8/get-pip.py' \
&& wget --no-check-certificate -O /tmp/get-pip.py 'https://bootstrap.pypa.io/get-pip.py' \
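Review bot: `ENV PYTHON_PIP_VERSION 23.1.2` gives no reason for choosing 23.1.2, and the comment above it still says pip is installed "on Python 3.10 only" while this hunk downloads three different get-pip scripts. State in the comment which interpreters the pin applies to and why this version was picked, and prefer the `ENV PYTHON_PIP_VERSION=23.1.2` form over the legacy space-separated one. The three get-pip downloads also run with `--no-check-certificate` and no hash or signature check, which is weaker than the `--require-hashes` install this PR adds further down.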
Expand All @@ -164,7 +167,7 @@ RUN python3.11 /tmp/get-pip.py
RUN python3.9 /tmp/get-pip.py
RUN python3.8 /tmp/get-pip-3-8.py
RUN python3.7 /tmp/get-pip-3-7.py
RUN rm /tmp/get-pip.py
RUN rm /tmp/get-pip.py /tmp/get-pip-3-8.py /tmp/get-pip-3-7.py

# Test Pip
RUN python3 -m pip
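Review bot: `RUN rm /tmp/get-pip.py /tmp/get-pip-3-8.py /tmp/get-pip-3-7.py` runs in its own layer, so the three scripts are hidden from the final filesystem but still stored in the layer created by the earlier `wget` step. If the goal is to keep them out of the image, download, run and delete them inside a single `RUN`; if the goal is only tidiness, use `rm -f` so a later change to the download list cannot fail the build here.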
Expand All @@ -176,17 +179,37 @@ RUN python3.11 -m pip
RUN python3.12 -m pip
RUN python3.13 -m pip

# Install "setuptools" for Python 3.12+ (see https://docs.python.org/3/whatsnew/3.12.html#distutils)
RUN python3.12 -m pip install --no-cache-dir setuptools
RUN python3.13 -m pip install --no-cache-dir setuptools
# Remove setuptools installations for Python 2.7, 3.7, 3.8
# since there is no fix for CVE-2025-47273/CVE-2025-47273.
# See https://github.com/python/cpython/issues/135374#issuecomment-2963361124
RUN for PYTHON_VERSION in 2.7 3.7 3.8; do \
/usr/local/bin/python${PYTHON_VERSION} -m pip \
uninstall -y \
setuptools \
; done

# Install/upgrade setuptools installations for Python 3.9, 3.10 and 3.11
# for CVE-2025-47273/CVE-2025-47273.
# See https://github.com/python/cpython/issues/135374#issuecomment-2963361124
# Also install "setuptools" for Python 3.12+ since it's not included automatically
# (see https://docs.python.org/3/whatsnew/3.12.html#distutils)
COPY requirements.txt /requirements.txt

RUN for PYTHON_VERSION in 3.9 3.10 3.11 3.12 3.13; do \
/usr/local/bin/python${PYTHON_VERSION} -m pip \
install \
--no-cache-dir \
--require-hashes \
-r /requirements.txt \
; done && rm /requirements.txt

# Install "virtualenv", since the vast majority of users of this image will want it.
RUN pip install --no-cache-dir virtualenv

# Setup Cloud SDK
ENV CLOUD_SDK_VERSION 502.0.0
# Use system python for cloud sdk.
ENV CLOUDSDK_PYTHON python3.10
ENV CLOUD_SDK_VERSION 528.0.0
# Use python 3.12 for cloud sdk.
ENV CLOUDSDK_PYTHON python3.12
RUN wget https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-sdk-$CLOUD_SDK_VERSION-linux-x86_64.tar.gz
RUN tar xzf google-cloud-sdk-$CLOUD_SDK_VERSION-linux-x86_64.tar.gz
RUN /google-cloud-sdk/install.sh
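Review bot: Nothing after the two setuptools loops checks the result, and the unchanged `RUN pip install --no-cache-dir virtualenv` that follows them is unpinned and unhashed, so the build never proves that 2.7, 3.7 and 3.8 end up without setuptools and that 3.9 to 3.13 end up on the hashed version. Add a final loop that fails the build when `python${PYTHON_VERSION} -m pip show setuptools` succeeds on the three old interpreters or reports a different version on the others, and place it after the virtualenv install. The comments in both loops repeat "CVE-2025-47273/CVE-2025-47273"; cite the identifier once or name the second advisory. The `CLOUD_SDK_VERSION` bump to 528.0.0 and the switch of `CLOUDSDK_PYTHON` to python3.12 at the end of the hunk are not covered by the PR title and carry no rationale; explain them in the description or move them to their own change.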
3 changes: 3 additions & 0 deletions .kokoro/docker/requirements.in
@@ -0,0 +1,3 @@
# See https://github.com/python/cpython/issues/135374#issuecomment-2963361124
# for the reason that setuptools 79.0.1 is used for Python 3.9, 3.10 and 3.11
setuptools==79.0.1
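Review bot: The comment says setuptools 79.0.1 is used "for Python 3.9, 3.10 and 3.11", but the Dockerfile loop in this PR installs the compiled requirements on 3.9, 3.10, 3.11, 3.12 and 3.13. Update the comment to list all five interpreters, and add the `pip-compile --allow-unsafe --generate-hashes requirements.in` command here so the next person to bump the pin regenerates requirements.txt with hashes.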
26 changes: 26 additions & 0 deletions .kokoro/docker/requirements.txt
@@ -0,0 +1,26 @@
# Copyright 2025 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
#
# This file is autogenerated by pip-compile with Python 3.9
# by the following command:
#
# pip-compile --allow-unsafe --generate-hashes requirements.in
#

# The following packages are considered to be unsafe in a requirements file:
setuptools==79.0.1 \
--hash=sha256:128ce7b8f33c3079fd1b067ecbb4051a66e8526e7b65f6cec075dfc650ddfa88 \
--hash=sha256:e147c0549f27767ba362f9da434eab9c5dc0045d5304feb602a0af001089fc51
# via -r requirements.in
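Review bot: The header records that this lock file was generated "by pip-compile with Python 3.9", yet the Dockerfile installs it with `--require-hashes` on 3.9 through 3.13. That works while `setuptools==79.0.1` is the only entry, but any future requirement whose resolution differs by interpreter version will be locked for 3.9 only; note that constraint next to the pin or compile one file per interpreter. The license block sits above the autogenerated banner, so a plain rerun of pip-compile will drop it; document how the header is restored after regeneration.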