Bug 1179756

Summary: python3-base: Inconsistent file versions for ensurepip / setuptools / pip
Product: [openSUSE] openSUSE Distribution
Reporter: Frank Kühndel <frank.kuehndel>
Component: Other
Assignee: Matej Cepl <mcepl>
Status: RESOLVED DUPLICATE
QA Contact: E-mail List <qa-bugs>
Severity: Normal
Priority: P2 - High
CC: andreas.taschner, dmueller, ftake, glenbarney, mcepl
Version: Leap 15.2
Flags: glenbarney: needinfo? (mcepl)
Target Milestone: ---
Hardware: x86-64
OS: openSUSE Leap 15.2
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Frank Kühndel 2020-12-08 10:32:40 UTC
In package python3-base-3.6.12-lp152.4.9.1.x86_64.rpm:

The file /usr/lib64/python3.6/ensurepip/__init__.py contains these version numbers:

    _SETUPTOOLS_VERSION = "40.6.2"

    _PIP_VERSION = "18.1"

Yet, the directory /usr/lib64/python3.6/ensurepip/_bundled/ contains files with different version numbers:

    pip-20.2.3-py2.py3-none-any.whl
    setuptools-44.1.1-py2.py3-none-any.whl

How to reproduce:

$ python3.6 -m ensurepip --default-pip
Traceback (most recent call last):
  File "/usr/lib64/python3.6/runpy.py", line 193, in _run_module_as_main
    "__main__", mod_spec)
  File "/usr/lib64/python3.6/runpy.py", line 85, in _run_code
    exec(code, run_globals)
  File "/usr/lib64/python3.6/ensurepip/__main__.py", line 5, in <module>
    sys.exit(ensurepip._main())
  File "/usr/lib64/python3.6/ensurepip/__init__.py", line 204, in _main
    default_pip=args.default_pip,
  File "/usr/lib64/python3.6/ensurepip/__init__.py", line 99, in _bootstrap
    "_bundled/{}".format(wheel_name),
  File "/usr/lib64/python3.6/pkgutil.py", line 634, in get_data
    return loader.get_data(resource_name)
  File "<frozen importlib._bootstrap_external>", line 832, in get_data
FileNotFoundError: [Errno 2] No such file or directory: '/usr/lib64/python3.6/ensurepip/_bundled/setuptools-40.6.2-py2.py3-none-any.whl'

(In my case, the above is needed to use a Python Virtual Environment. The above simplified command results from a call `python3 -m venv env`.)

The following is a workaround which reduces the error to a warning. It works in my case but it may not work for you because it finds other working versions of pip and setuptools on my machine:

root # cd /usr/lib64/python3.6/ensurepip/_bundled
root # ln -s pip-20.2.3-py2.py3-none-any.whl pip-18.1-py2.py3-none-any.whl
root # ln -s setuptools-44.1.1-py2.py3-none-any.whl setuptools-40.6.2-py2.py3-none-any.whl
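
The mismatch reported above can be checked mechanically, as in this added example, which is not part of the original report or of the python3-base package. It compares the versions declared in ensurepip/__init__.py with the wheel file names in _bundled/; the function names and the sample data are constructed here from the values quoted in the report.

```python
import re
from pathlib import Path

# ensurepip/__init__.py declares the wheels it expects, e.g. _PIP_VERSION = "18.1"
DECL_RE = re.compile(r'^_(SETUPTOOLS|PIP)_VERSION\s*=\s*["\']([^"\']+)["\']', re.M)
# Wheel names are {project}-{version}-{python tag}-{abi tag}-{platform tag}.whl
WHEEL_RE = re.compile(r'^(pip|setuptools)-([^-]+)-.+\.whl$')


def declared_versions(init_source):
    """Map project name -> version that ensurepip will try to load."""
    return {name.lower(): ver for name, ver in DECL_RE.findall(init_source)}


def bundled_versions(filenames):
    """Map project name -> set of versions present among the wheel file names."""
    found = {}
    for filename in filenames:
        match = WHEEL_RE.match(filename)
        if match:
            found.setdefault(match.group(1), set()).add(match.group(2))
    return found


def find_mismatches(init_source, filenames):
    """Return (project, declared, bundled) for each declared wheel that is absent."""
    bundled = bundled_versions(filenames)
    return [(project, want, sorted(bundled.get(project, ())))
            for project, want in sorted(declared_versions(init_source).items())
            if want not in bundled.get(project, ())]


def check_installed(ensurepip_dir):
    """Check a real tree; symlinks are judged by the wheel they point to."""
    root = Path(ensurepip_dir)
    names = [p.resolve().name for p in (root / "_bundled").iterdir()]
    return find_mismatches((root / "__init__.py").read_text(), names)


# Constructed sample mirroring the values quoted in the report above.
SAMPLE_INIT = '_SETUPTOOLS_VERSION = "40.6.2"\n\n_PIP_VERSION = "18.1"\n'
SAMPLE_BUNDLED = ["pip-20.2.3-py2.py3-none-any.whl",
                  "setuptools-44.1.1-py2.py3-none-any.whl"]

if __name__ == "__main__":
    for project, want, have in find_mismatches(SAMPLE_INIT, SAMPLE_BUNDLED):
        print(f"{project}: ensurepip expects {want}, bundled wheel(s): {have}")
```

Because check_installed resolves symlinks before reading the file name, a tree patched with the symlink workaround is still reported as mismatched; an empty list means the declared and bundled versions agree.
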
Comment 1 Glen Barney 2020-12-11 21:52:40 UTC
Just wanted to confirm that this bug is real, and is impacting us as well.  This is on OpenSuSE 15.2 as of 12/11/2020 with all patches/updates installed.

> rpm -q python3 python3-base
python3-3.6.12-lp152.4.9.1.x86_64
python3-base-3.6.12-lp152.4.9.1.x86_64

The workaround provided works for me, and does not even generate a warning.

z3152:~ # cd /usr/lib64/python3.6/ensurepip/_bundled

z3152:/usr/lib64/python3.6/ensurepip/_bundled # l
total 1900
drwxr-xr-x 2 root root    4096 Dec  6 20:19 ./
drwxr-xr-x 4 root root    4096 Dec  6 20:19 ../
-rw-r--r-- 1 root root 1350933 Dec  2 15:17 pip-20.2.3-py2.py3-none-any.whl
-rw-r--r-- 1 root root  583190 Dec  2 15:17 setuptools-44.1.1-py2.py3-none-any.whl

z3152:/usr/lib64/python3.6/ensurepip/_bundled # ln -s pip-20.2.3-py2.py3-none-any.whl pip-18.1-py2.py3-none-any.whl

z3152:/usr/lib64/python3.6/ensurepip/_bundled # ln -s setuptools-44.1.1-py2.py3-none-any.whl setuptools-40.6.2-py2.py3-none-any.whl

z3152:/usr/lib64/python3.6/ensurepip/_bundled # l
total 1900
drwxr-xr-x 2 root root    4096 Dec 11 13:46 ./
drwxr-xr-x 4 root root    4096 Dec  6 20:19 ../
lrwxrwxrwx 1 root root      31 Dec 11 13:46 pip-18.1-py2.py3-none-any.whl -> pip-20.2.3-py2.py3-none-any.whl
-rw-r--r-- 1 root root 1350933 Dec  2 15:17 pip-20.2.3-py2.py3-none-any.whl
lrwxrwxrwx 1 root root      38 Dec 11 13:46 setuptools-40.6.2-py2.py3-none-any.whl -> setuptools-44.1.1-py2.py3-none-any.whl
-rw-r--r-- 1 root root  583190 Dec  2 15:17 setuptools-44.1.1-py2.py3-none-any.whl

After applying the two symlinks, 
> python3 -m venv venv
runs on my clean install without any errors or warnings.
Comment 2 Glen Barney 2020-12-15 01:33:07 UTC
All -

This problem just started to manifest itself on our openSUSE 15.1 servers as well, where it had not been observed before.  A recent patch in zypper upgraded those servers to 3.6.12, and introduced the same problem with venv creation previously reported on 15.2.

The problem is *not* present on Tumbleweed (checking 20201209) which has python3 version 3.8.6 on it... but has now regressed backwards into 15.1 as mentioned.
Comment 3 Matej Cepl 2020-12-17 17:36:49 UTC
This bug is a duplicate of bug 1180140.

*** This bug has been marked as a duplicate of bug 1180140 ***
Comment 4 Glen Barney 2020-12-17 17:57:05 UTC
I am getting a "You are not authorized to access bug #1180140. " message when I try to link to that bug.  Can someone please open that bug up and make it visible and accessible?  This bug is preventing our development work and is critical to us.  Thank you.
Comment 5 OBSbugzilla Bot 2020-12-17 18:14:06 UTC
This is an autogenerated message for OBS integration:
This bug (1179756) was mentioned in
https://build.opensuse.org/request/show/856737 Factory / python36
Comment 7 Swamp Workflow Management 2021-02-19 17:16:04 UTC
SUSE-SU-2021:0529-1: An update that solves two vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1176262,1179756,1180686,1181126
CVE References: CVE-2019-20916,CVE-2021-3177
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Development Tools 15-SP2 (src):    python3-core-3.6.12-3.75.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    python3-3.6.12-3.75.1, python3-core-3.6.12-3.75.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Swamp Workflow Management 2021-02-23 02:14:27 UTC
openSUSE-SU-2021:0331-1: An update that solves two vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1176262,1179756,1180686,1181126
CVE References: CVE-2019-20916,CVE-2021-3177
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    python3-3.6.12-lp152.4.17.1, python3-core-3.6.12-lp152.4.17.1, python3-documentation-3.6.12-lp152.4.17.1
Comment 12 Swamp Workflow Management 2021-03-19 21:17:37 UTC
SUSE-SU-2021:0887-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 1179756,1182379
CVE References: CVE-2021-23336
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 12-SP5 (src):    python36-3.6.13-4.36.1, python36-core-3.6.13-4.36.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 13 OBSbugzilla Bot 2021-10-06 14:44:26 UTC
This is an autogenerated message for OBS integration:
This bug (1179756) was mentioned in
https://build.opensuse.org/request/show/923499 Factory / python36
Comment 14 OBSbugzilla Bot 2021-10-22 08:44:30 UTC
This is an autogenerated message for OBS integration:
This bug (1179756) was mentioned in
https://build.opensuse.org/request/show/926876 Factory / python36