Removal of wheels deleting more than the data files

I discovered a quite serious bug in wheels (http://bugs.python.org/issue27317).
When specifying an empty list for the list of data_files in a given directory, the entire directory is being deleted on uninstall of the wheel, even if it contained other resources from other packages.
Example:
    from setuptools import setup
    setup(name='remover', data_files=[('share/plugins', [])])
The expected behavior is that only the specified list of files is removed (which is empty in that case).
When the list is not empty, the behavior is the one expected. For example,
    from setuptools import setup
    setup(name='remover', data_files=[('share/plugins', ['foobar.json'])])
will only remove `foobar.json` on uninstall and the `plugins` directory will not be removed if it is not empty.
Thanks,
Sylvain

FYI, this could probably be a security issue with wheel: a wheel package that has an empty list of data files in any important subdirectory of sys.prefix can delete all the content of that directory upon uninstall or update.
Thanks,
Sylvain
On Wed, Jun 15, 2016 at 11:30 AM, Sylvain Corlay <sylvain.corlay@gmail.com> wrote:
> I discovered a quite serious bug in wheels (http://bugs.python.org/issue27317).
> When specifying an empty list for the list of data_files in a given directory, the entire directory is being deleted on uninstall of the wheel, even if it contained other resources from other packages.
> Example:
>     from setuptools import setup
>     setup(name='remover', data_files=[('share/plugins', [])])
> The expected behavior is that only the specified list of files is removed (which is empty in that case).
> When the list is not empty, the behavior is the one expected. For example,
>     from setuptools import setup
>     setup(name='remover', data_files=[('share/plugins', ['foobar.json'])])
> will only remove `foobar.json` on uninstall and the `plugins` directory will not be removed if it is not empty.
> Thanks,
> Sylvain

It looks like this is a pip and setuptools bug. I was only able to reproduce by running "pip install ." in the package directory, in which case 'remover-0.0.0-py2.7.egg-info/installed-files.txt' contains:
    ../../share/plugins
    dependency_links.txt
    PKG-INFO
    SOURCES.txt
    top_level.txt
Installing in this way, pip has invoked 'setup.py install' for us. Uninstall will remove share/plugins and its contents but not share.
However, running 'setup.py bdist_wheel' and then installing said wheel leaves no record of '../share/plugins' in 'remover-0.0.0.dist-info/RECORD'.
On Mon, Jun 20, 2016 at 12:56 PM Sylvain Corlay <sylvain.corlay@gmail.com> wrote:
> FYI, this could probably be a security issue with wheel: a wheel package that has an empty list of data files in any important subdirectory of sys.prefix can delete all the content of that directory upon uninstall or update.
> Thanks,
> Sylvain
Distutils-SIG maillist - Distutils-SIG@python.org https://mail.python.org/mailman/listinfo/distutils-sig
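
The installed-files.txt contents reported in the reply above include a directory entry ('../../share/plugins') next to the regular files. The following audit is an added example, not code from the thread, pip or setuptools: it lists every such directory entry under a site-packages tree together with what the directory currently holds. The directory layout and the file name other_package.json are constructed for the demonstration.

```python
import os
import tempfile

def directory_entries(egg_info_dir, installed_files_text):
    """Return (entry, resolved path, current contents) for every line of
    installed-files.txt that resolves to a directory rather than a file."""
    findings = []
    for line in installed_files_text.splitlines():
        entry = line.strip()
        if not entry:
            continue
        # Entries are relative to the .egg-info directory, as in the thread.
        resolved = os.path.normpath(os.path.join(egg_info_dir, entry))
        if os.path.isdir(resolved):
            findings.append((entry, resolved, sorted(os.listdir(resolved))))
    return findings

def audit_site_packages(site_packages):
    """Map each *.egg-info directory name to its directory-type entries."""
    report = {}
    for name in sorted(os.listdir(site_packages)):
        egg = os.path.join(site_packages, name)
        record = os.path.join(egg, "installed-files.txt")
        if name.endswith(".egg-info") and os.path.isfile(record):
            with open(record) as fh:
                hits = directory_entries(egg, fh.read())
            if hits:
                report[name] = hits
    return report

def build_demo_tree(root):
    """Constructed layout (not from the thread): egg-info plus a shared dir."""
    egg = os.path.join(root, "site-packages", "remover-0.0.0-py2.7.egg-info")
    plugins = os.path.join(root, "share", "plugins")
    os.makedirs(egg)
    os.makedirs(plugins)
    names = ["dependency_links.txt", "PKG-INFO", "SOURCES.txt", "top_level.txt"]
    for name in names:
        open(os.path.join(egg, name), "w").close()
    # File belonging to another package (hypothetical name).
    open(os.path.join(plugins, "other_package.json"), "w").close()
    with open(os.path.join(egg, "installed-files.txt"), "w") as fh:
        fh.write("\n".join(["../../share/plugins"] + names) + "\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        site = os.path.join(root, "site-packages")
        for dist, hits in audit_site_packages(site).items():
            print(dist, [(entry, contents) for entry, _, contents in hits])
```

Any directory it reports that holds files from other distributions is one that an uninstall driven by that installed-files.txt would take with it.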
Participants (2)
- Daniel Holth
- Sylvain Corlay