[Distutils] Removal of wheels deleting more than the data files

Daniel Holth dholth at gmail.com
Mon Jun 20 13:47:21 EDT 2016


It looks like this is a pip and setuptools bug. I was only able to
reproduce by running "pip install ." in the package directory, in which
case 'remover-0.0.0-py2.7.egg-info/installed-files.txt' contains

../../share/plugins
dependency_links.txt
PKG-INFO
SOURCES.txt
top_level.txt

Installing in this way pip has invoked 'setup.py install' for us. Uninstall
will remove share/plugins and its contents but not share.

However running 'setup.py bdist_wheel' and then installing said wheel
leaves no record of '../share/plugins' in 'remover-0.0.0.dist-info/RECORD'.

On Mon, Jun 20, 2016 at 12:56 PM Sylvain Corlay <sylvain.corlay at gmail.com>
wrote:

> FYI, this could probably be a security issue with wheel: a wheel package
> that has an empty list of data files in any important subdirectory of
> sys.prefix can delete all the content of that directory upon uninstall or
> update.
>
> Thanks,
>
> Sylvain
>
> On Wed, Jun 15, 2016 at 11:30 AM, Sylvain Corlay <sylvain.corlay at gmail.com> wrote:
>
>> I discovered a quite serious bug in wheels (
>> http://bugs.python.org/issue27317)
>>
>> When specifying an empty list for the list of data_files in a given
>> directory, the entire directory is being deleted on uninstall of the wheel,
>> even if it contained other resources from other packages.
>>
>> Example:
>>
>> from setuptools import setup
>> setup(name='remover', data_files=[('share/plugins', [])])
>>
>>
>> The expected behavior is that only the specified list of files is
>> removed (which is empty in that case).
>>
>> When the list is not empty, the behavior is the one expected. For example,
>>
>> from setuptools import setup
>> setup(name='remover', data_files=[('share/plugins', ['foobar.json'])])
>>
>>
>> will only remove `foobar.json` on uninstall and the `plugins` directory
>> will not be removed if it is not empty.
>>
>> Thanks,
>>
>> Sylvain
>>
>
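An added example, not part of any message in this thread: a check that reads the entries of an `installed-files.txt` like the one quoted above and reports every entry that resolves to a directory, together with the files beneath it that the package never recorded. The function names, the `other_package.json` file and the temporary directory layout (with the `.egg-info` directory two levels below the prefix, so that `../../share/plugins` resolves to `share/plugins`) are constructed for illustration.

```python
import os
import tempfile


def directory_entries(egg_info_dir, recorded_lines):
    """Map each recorded entry that is a directory to the unrecorded files under it.

    Entries in installed-files.txt are paths relative to the .egg-info directory.
    """
    resolved = [os.path.normpath(os.path.join(egg_info_dir, line.strip()))
                for line in recorded_lines if line.strip()]
    recorded = set(resolved)
    findings = {}
    for path in resolved:
        if not os.path.isdir(path):
            continue  # a file entry (or a missing path) is not a whole-directory record
        collateral = []
        for root, _dirs, files in os.walk(path):
            for name in files:
                full = os.path.join(root, name)
                if full not in recorded:
                    collateral.append(full)  # present on disk, never recorded by this package
        findings[path] = sorted(collateral)
    return findings


def build_constructed_prefix():
    """Constructed layout: share/plugins already holds a file from another package."""
    prefix = tempfile.mkdtemp()
    egg = os.path.join(prefix, "site-packages", "remover-0.0.0-py2.7.egg-info")
    plugins = os.path.join(prefix, "share", "plugins")
    os.makedirs(egg)
    os.makedirs(plugins)
    with open(os.path.join(plugins, "other_package.json"), "w") as fh:
        fh.write("{}")
    for name in ("PKG-INFO", "SOURCES.txt"):
        open(os.path.join(egg, name), "w").close()
    # Same shape as the installed-files.txt quoted in the message (shortened).
    lines = ["../../share/plugins", "PKG-INFO", "SOURCES.txt"]
    return prefix, egg, lines


if __name__ == "__main__":
    _prefix, egg_dir, entries = build_constructed_prefix()
    for directory, files in directory_entries(egg_dir, entries).items():
        print("directory recorded as installed:", directory)
        for f in files:
            print("  not recorded by this package:", f)
```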