Updating a package that has `./` in RECORD removes site-packages
Description
If you create a package that has a `./` entry in its `RECORD` file and install it, pip will think that the whole site-packages belongs to this package. This means that when removing / updating / reinstalling it, pip will remove the whole site-packages first.

Probably the root cause of #7170.

It is easy to fall prey to this kind of bug when developing PEP-517 hooks.
Expected behavior
Warn? Refuse to install packages that have `./` in `RECORD`? Unsure.
pip version
21.1.2
Python version
3.8.10
OS
Ubuntu 20.04 LTS
How to Reproduce
```shell
# Reproduce only in a virtualenv - this will remove your site-packages
python -m pip install wheelfile
# bomb-0: a wheel whose RECORD lists the directory entry "./"
python -c "from wheelfile import WheelFile; WheelFile(mode='w', distname='bomb', version='0').write('./', recursive=False, resolve=False)"
# bomb-1: an otherwise empty wheel of the same project, so installing it triggers an uninstall of bomb-0
python -c "from wheelfile import WheelFile; WheelFile(mode='w', distname='bomb', version='1')"
python -m pip install ./bomb-0-py3-none-any.whl
python -m pip install ./bomb-1-py3-none-any.whl # 💥 removing bomb-0 removes everything under "./", i.e. site-packages
```
Output
No response
Code of Conduct
- I agree to follow the PSF Code of Conduct.
Issue Analytics
- Created 2 years ago
- Comments: 6 (6 by maintainers)
Comments
Yes, I think it's implied in the top post, since it said "It is easy to fall prey to this kind of bug when developing PEP-517 hooks." In this case, the bug is caught during development, but if such a broken wheel is distributed to PyPI, anyone that ends up installing the wheel will have their environment nuked on uninstallation. Pip is definitely not at fault when that happens, but it also probably would be nice if pip can do something to prevent such destruction.
Wait, I'm confused here. How does an installed `RECORD` file end up containing `./` anyway? The specification explicitly says "directories should not be listed". So this is basically a broken installation.
I'd start by saying this is a bug in `wheelfile`, as it's creating broken wheels (specifically, `RECORD`, but I'd argue that wheels should not contain directories, just files - unfortunately the wheel spec is somewhat vague on this detail, as with a lot of other things, but the intent is clearly that wheels only contain actual files). I'd be fine with pip adding a check and refusing to install a wheel which contains a plain directory, but I'd view that just as a precaution. After all, users can trigger this issue by manually editing `./` into an existing `RECORD` file, and I'd be perfectly fine saying that if they did, any consequences are the user's fault.

PS Ignoring this issue, `wheelfile` looks neat!
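The pre-install check discussed above (refusing a wheel whose `RECORD` lists a directory such as `./`), as an added example that is not pip's or wheelfile's own code. It builds a constructed minimal wheel in memory with `zipfile`, then scans its `RECORD` before anything is unpacked. Beyond the `./` case from the issue it also flags any entry ending in `/`, absolute paths, and paths containing `..`, since an installer that trusts those paths on uninstall has the same problem. The `bomb` distribution name, the `build_wheel` helper and the empty hash fields are assumptions made for the example.

```python
"""Reject wheels whose RECORD lists a directory ("./") or an unsafe path.

Added example, not pip's or wheelfile's code. The wheel built here is
constructed in memory purely to exercise the check.
"""
import csv
import io
import posixpath
import zipfile


def find_record_member(wheel: zipfile.ZipFile) -> str:
    """Return the archive name of <name>-<version>.dist-info/RECORD."""
    for name in wheel.namelist():
        parts = name.split("/")
        if len(parts) == 2 and parts[0].endswith(".dist-info") and parts[1] == "RECORD":
            return name
    raise ValueError("wheel has no .dist-info/RECORD")


def unsafe_record_paths(wheel_bytes: bytes) -> list[str]:
    """List RECORD entries that are not plain, relative file paths.

    Flags: "." / "./" (the case from the issue), any entry ending in "/",
    absolute paths, and paths containing a ".." segment. Only the path
    column of RECORD is inspected; hashes and sizes are left to pip.
    """
    bad = []
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as wheel:
        record = wheel.read(find_record_member(wheel)).decode("utf-8")
    for row in csv.reader(io.StringIO(record)):
        if not row:
            continue
        path = row[0]
        norm = posixpath.normpath(path)
        if (path.endswith("/") or norm == "."
                or path.startswith("/") or ".." in norm.split("/")):
            bad.append(path)
    return bad


def check_wheel(wheel_bytes: bytes) -> None:
    """Raise instead of installing when RECORD would make uninstall unsafe."""
    bad = unsafe_record_paths(wheel_bytes)
    if bad:
        raise ValueError(f"refusing wheel: RECORD lists non-file paths {bad}")


def build_wheel(record_rows: list[tuple[str, str, str]]) -> bytes:
    """Constructed minimal wheel for the example: one module, WHEEL, RECORD.

    Hash fields are left empty here (assumption for brevity); a real RECORD
    carries sha256= digests for every file except RECORD itself.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as wheel:
        wheel.writestr("bomb/__init__.py", "")
        wheel.writestr("bomb-0.dist-info/WHEEL", "Wheel-Version: 1.0\n")
        rec = io.StringIO()
        csv.writer(rec, lineterminator="\n").writerows(record_rows)
        wheel.writestr("bomb-0.dist-info/RECORD", rec.getvalue())
    return buf.getvalue()


# Constructed RECORD contents: a well-formed one and the "./" bomb from the issue.
GOOD = [
    ("bomb/__init__.py", "", "0"),
    ("bomb-0.dist-info/WHEEL", "", "19"),
    ("bomb-0.dist-info/RECORD", "", ""),
]
BOMB = [("./", "", "")] + GOOD


if __name__ == "__main__":
    check_wheel(build_wheel(GOOD))
    print("good wheel accepted")
    try:
        check_wheel(build_wheel(BOMB))
    except ValueError as exc:
        print(exc)
```

Run as a script it accepts the well-formed wheel and rejects the one whose `RECORD` starts with `./`. The check is deliberately done on the archive bytes before extraction, so a wheel that would later make `pip uninstall` walk site-packages never gets installed in the first place; the same scan could be run against an already-installed `.dist-info/RECORD` to audit an environment.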