pip installed via python-pip and python3-pip break on Xenial

Bug #2043717 reported by Jorge Sancho Larraz
Affects: python-pip (Ubuntu)
Status: New
Importance: Undecided
Assigned to: Unassigned

Bug Description

Hi,

I found that the pip version distributed in Ubuntu Xenial via python-pip and python3-pip breaks under certain circumstances. I would like to ask that it be updated for Xenial ESM if you find it relevant.

Context
-------
pip is the package installer for Python. As such, it is expected to be resilient to changes in the dependencies (package updates and so on), especially when those dependencies are installed/updated by pip itself. It is a well understood requirement and the reason why pip is distributed with bundled dependencies.

Issue
-----
pip distributed as part of Ubuntu Xenial (python-pip and python3-pip) breaks after installing "certifi" or any package that depends on "certifi" via pip install.

The reason is that the pip version distributed in Ubuntu Xenial does not bundle the "certifi" module (which started to be bundled in later versions of pip). Thus, installing a newer version of "certifi" causes an incompatibility with the python version distributed in Ubuntu Xenial and pip won't ever work again. In this situation, with pip broken, it cannot be used to uninstall certifi or downgrade it to a compatible version, and this issue needs to be fixed manually.

Steps to reproduce
------------------
For python3
  1. Install pip via apt: sudo apt install python3-pip
  2. Install something that depends on certifi via pip: pip3 install requests
  3. Pip is completely broken: pip3 install six
For python2
  1. Install pip via apt: sudo apt install python-pip
  2. Install something that depends on certifi via pip: pip install requests==2.27
  3. Pip is completely broken: pip install six

Proposed solution
-----------------
The proposed solution is to include the "certifi" module in the bundled dependencies, so that even if an incompatible version of this module is installed in the system, pip will still be operable and could be used to fix the incompatibility by downgrading to a compatible version. This approach is backed by the following facts:
  1. fix is really simple because pip already provides the mechanism to deal with this situation
  2. "certifi" is already bundled into pip in newer versions
  3. there exists a precedent in focal to bundle a new module (appdirs) into pip via Debian patch

You can find attached the .debdiff with the proposed fix.
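As an added pre-flight check (not part of the report or its debdiff), the following POSIX shell script asks a given interpreter whether its pip resolves certifi from a location pip owns, which is the condition the report's fix restores. The /usr/share/python-wheels path is an assumption about where Debian's pip keeps its bundled wheels, and the exit-code convention is this script's own.

```shell
#!/bin/sh
# Does the pip behind "$1" carry its own certifi, or will it pick up whatever
# certifi a later "pip install" drops into site-packages?
# Exit codes: 0 = pip owns the certifi it uses (the breakage above cannot occur)
#             1 = pip relies on the system certifi (at risk)
#             2 = interpreter missing or pip not importable (pip may already be broken)
pip_vendors_certifi() {
    py="$1"
    command -v "$py" >/dev/null 2>&1 || return 2
    "$py" -c 'import pip' >/dev/null 2>&1 || return 2
    "$py" - <<'EOF'
import os, sys
import pip
try:
    import pip._vendor.certifi as certifi
except Exception:
    sys.exit(1)   # no vendored certifi at all, as on Xenial's pip
loc = os.path.abspath(certifi.__file__)
pipdir = os.path.dirname(os.path.abspath(pip.__file__))
# A Debian "debundled" pip may alias pip._vendor.certifi to the system module,
# so an importable name is not enough: check where the file actually lives.
# Assumption: /usr/share/python-wheels holds the wheels Debian's pip bundles.
owned = loc.startswith(pipdir + os.sep) or loc.startswith("/usr/share/python-wheels/")
sys.exit(0 if owned else 1)
EOF
}

# Human-readable verdict for one interpreter; returns the same exit code.
check_host() {
    py="${1:-python3}"
    pip_vendors_certifi "$py"
    rc=$?
    case "$rc" in
        0) echo "$py: pip carries its own certifi; the breakage in LP: #2043717 does not apply" ;;
        1) echo "$py: pip depends on the system certifi; a pip install that upgrades certifi can leave pip unusable (LP: #2043717)" ;;
        *) echo "$py: interpreter not found or pip not importable (pip may already be broken)" ;;
    esac
    return "$rc"
}
```

Run `check_host python3` and `check_host python` on a Xenial host before any `pip install` that could pull in certifi.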
