easy_install is not the recommended way of installing packages from pypi on RHEL 6 as unfortunately the version of setuptools that we ship is way too old. Combined with the fact that RHEL 6 is currently on production phase 3, this issue is not one that we can realistically fix.

The recommended way to install packages from pypi on RHEL 6 is through pip that is shipped with the python software collection.

I prefer pip myself, but it doesn't always help -- in some cases easy_install is called while installing a dependency. Here's a reproducer:

# pip install pynacl
DEPRECATION: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of pip will drop support for Python 2.6
Collecting pynacl
/usr/lib/python2.6/site-packages/pip-9.0.1-py2.6.egg/pip/_vendor/requests/packages/urllib3/util/ssl_.py:318: SNIMissingWarning: An HTTPS request has been made, but the SNI (Subject Name Indication) extension to TLS is not available on this platform. This may cause the server to present an incorrect TLS certificate, which can cause validation failures. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.io/en/latest/security.html#snimissingwarning.
  SNIMissingWarning
/usr/lib/python2.6/site-packages/pip-9.0.1-py2.6.egg/pip/_vendor/requests/packages/urllib3/util/ssl_.py:122: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.io/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
  Downloading PyNaCl-1.2.0.tar.gz (3.3MB)
    100% |████████████████████████████████| 3.3MB 369kB/s 
    Complete output from command python setup.py egg_info:
    Couldn't find index page for 'cffi' (maybe misspelled?)
    No local packages or download links found for cffi>=1.4.1
    Traceback (most recent call last):
      File "<string>", line 1, in <module>
      File "/tmp/pip-build-OCphNh/pynacl/setup.py", line 248, in <module>
        "Programming Language :: Python :: 3.6",
      File "/usr/lib64/python2.6/distutils/core.py", line 113, in setup
        _setup_distribution = dist = klass(attrs)
      File "/usr/lib/python2.6/site-packages/setuptools/dist.py", line 221, in __init__
        self.fetch_build_eggs(attrs.pop('setup_requires'))
      File "/usr/lib/python2.6/site-packages/setuptools/dist.py", line 245, in fetch_build_eggs
        parse_requirements(requires), installer=self.fetch_build_egg
      File "/usr/lib/python2.6/site-packages/pkg_resources.py", line 538, in resolve
        dist = best[req.key] = env.best_match(req, self, installer)
      File "/usr/lib/python2.6/site-packages/pkg_resources.py", line 780, in best_match
        return self.obtain(req, installer) # try and download/install
      File "/usr/lib/python2.6/site-packages/pkg_resources.py", line 792, in obtain
        return installer(requirement)
      File "/usr/lib/python2.6/site-packages/setuptools/dist.py", line 293, in fetch_build_egg
        return cmd.easy_install(req)
      File "/usr/lib/python2.6/site-packages/setuptools/command/easy_install.py", line 466, in easy_install
        raise DistutilsError(msg)
    distutils.errors.DistutilsError: Could not find suitable distribution for Requirement.parse('cffi>=1.4.1')
    
    ----------------------------------------
Command "python setup.py egg_info" failed with error code 1 in /tmp/pip-build-OCphNh/pynacl/

Reopening the bugzilla for the time being. Will request an opinion from PM.

High-level overview of the issue:

easy_install, a binary we ship with the python-setuptools package, no longer fulfills its primary purpose due to an API change in a third-party service.

easy_install is used to download packages from PyPI, a repository of third-party Python libraries. PyPI recently switched to supporting https requests only [0]. Due to that change, easy_install is not able to fetch packages from the default repository anymore, so use cases that required that functionality are currently broken on RHEL 6 systems.

We did not receive customer reports about this yet, but since this affects intallation, we worry that they'd only notice when they need to re-install a system in an emergency.

Thus requesting the opinion of PM in the matter. Please note that depending on the severity of the issue, this bugzilla can be considered a z-stream candidate.

[0] https://mail.python.org/pipermail/distutils-sig/2017-October/031712.html

We talked about this with James yesterday, and it actually seems like something we should try to solve -- however, by solving we might either mean a fix, or maybe we can be fine with a work-wround/KCS article if there is something users can do to fix the issue.

So, the question is -- is there any way to mitigate the issue, other than fixing the package?

The tool itself has an option for alternate index URL, but transitive dependencies will call it unconfigured (see comment 2).

A possible workaround is to install transitive dependencies first, i.e. in the example above, install `cffi` with pip before installing `pynacl`.
However, there's no good way to list all transitive dependencies, so users would need to try installing what they need, on error install the first missing dependency, and repeat.

(In reply to Honza Horak from comment #5)
> We talked about this with James yesterday, and it actually seems like
> something we should try to solve -- however, by solving we might either mean
> a fix, or maybe we can be fine with a work-wround/KCS article if there is
> something users can do to fix the issue.
> 
> So, the question is -- is there any way to mitigate the issue, other than
> fixing the package?

Per comment 1 the fix to the package would be relatively simple:

--- a/setuptools/command/easy_install.py
+++ b/setuptools/command/easy_install.py
@@ -181,7 +181,7 @@ class easy_install(Command):
                 else:
                     self.all_site_dirs.append(normalize_path(d))
         if not self.editable: self.check_site_dir()
-        self.index_url = self.index_url or "http://pypi.python.org/simple"
+        self.index_url = self.index_url or "https://pypi.python.org/simple"
         self.shadow_path = self.all_site_dirs[:]
         for path_item in self.install_dir, normalize_path(self.script_dir):
             if path_item not in self.shadow_path:

A workaround could be that the same patch can be applied on a running system to the /usr/lib/python2.6/site-packages/setuptools/command/easy_install.py (and then the respective .pyc and .pyo files have to be deleted as well).

That will essentially have the same effect, however this could prove problematic due to meddling with protected directories here (e.g. SELinux will then always complain from that point when using easy_install, due to python trying to generate the .pyc and .pyo files).

All in all, a fix to the package seems less problematic than the available workarounds.

(In reply to Radek Bíba from comment #0)
> Description of problem:
> The easy_install utility worked fine a few weeks ago but now it's broken.

Radek, does this mean that it is a Regression? Thanks!

Kind of. There was no change on the setuptools side that would cause this breakage, but the change at pypi.python.org has a negative impact on easy_install. I guess we could call it an indirect regression.