Bug 2000135 - pip3.6 happily installs yanked releases
Summary: pip3.6 happily installs yanked releases
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: python-pip
Version: 8.4
Hardware: Unspecified
OS: Unspecified
low
unspecified
Target Milestone: rc
: ---
Assignee: Lumír Balhar
QA Contact: Lukáš Zachar
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-09-01 13:25 UTC by Miro Hrončok
Modified: 2022-05-10 16:30 UTC

Fixed In Version: python-pip-9.0.3-21.el8
Doc Type: Enhancement
Doc Text:
Feature: Support for yanked releases
Reason: Third-party Python package indexes such as pypi.org support marking files as "yanked". Such files should not be installed if a non-yanked alternative is available. See https://www.python.org/dev/peps/pep-0592/ for the specification.
Result: When selecting which version of a package to download and install, pip-3.6 will choose a non-yanked file if one is available. It will print a warning when installing from a yanked file.
Clone Of:
Environment:
Last Closed: 2022-05-10 15:18:20 UTC
Type: Bug
Target Upstream Version:
Embargoed:
pm-rhel: mirror+


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | pypa pip pull 9226 | 0 | None | None | None | 2021-09-01 14:02:18 UTC
Red Hat Issue Tracker | RHELPLAN-95879 | 0 | None | None | None | 2021-09-01 13:25:53 UTC
Red Hat Product Errata | RHBA-2022:2006 | 0 | None | None | None | 2022-05-10 15:18:24 UTC

Description Miro Hrončok 2021-09-01 13:25:24 UTC
Description of problem:
PyPI has a concept of yanked versions https://pypi.org/help/#yanked
pip should not install a yanked release unless it is the only release that matches a version specifier (using either == or ===).
The Python 3.6 pip in RHEL 8 however does.

Version-Release number of selected component (if applicable):
python3-pip-9.0.3-19.el8.noarch

How reproducible: Easy

Steps to Reproduce:
1. pip3.6 install --user setuptools_scm

Actual results:
Successfully installed ... setuptools-scm-6.2.0 ...


Expected results:
Successfully installed ... setuptools-scm-6.0.1 ...


If a newer non-yanked release of setuptools_scm is released after this bug report was reported, use `pip3.6 install --user 'setuptools_scm<=6.2.0'` to reproduce.


Additional info:
setuptools_scm on PyPI has:
6.2.0 yanked 
6.1.1 yanked 
6.1.0 yanked 
6.1.0.dev0 pre-release + yanked 
6.0.1 stable
...

Python 3.8+ behaves as expected.

This has potential security implications, as yanked releases might as well contain insecure or malicious software.

Comment 1 Miro Hrončok 2021-09-01 14:02:19 UTC
Possible upstream fix from 20.3.2: https://github.com/pypa/pip/pull/9226

Comment 2 Lumír Balhar 2021-09-10 11:52:37 UTC
I have patches for two possible approaches to this problem. They both share the first commit implementing the parsing of the `yanked_reason` attribute from HTML anchors.

1. Just print a warning with some help:

Patch: https://github.com/frenzymadness/pip/pull/1

Result:

$ python -m pip install "setuptools_scm<=6.3.0"
Collecting setuptools_scm<=6.3.0
  The best candidate for 'setuptools-scm' has been yanked! The reason is 'regression due to toml dependencies'.
  The old pip does not fully support handling of yanked releases
  so you should either update pip to the latest version and then
  install the package again or install a different version manually.
  Using cached https://files.pythonhosted.org/packages/5b/00/c89e466c8d439b6ca44275174bfbbcda2b3d65a9db65732f85649704cfe4/setuptools_scm-6.3.0-py3-none-any.whl
Requirement already satisfied: setuptools in /home/lbalhar/.virtualenvs/pip/lib/python3.9/site-packages (from setuptools_scm<=6.3.0)
Requirement already satisfied: packaging>=20.0 in /home/lbalhar/.virtualenvs/pip/lib/python3.9/site-packages (from setuptools_scm<=6.3.0)
Requirement already satisfied: pyparsing>=2.0.2 in /home/lbalhar/.virtualenvs/pip/lib/python3.9/site-packages (from packaging>=20.0->setuptools_scm<=6.3.0)
Installing collected packages: setuptools-scm
Successfully installed setuptools-scm-6.3.0
You are using pip version 9.0.3, however version 21.2.4 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.

2. Ignore yanked releases entirely:

Patch: https://github.com/frenzymadness/pip/pull/2

Result:

$ python -m pip install "setuptools_scm<=6.3.0"
Collecting setuptools_scm<=6.3.0
  Using cached https://files.pythonhosted.org/packages/c4/d5/e50358c82026f44cd8810c8165002746cd3f8b78865f6bcf5d7f0fe4f652/setuptools_scm-6.0.1-py3-none-any.whl
Requirement already satisfied: setuptools>=45 in /home/lbalhar/.virtualenvs/pip/lib/python3.9/site-packages (from setuptools_scm<=6.3.0)
Installing collected packages: setuptools-scm
Successfully installed setuptools-scm-6.0.1
You are using pip version 9.0.3, however version 21.2.4 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.

Comment 3 Miro Hrončok 2021-09-10 12:58:26 UTC
Thanks! I like (2) more.

One thing to test: pip install setuptools_scm==6.3.0 should still work.

Comment 4 Petr Viktorin (pviktori) 2021-09-10 13:11:47 UTC
I have a feeling that the `==` won't work. Implementing all of PEP 592 will
be a bit harder, and simply disabling installation of yanked packages entirely
isn't appropriate.
Before we solve this properly (if ever), the message could be a bit more robust.
How about this:

  The best candidate for 'setuptools-scm', version '6.3.0', has been
  yanked (marked as not suitable)!
  The reason is 'regression due to toml dependencies'.
  Proceeding to install setuptools-scm==6.3.0 even though it is yanked.

  This version of pip does not fully support handling of yanked releases.
  When installing third-party packages from a repository that supports
  yanking (PEP 592), either always explicitly specify a known-good version,
  or try updating pip itself to the latest version from the third-party
  repository:
     python -m pip install --update pip
  Note that this newer version of pip, and any other software installed
  by pip, are generally not supported by Red Hat.

Comment 5 Lumír Balhar 2021-09-13 10:02:05 UTC
I believe that the latest implementation of method 2 in the PR correctly implements PEP 592.

The logic is as follows:

if the best candidate is yanked:
 - if there is only one candidate
   - install that yanked candidate and warn about it
 - else:
   - try to find new best candidate and warn about ignored yanked candidates - this may fail if all possible candidates
     are yanked but I think it's correct behavior.
else:
 - continue as usual and install the best candidate without any warning

Comment 6 Miro Hrončok 2021-09-22 17:03:53 UTC
The described behavior seems correct. Great!

I've played with your implementation on Fedora a bit. Uninstalls in between every installation omitted here.



(__venv__) $ pip install -U https://github.com/frenzymadness/pip/archive/refs/heads/skip_yanked.zip
...
Successfully installed pip-9.0.3

(__venv__) [tmp]$ pip install "setuptools_scm<=6.3.0"
Collecting setuptools_scm<=6.3.0
  Some of the 'setuptools-scm' releases have been yanked and therefore ignored now.
  Please, consider using a different version of 'setuptools-scm'.
  Downloading https://files.pythonhosted.org/packages/c4/d5/e50358c82026f44cd8810c8165002746cd3f8b78865f6bcf5d7f0fe4f652/setuptools_scm-6.0.1-py3-none-any.whl
Requirement already satisfied: setuptools>=45 in ./__venv__/lib/python3.6/site-packages (from setuptools_scm<=6.3.0)
Installing collected packages: setuptools-scm
Successfully installed setuptools-scm-6.0.1
You are using pip version 9.0.3, however version 21.2.4 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.

(__venv__) [tmp]$ pip install "setuptools_scm==6.2.0"
Collecting setuptools_scm==6.2.0
  The best candidate for 'setuptools-scm' has been yanked! The reason is 'regression due to a discovered setuptools bug'.
  The installation will continue because this is the only candidate.
  Please, consider using a different version of 'setuptools-scm'.
  Downloading https://files.pythonhosted.org/packages/6d/85/4436669ef4d143cdd77426cd72f62e456cd51cfe8b55fd246503d3cbc5d9/setuptools_scm-6.2.0-py3-none-any.whl
Requirement already satisfied: setuptools>=45 in ./__venv__/lib/python3.6/site-packages (from setuptools_scm==6.2.0)
Collecting tomli>=1.0 (from setuptools_scm==6.2.0)
  Downloading https://files.pythonhosted.org/packages/18/47/f7dab5b63b97efa7a715e389291d46246a5999c7b4705c2d147fc879e3b5/tomli-1.2.1-py3-none-any.whl
Installing collected packages: tomli, setuptools-scm
Successfully installed setuptools-scm-6.2.0 tomli-1.2.1
You are using pip version 9.0.3, however version 21.2.4 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.

(__venv__) [tmp]$ pip install "setuptools_scm<6.3,>=6.2"
Collecting setuptools_scm<6.3,>=6.2
  The best candidate for 'setuptools-scm' has been yanked! The reason is 'regression due to a discovered setuptools bug'.
  The installation will continue because this is the only candidate.
  Please, consider using a different version of 'setuptools-scm'.
  Using cached https://files.pythonhosted.org/packages/6d/85/4436669ef4d143cdd77426cd72f62e456cd51cfe8b55fd246503d3cbc5d9/setuptools_scm-6.2.0-py3-none-any.whl
Requirement already satisfied: tomli>=1.0 in ./__venv__/lib/python3.6/site-packages (from setuptools_scm<6.3,>=6.2)
Requirement already satisfied: setuptools>=45 in ./__venv__/lib/python3.6/site-packages (from setuptools_scm<6.3,>=6.2)
Installing collected packages: setuptools-scm
Successfully installed setuptools-scm-6.2.0
You are using pip version 9.0.3, however version 21.2.4 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.




New pip behaves like this:

(__venv__) $ pip install "setuptools_scm<=6.3.0"
Collecting setuptools_scm<=6.3.0
  Using cached setuptools_scm-6.0.1-py3-none-any.whl (27 kB)
Requirement already satisfied: setuptools>=45 in ./__venv__/lib/python3.6/site-packages (from setuptools_scm<=6.3.0) (49.1.3)
Installing collected packages: setuptools-scm
Successfully installed setuptools-scm-6.0.1



(__venv__) $ pip install "setuptools_scm<6.3,>=6.2"
Collecting setuptools_scm<6.3,>=6.2
  Using cached setuptools_scm-6.2.0-py3-none-any.whl (32 kB)
Requirement already satisfied: setuptools>=45 in ./__venv__/lib/python3.6/site-packages (from setuptools_scm<6.3,>=6.2) (49.1.3)
Requirement already satisfied: tomli>=1.0 in ./__venv__/lib/python3.6/site-packages (from setuptools_scm<6.3,>=6.2) (1.2.1)
WARNING: The candidate selected for download or install is a yanked version: 'setuptools-scm' candidate (version 6.2.0 at https://files.pythonhosted.org/packages/6d/85/4436669ef4d143cdd77426cd72f62e456cd51cfe8b55fd246503d3cbc5d9/setuptools_scm-6.2.0-py3-none-any.whl#sha256=3ff3c48a44fcd16b4354a1f82db64daff7434240fe913c51537dca016af466a7 (from https://pypi.org/simple/setuptools-scm/) (requires-python:>=3.6))
Reason for being yanked: regression due to a discovered setuptools bug
Installing collected packages: setuptools-scm
Successfully installed setuptools-scm-6.2.0



Maybe we could try to match the warning message and presence (e.g. the yanked versions ignored case does not warn)?

Comment 7 Lumír Balhar 2021-09-24 08:15:06 UTC
Thanks for the review. I've reimplemented it slightly and made the warning the same as it is in the new pip. See the fixup commit in my repository.

Testing:

--- non-yanked candidates available

-- My implementation

$ pip install "setuptools_scm<=6.3.0"
Collecting setuptools_scm<=6.3.0
  Using cached https://files.pythonhosted.org/packages/c4/d5/e50358c82026f44cd8810c8165002746cd3f8b78865f6bcf5d7f0fe4f652/setuptools_scm-6.0.1-py3-none-any.whl
Requirement already satisfied: setuptools>=45 in /home/lbalhar/.virtualenvs/pip/lib/python3.9/site-packages (from setuptools_scm<=6.3.0)
Installing collected packages: setuptools-scm
Successfully installed setuptools-scm-6.0.1
You are using pip version 9.0.3, however version 21.2.4 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.

-- Latest pip

$ pip install "setuptools_scm<=6.3.0"
Collecting setuptools_scm<=6.3.0
  Using cached setuptools_scm-6.0.1-py3-none-any.whl (27 kB)
Requirement already satisfied: setuptools>=45 in ./lib/python3.9/site-packages (from setuptools_scm<=6.3.0) (57.4.0)
Installing collected packages: setuptools-scm
Successfully installed setuptools-scm-6.0.1

--- specific version, yanked

-- My implementation

$ pip install "setuptools_scm==6.2.0"
Collecting setuptools_scm==6.2.0
  Cache entry deserialization failed, entry ignored
  WARNING: The candidate selected for download or install is a yanked version: 'setuptools-scm' candidate (version 6.2.0 at https://files.pythonhosted.org/packages/6d/85/4436669ef4d143cdd77426cd72f62e456cd51cfe8b55fd246503d3cbc5d9/setuptools_scm-6.2.0-py3-none-any.whl#sha256=3ff3c48a44fcd16b4354a1f82db64daff7434240fe913c51537dca016af466a7 (from https://pypi.org/simple/setuptools-scm/) (requires-python:>=3.6))
  Reason for being yanked: regression due to a discovered setuptools bug
  Using cached https://files.pythonhosted.org/packages/6d/85/4436669ef4d143cdd77426cd72f62e456cd51cfe8b55fd246503d3cbc5d9/setuptools_scm-6.2.0-py3-none-any.whl
Requirement already satisfied: tomli>=1.0 in /home/lbalhar/.virtualenvs/pip/lib/python3.9/site-packages (from setuptools_scm==6.2.0)
Requirement already satisfied: setuptools>=45 in /home/lbalhar/.virtualenvs/pip/lib/python3.9/site-packages (from setuptools_scm==6.2.0)
Installing collected packages: setuptools-scm
Successfully installed setuptools-scm-6.2.0
You are using pip version 9.0.3, however version 21.2.4 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.

-- Latest pip

$ pip install "setuptools_scm==6.2.0"
Collecting setuptools_scm==6.2.0
  Using cached setuptools_scm-6.2.0-py3-none-any.whl (32 kB)
Requirement already satisfied: setuptools>=45 in ./lib/python3.9/site-packages (from setuptools_scm==6.2.0) (57.4.0)
Collecting tomli>=1.0
  Using cached tomli-1.2.1-py3-none-any.whl (11 kB)
WARNING: The candidate selected for download or install is a yanked version: 'setuptools-scm' candidate (version 6.2.0 at https://files.pythonhosted.org/packages/6d/85/4436669ef4d143cdd77426cd72f62e456cd51cfe8b55fd246503d3cbc5d9/setuptools_scm-6.2.0-py3-none-any.whl#sha256=3ff3c48a44fcd16b4354a1f82db64daff7434240fe913c51537dca016af466a7 (from https://pypi.org/simple/setuptools-scm/) (requires-python:>=3.6))
Reason for being yanked: regression due to a discovered setuptools bug
Installing collected packages: tomli, setuptools-scm
Successfully installed setuptools-scm-6.2.0 tomli-1.2.1

--- multiple candidates, but all of them yanked

-- My implementation

$ pip install "setuptools_scm<6.3,>=6.1"
Collecting setuptools_scm<6.3,>=6.1
  WARNING: The candidate selected for download or install is a yanked version: 'setuptools-scm' candidate (version 6.2.0 at https://files.pythonhosted.org/packages/6d/85/4436669ef4d143cdd77426cd72f62e456cd51cfe8b55fd246503d3cbc5d9/setuptools_scm-6.2.0-py3-none-any.whl#sha256=3ff3c48a44fcd16b4354a1f82db64daff7434240fe913c51537dca016af466a7 (from https://pypi.org/simple/setuptools-scm/) (requires-python:>=3.6))
  Reason for being yanked: regression due to a discovered setuptools bug
  Using cached https://files.pythonhosted.org/packages/6d/85/4436669ef4d143cdd77426cd72f62e456cd51cfe8b55fd246503d3cbc5d9/setuptools_scm-6.2.0-py3-none-any.whl
Requirement already satisfied: setuptools>=45 in /home/lbalhar/.virtualenvs/pip/lib/python3.9/site-packages (from setuptools_scm<6.3,>=6.1)
Requirement already satisfied: tomli>=1.0 in /home/lbalhar/.virtualenvs/pip/lib/python3.9/site-packages (from setuptools_scm<6.3,>=6.1)
Installing collected packages: setuptools-scm
Successfully installed setuptools-scm-6.2.0
You are using pip version 9.0.3, however version 21.2.4 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.

-- Latest pip

$ pip install "setuptools_scm<6.3,>=6.1"
Collecting setuptools_scm<6.3,>=6.1
  Using cached setuptools_scm-6.2.0-py3-none-any.whl (32 kB)
Requirement already satisfied: setuptools>=45 in ./lib/python3.9/site-packages (from setuptools_scm<6.3,>=6.1) (57.4.0)
Requirement already satisfied: tomli>=1.0 in ./lib/python3.9/site-packages (from setuptools_scm<6.3,>=6.1) (1.2.1)
WARNING: The candidate selected for download or install is a yanked version: 'setuptools-scm' candidate (version 6.2.0 at https://files.pythonhosted.org/packages/6d/85/4436669ef4d143cdd77426cd72f62e456cd51cfe8b55fd246503d3cbc5d9/setuptools_scm-6.2.0-py3-none-any.whl#sha256=3ff3c48a44fcd16b4354a1f82db64daff7434240fe913c51537dca016af466a7 (from https://pypi.org/simple/setuptools-scm/) (requires-python:>=3.6))
Reason for being yanked: regression due to a discovered setuptools bug
Installing collected packages: setuptools-scm
Successfully installed setuptools-scm-6.2.0


I cannot think of other possible tests because the new logic is involved only if the best candidate is yanked. Therefore we can test only version ranges where the highest version is yanked, and I think all three possible cases are covered by the tests above:

- there is only one candidate and it's yanked - use it and warn about it
- there are multiple candidates but all of them are yanked - use the best one and warn about it
- there are multiple candidates and only some of them yanked - use the best (newest) non-yanked candidate without any warning

Comment 8 Miro Hrončok 2021-09-24 08:46:41 UTC
Looks perfect!

Comment 9 Lumír Balhar 2021-09-24 08:57:38 UTC
Let's be careful and keep it open for Petr and after his review, I'll prepare a PR and some downstream tests.

Comment 10 Lumír Balhar 2021-10-01 11:32:41 UTC
Petr pointed out that the reason might be empty - in that case, the line "Reason for being yanked:…" doesn't show. See the PR mentioned before for the latest info.
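
The three cases listed in Comment 7 and the empty-reason case from Comment 10, as an added example that is not the patch from the PR and not pip's own code. The index page is constructed, the names `select`, `matches`, `vkey` and `AnchorParser` are hypothetical, and version handling is simplified to plain X.Y.Z releases.

```python
import operator
import re
from html.parser import HTMLParser

# Constructed PEP 503 "simple" index page. data-yanked is the PEP 592 marker;
# the 6.2.0 and 6.3.0 reasons are quoted from this report, the empty reason on
# 6.1.1 and the files.example URLs are made up for the example.
SAMPLE_INDEX = """
<a href="https://files.example/setuptools_scm-6.0.1-py3-none-any.whl">setuptools_scm-6.0.1-py3-none-any.whl</a>
<a href="https://files.example/setuptools_scm-6.1.1-py3-none-any.whl" data-yanked="">setuptools_scm-6.1.1-py3-none-any.whl</a>
<a href="https://files.example/setuptools_scm-6.2.0-py3-none-any.whl" data-yanked="regression due to a discovered setuptools bug">setuptools_scm-6.2.0-py3-none-any.whl</a>
<a href="https://files.example/setuptools_scm-6.3.0-py3-none-any.whl" data-yanked="regression due to toml dependencies">setuptools_scm-6.3.0-py3-none-any.whl</a>
"""

OPS = {"==": operator.eq, "<=": operator.le, ">=": operator.ge,
       "<": operator.lt, ">": operator.gt}


class AnchorParser(HTMLParser):
    """Collect (filename, yanked_reason) pairs; reason is None when not yanked."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._reason = None
        self._in_anchor = False

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            attrs = dict(attrs)
            self._in_anchor = True
            # The attribute's presence marks the file as yanked, even when
            # it carries no value; normalise "no value" to an empty reason.
            self._reason = (attrs["data-yanked"] or "") if "data-yanked" in attrs else None

    def handle_endtag(self, tag):
        if tag == "a":
            self._in_anchor = False

    def handle_data(self, data):
        if self._in_anchor and data.strip():
            self.links.append((data.strip(), self._reason))


def vkey(text, width=4):
    """Sort key for plain X.Y.Z versions only (no pre/dev releases)."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (width - len(parts)))


def matches(version, spec):
    """True when version satisfies every comma-separated clause of spec."""
    for clause in spec.split(","):
        op, wanted = re.match(r"\s*(==|<=|>=|<|>)\s*(\S+)", clause).groups()
        if not OPS[op](vkey(version), vkey(wanted)):
            return False
    return True


def select(index_html, spec, honor_yanked=True):
    """Return (version, warnings); honor_yanked=False mimics the unpatched pip."""
    parser = AnchorParser()
    parser.feed(index_html)
    found = [(name.split("-")[1], reason) for name, reason in parser.links]
    found = [c for c in found if matches(c[0], spec)]
    if not found:
        return None, []
    if honor_yanked:
        # Any non-yanked file outranks every yanked one; version breaks ties.
        version, reason = max(found, key=lambda c: (c[1] is None, vkey(c[0])))
    else:
        version, reason = max(found, key=lambda c: vkey(c[0]))
        reason = None  # the old code never looked at the attribute
    warnings = []
    if reason is not None:
        warnings.append("WARNING: The candidate selected for download or "
                        "install is a yanked version: " + version)
        if reason:  # Comment 10: no reason line when the reason is empty
            warnings.append("Reason for being yanked: " + reason)
    return version, warnings


if __name__ == "__main__":
    for spec in ("<=6.3.0", "==6.2.0", "<6.3,>=6.1", "==6.1.1"):
        print(spec, select(SAMPLE_INDEX, spec), select(SAMPLE_INDEX, spec, False)[0])
```
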

Comment 11 Lumír Balhar 2021-10-05 08:25:06 UTC
Scratch build: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=40136027
PR: https://src.osci.redhat.com/rpms/python-pip/pull-request/32

Verification:

script/commands:
# old installs 6.3.0, new installs 6.0.1, no warning in either
pip3.6 install "setuptools_scm<=6.3.0"
pip3.6 uninstall -y "setuptools_scm" > /dev/null 2>&1
# both install 6.2.0, but the new version shows a warning
pip3.6 install "setuptools_scm==6.2.0"
pip3.6 uninstall -y "setuptools_scm" > /dev/null 2>&1
# both install 6.2.0, but the new version shows a warning
pip3.6 install "setuptools_scm<6.3,>=6.1"
pip3.6 uninstall -y "setuptools_scm" > /dev/null 2>&1

# rpm -qv python3-pip
python3-pip-9.0.3-19.el8.noarch

WARNING: Running pip install with root privileges is generally not a good idea. Try `pip3.6 install --user` instead.
Collecting setuptools_scm<=6.3.0
  Using cached https://files.pythonhosted.org/packages/5b/00/c89e466c8d439b6ca44275174bfbbcda2b3d65a9db65732f85649704cfe4/setuptools_scm-6.3.0-py3-none-any.whl
Requirement already satisfied: setuptools in /usr/local/lib/python3.6/site-packages (from setuptools_scm<=6.3.0)
Requirement already satisfied: packaging>=20.0 in /usr/local/lib/python3.6/site-packages (from setuptools_scm<=6.3.0)
Requirement already satisfied: pyparsing>=2.0.2 in /usr/local/lib/python3.6/site-packages (from packaging>=20.0->setuptools_scm<=6.3.0)
Installing collected packages: setuptools-scm
Successfully installed setuptools-scm-6.3.0


WARNING: Running pip install with root privileges is generally not a good idea. Try `pip3.6 install --user` instead.
Collecting setuptools_scm==6.2.0
  Using cached https://files.pythonhosted.org/packages/6d/85/4436669ef4d143cdd77426cd72f62e456cd51cfe8b55fd246503d3cbc5d9/setuptools_scm-6.2.0-py3-none-any.whl
Requirement already satisfied: setuptools>=45 in /usr/local/lib/python3.6/site-packages (from setuptools_scm==6.2.0)
Requirement already satisfied: tomli>=1.0 in /usr/local/lib/python3.6/site-packages (from setuptools_scm==6.2.0)
Installing collected packages: setuptools-scm
Successfully installed setuptools-scm-6.2.0


WARNING: Running pip install with root privileges is generally not a good idea. Try `pip3.6 install --user` instead.
Collecting setuptools_scm<6.3,>=6.1
  Using cached https://files.pythonhosted.org/packages/6d/85/4436669ef4d143cdd77426cd72f62e456cd51cfe8b55fd246503d3cbc5d9/setuptools_scm-6.2.0-py3-none-any.whl
Requirement already satisfied: setuptools>=45 in /usr/local/lib/python3.6/site-packages (from setuptools_scm<6.3,>=6.1)
Requirement already satisfied: tomli>=1.0 in /usr/local/lib/python3.6/site-packages (from setuptools_scm<6.3,>=6.1)
Installing collected packages: setuptools-scm
Successfully installed setuptools-scm-6.2.0

# rpm -qv python3-pip
python3-pip-9.0.3-21.el8.noarch

WARNING: Running pip install with root privileges is generally not a good idea. Try `pip3.6 install --user` instead.
Collecting setuptools_scm<=6.3.0
  Downloading https://files.pythonhosted.org/packages/c4/d5/e50358c82026f44cd8810c8165002746cd3f8b78865f6bcf5d7f0fe4f652/setuptools_scm-6.0.1-py3-none-any.whl
Requirement already satisfied: setuptools>=45 in /usr/local/lib/python3.6/site-packages (from setuptools_scm<=6.3.0)
Installing collected packages: setuptools-scm
Successfully installed setuptools-scm-6.0.1

WARNING: Running pip install with root privileges is generally not a good idea. Try `pip3.6 install --user` instead.
Collecting setuptools_scm==6.2.0
  WARNING: The candidate selected for download or install is a yanked version: 'setuptools-scm' candidate (version 6.2.0 at https://files.pythonhosted.org/packages/6d/85/4436669ef4d143cdd77426cd72f62e456cd51cfe8b55fd246503d3cbc5d9/setuptools_scm-6.2.0-py3-none-any.whl#sha256=3ff3c48a44fcd16b4354a1f82db64daff7434240fe913c51537dca016af466a7 (from https://pypi.org/simple/setuptools-scm/) (requires-python:>=3.6))
  Reason for being yanked: regression due to a discovered setuptools bug
  Using cached https://files.pythonhosted.org/packages/6d/85/4436669ef4d143cdd77426cd72f62e456cd51cfe8b55fd246503d3cbc5d9/setuptools_scm-6.2.0-py3-none-any.whl
Requirement already satisfied: tomli>=1.0 in /usr/local/lib/python3.6/site-packages (from setuptools_scm==6.2.0)
Requirement already satisfied: setuptools>=45 in /usr/local/lib/python3.6/site-packages (from setuptools_scm==6.2.0)
Installing collected packages: setuptools-scm
Successfully installed setuptools-scm-6.2.0

WARNING: Running pip install with root privileges is generally not a good idea. Try `pip3.6 install --user` instead.
Collecting setuptools_scm<6.3,>=6.1
  WARNING: The candidate selected for download or install is a yanked version: 'setuptools-scm' candidate (version 6.2.0 at https://files.pythonhosted.org/packages/6d/85/4436669ef4d143cdd77426cd72f62e456cd51cfe8b55fd246503d3cbc5d9/setuptools_scm-6.2.0-py3-none-any.whl#sha256=3ff3c48a44fcd16b4354a1f82db64daff7434240fe913c51537dca016af466a7 (from https://pypi.org/simple/setuptools-scm/) (requires-python:>=3.6))
  Reason for being yanked: regression due to a discovered setuptools bug
  Using cached https://files.pythonhosted.org/packages/6d/85/4436669ef4d143cdd77426cd72f62e456cd51cfe8b55fd246503d3cbc5d9/setuptools_scm-6.2.0-py3-none-any.whl
Requirement already satisfied: setuptools>=45 in /usr/local/lib/python3.6/site-packages (from setuptools_scm<6.3,>=6.1)
Requirement already satisfied: tomli>=1.0 in /usr/local/lib/python3.6/site-packages (from setuptools_scm<6.3,>=6.1)
Installing collected packages: setuptools-scm
Successfully installed setuptools-scm-6.2.0

Comment 12 Lumír Balhar 2021-10-12 16:43:49 UTC
FTR: there is no need for fixing this in other pip versions in RHEL 8. PEP 592 (yanked releases support) has been implemented in 19.2 (2019-07-22) for the old resolver and in 20.3.2 (2020-12-15) for the new one. In RHEL 8 in alternative Python stacks we have:

python38-pip-19.3.1-4.module+el8.5.0+12205+a865257a.noarch
python39-pip-20.2.4-6.module+el8.5.0+12204+54860423.noarch

which are both higher than 19.2 and both still use the old resolver. I've manually verified that they behave correctly - basically the same way as the new pip and the fixed version of pip3.6.

Comment 19 errata-xmlrpc 2022-05-10 15:18:20 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (python-pip bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:2006

