Add virtualenv seeder plugin to install build
#435
Conversation
src/fromager/build_environment.py
Outdated
| sys.executable, | ||
| "-m", | ||
| "virtualenv", | ||
| "--download", |
There was a problem hiding this comment.
Do we always want to use --download? Downstream we're relying on the system package for virtualenv and trying to only install tools from our build server for secure builds.
There was a problem hiding this comment.
The virtualenv package bundles wheels in its distribution. To get rid of downloads, we would have to include a build wheel in the Fromager wheel. Internally, virtualenv downloads with pip download. We can redirect download to our mirror by setting an env var.
$ find virtualenv -name '*.whl'
virtualenv/seed/wheels/embed/pip-24.2-py3-none-any.whl
virtualenv/seed/wheels/embed/setuptools-68.0.0-py3-none-any.whl
virtualenv/seed/wheels/embed/pip-24.0-py3-none-any.whl
virtualenv/seed/wheels/embed/wheel-0.42.0-py3-none-any.whl
virtualenv/seed/wheels/embed/wheel-0.44.0-py3-none-any.whl
virtualenv/seed/wheels/embed/setuptools-74.1.2-py3-none-any.whlThere was a problem hiding this comment.
OK, if we can redirect the downloads we should do that downstream and document how upstream.
I'm not sure how this implementation is technically better than just creating the environment and installing build into it ourselves like we do with the other tools. Why do it this way with the plugin?
There was a problem hiding this comment.
Virtualenv uses some tricks to make installation of seed packages faster. I have created #436.
There was a problem hiding this comment.
After more experimentation, I came to the conclusion that it is easier to use the same bundling approach as CPython's ensurepip and virtualenv. They store wheel files in git and ship them to their users.
The wheel files for build, packaging, and pyproject_hooks are small and rarely change. Each project has 1-3 releases per year.
There was a problem hiding this comment.
For setuptools and wheel are we going to end up relying on the wheels that are shipped by virtualenv instead of using the ones that we built?
There was a problem hiding this comment.
We have always relied on setuptools and wheel package from virtualenv for the initial seeding of a virtualenv.
virtualenvand Python <3.12 seeds a venv with pip, setuptools, and wheelvirtualenvand Python >=3.12 seeds a venv with pipvenv(from CPython) and Python <3.12 seeds a venv with pip and setuptoolsvenvand Python >=3.12 seeds a venv with pip only
tiran
force-pushed
the
virtualenv_build
branch
from
cc1c43a to
96cc1b9
Compare
Implements a seeder plugin that extends the seed function of virtualenv. The plugin allows us to seed the `build` package into a new virtual env and work around missing `setuptools` and `wheel` commands in Python 3.12+ virtual envs. The seeder plugin uses bundled wheel files just like `virtualenv` and `ensurepip`. Related: python-wheel-build#126 Signed-off-by: Christian Heimes <[email protected]>
tiran
force-pushed
the
virtualenv_build
branch
from
96cc1b9 to
2c47531
Compare
|
An alternate idea to not to rely on wheels shipped by fromager or virtualenv: The docs suggest that for customizing embedded wheels we can patch the module virtualenv.seed.wheels.embed, making sure to provide the function So we have 2 possible options to get the wheels for packages we want seeded
or
We can probably do a combination of both: for the first time the special bootstrap is run to get the seed wheels and they are uploaded to the private index. Then for subsequent bootstraps they can use their private index directly without having to build them Then once we have the wheels we can:
Moreover instead of hardcoding the packages we want seeded, we can pass it as an option in global settings and use that |
|
We have a step in our downstream processes where we copy fromager releases and other tools into the tool index. If we use RHEL system packages to download and build those wheels, we limit the exposure we have and can rely on the existing security of the RHEL packages. We can use fromager to do the bootstrap and give us a build order file, then build those wheels ourselves without fromager one time using a trusted tool chain. At that point we have a version of fromager we trust, and we can use it to build the next version of fromager and any other tools we need. Then when we run fromager to build product wheels, we can have it pull in trusted tool wheels. |
Oh is this as an alternate option instead of the special bootstrap for the seed packages? |
|
At bare minimum, we have to rely on the pip seed package from virtualenv or venv. Otherwise we don't have a way to install anything in the virtual env. |
|
We no longer need the seeder plugin. Instead I'm going to install |
Implements a seeder plugin that extends the seed function of virtualenv. The plugin allows us to seed the
buildpackage into a new virtual env and work around missingsetuptoolsandwheelcommands in Python 3.12+ virtual envs.The seeder plugin uses bundled wheel files just like
virtualenvandensurepip.Related: #126