- Notifications
You must be signed in to change notification settings - Fork6.6k
fix: upgrade setuptools to 79.0.1 in python-samples-testing-docker#13468
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.
Already on GitHub?Sign in to your account
base:main
Are you sure you want to change the base?
Uh oh!
There was an error while loading.Please reload this page.
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Summary of Changes
Hello@parthea, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!
This pull request primarily focuses on enhancing the security and maintainability of thepython-samples-testing-docker image by addressing asetuptools vulnerability. It involves comprehensive updates to Python runtime versions,pip, and the Google Cloud SDK, ensuring the testing environment remains current and robust.
Highlights
- Setuptools Security Fix and Upgrade: I've upgraded
setuptoolsto version 79.0.1 to address a reported vulnerability (b/424659470). This involved removing the system-widepython3-setuptoolspackage viaapt, explicitly uninstallingsetuptoolsfor older, unsupported Python versions (2.7, 3.7, 3.8), and then installing the updated version for Python 3.9 and newer using newly introducedrequirements.inandrequirements.txtfiles. - Python Runtime Version Updates: All specified Python runtime versions within the Docker image have been updated to their latest patch releases (e.g., 3.9.20 to 3.9.23, 3.10.15 to 3.10.18, 3.11.10 to 3.11.13, 3.12.7 to 3.12.11, 3.13.0 to 3.13.5), ensuring the testing environment uses up-to-date interpreters.
- Dependency Version Bumps: The
pipversion has been updated from 21.3.1 to 23.1.2, and the Google Cloud SDK version has been bumped from 502.0.0 to 528.0.0. Additionally, theCLOUDSDK_PYTHONenvironment variable has been updated to usepython3.12for the Google Cloud SDK.
Using Gemini Code Assist
The full guide for Gemini Code Assist can be found on ourdocumentation page, here are some quick tips.
Invoking Gemini
You can request assistance from Gemini at any point in your pull request via creating an issue comment (i.e. comment on the pull request page) using either/gemini <command> or@gemini-code-assist <command>. Below is a summary of the supported commands.
| Feature | Command | Description |
|---|---|---|
| Code Review | /gemini review | Performs a code review for the current pull request in its current state. |
| Pull Request Summary | /gemini summary | Provides a summary of the current pull request in its current state. |
| Comment | @gemini-code-assist | Responds in comments when explicitly tagged, both in issue comments and review comments. |
| Help | /gemini help | Displays a list of available commands. |
Customization
To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a.gemini/ folder in the base of the repository. Detailed instructions can be foundhere.
Limitations & Feedback
Gemini Code Assist is currently in preview and may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on@gemini-code-assist comments to provide feedback.
You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with theGemini Code Assist IDE Extension.
Footnotes
Review thePrivacy Notices,Generative AI Prohibited Use Policy,Terms of Service, and learn how to configure Gemini Code Assist in GitHubhere. Gemini can make mistakes, so double check it anduse code with caution.↩
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Code Review
This pull request updates dependencies in the Dockerfile, including Python runtimes, pip, and setuptools, to address a security vulnerability. The introduction ofrequirements.in and a pinnedrequirements.txt improves dependency management. The review focuses on Dockerfile best practices to enhance efficiency and maintainability.
.kokoro/docker/Dockerfile Outdated
| @@ -65,6 +65,7 @@ RUN apt-get update \ | |||
| uuid-dev \ | |||
| wget \ | |||
| zlib1g-dev \ | |||
| && apt remove -y python3-setuptools \ | |||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Consider usingapt-get instead ofapt for package management.apt-get is more script-friendly and its behavior is more predictable in automated environments like Dockerfiles.
&& apt-get remove -y python3-setuptools \.kokoro/docker/Dockerfile Outdated
| RUN rm /tmp/get-pip-3-8.py | ||
| RUN rm /tmp/get-pip-3-7.py |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Combine theserm commands into a singleRUN instruction to reduce the number of layers in the Docker image, optimizing its size.
RUN rm /tmp/get-pip.py /tmp/get-pip-3-8.py /tmp/get-pip-3-7.py.kokoro/docker/Dockerfile Outdated
| -r /requirements.txt \ | ||
| ; done |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Remove the temporary file/requirements.txt in the sameRUN layer where it's used to avoid creating an extra layer and reduce the image size.
; done && rm /requirements.txtThere was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
In theory this change looks correct, but we should wait for unit tests to complete, and also (if possible) testing the updates in a built image. And/or merging this PR and fast-following with re-trying a PR with the new image and confirming all the checks successfully run.
Description
Fixes b/424659470
Note: Before submitting a pull request, please open an issue for discussion if you are not associated with Google.
Checklist
nox -s py-3.9(seeTest Environment Setup)nox -s lint(seeTest Environment Setup)This PR is similar togoogleapis/testing-infra-docker#488 which upgraded setuptools in
python-base, as well asgoogleapis/testing-infra-docker#490 which upgraded setuptools inpython-multiThis PR includes the following fixes
python3-setuptoolsto address b/424659470setuptoolsto 79.0.1 to address b/424659470setuptoolsfor Python 3.7/3.8 which are not supported runtimes insetuptools==79.0.1pipto23.1.2to match what we have inpython-basegcloudversion to 528.0.0 and upgradegcloudpython to 3.12