Forcing the version of setuptools is unsafe

[jnewbigin]

pip-compile tells me Forcing the version of setuptools is unsafe

which is done here:

google-auth-library-python/setup.py

Line 25 in ac74905

"setuptools>=40.3.0",

My distro provided python 3.6.9 comes with setuptools 36.5.0. As I understand, the setuptools version is matched to your python install and should not be upgraded with pip.

When I have a package which pulls in google-auto, it updates my setuptools causing other tools to start issuing warnings.

I wonder if you do indeed need the newer setuptools?

[busunkim96]

Hi @jnewbigin,

It looks like we require that minimum version for the library to function properly. See #322

Do you have more background on why it is unsafe to upgrade setuptools? I wasn't able to find anything about it from a quick search.

Tthis PyPA tutorial specifically tells you to install a newer version of setuptools, so I would think it is safe?

[busunkim96]

More reading:

• Is it safe to pin setuptools/distribute/pip in requirements.txt? pypa/pip#6459
• Should --generate-hashes imply --allow-unsafe? jazzband/pip-tools#806
• https://stackoverflow.com/questions/58843905/what-is-the-proper-way-to-decide-whether-to-allow-unsafe-package-versions-in-pip/58864335#58864335

It looks like this warning is likely to be removed in the future

[jnewbigin]

Thanks for looking into this!
So it looks like the approach for now is that I should use --allow-unsafe with pip-compile. And if that flag is deprecated in the future, presumably it will issue a warning that the flag is no longer required.
In summary, versioning setuptools is required and it is actually safe.

John.