Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: python-...@packages.debian.org

[ Reason ]
There is a race-condition in pip querying metadata from PyPI in parallel, e.g. for "pip list --outdated". I suspect upstream never saw it because we were using zipimports for pip's dependencies, where they vendor them. The race-condition seems to be specific to their home-grown parallel map() implementation, that has later been replaced by Python's native map().

[ Impact ]
pip list --outdated can fail with a very obscure traceback. See #1006150.

[ Tests ]
Manually reproduced the race, fairly frequently. With this patch I haven't seen the race again.

[ Risks ]
Trivial change, following something upstream did in a later version, when dropping support for older Python releases.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
Use Python's native map() instead of pip's home-grown map_multithread().

[ Other info ]
N/A

diff -Nru python-pip-20.3.4/debian/changelog python-pip-20.3.4/debian/changelog --- python-pip-20.3.4/debian/changelog 2021-07-01 16:44:29.000000000 -0400 +++ python-pip-20.3.4/debian/changelog 2022-03-07 11:19:24.000000000 -0400 @@ -1,3 +1,10 @@ +python-pip (20.3.4-4+deb11u1) bullseye; urgency=medium + + * Use native map() to avoid a zipimport race in pip list --outdated. + (Closes: #1006150) + + -- Stefano Rivera <stefa...@debian.org> Mon, 07 Mar 2022 11:19:24 -0400 + python-pip (20.3.4-4) unstable; urgency=medium * No-change upload against distlib 0.3.2+really+0.3.1-0.1. diff -Nru python-pip-20.3.4/debian/patches/native-map.patch python-pip-20.3.4/debian/patches/native-map.patch --- python-pip-20.3.4/debian/patches/native-map.patch 1969-12-31 20:00:00.000000000 -0400 +++ python-pip-20.3.4/debian/patches/native-map.patch 2022-03-07 11:19:24.000000000 -0400 
@@ -0,0 +1,33 @@ +From: Stefano Rivera <stefa...@debian.org> +Date: Mon, 7 Mar 2022 11:17:31 -0400 +Subject: Use native map() instead of map_multithread() + +Avoids a race-condition when using zip-imported dependencies. + +Origin: upstream, https://github.com/pypa/pip/commit/0252c04a16cd93fe422cebf0b48453b559a2e404 +Bug-Debian: https://bugs.debian.org/1006150 +--- + src/pip/_internal/commands/list.py | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/src/pip/_internal/commands/list.py b/src/pip/_internal/commands/list.py +index 10720b2..8e63eea 100644 +--- a/src/pip/_internal/commands/list.py ++++ b/src/pip/_internal/commands/list.py +@@ -20,7 +20,6 @@ from pip._internal.utils.misc import ( + write_output, + ) + from pip._internal.utils.packaging import get_installer +-from pip._internal.utils.parallel import map_multithread + from pip._internal.utils.typing import MYPY_CHECK_RUNNING + + if MYPY_CHECK_RUNNING: +@@ -234,7 +233,7 @@ class ListCommand(IndexGroupCommand): + dist.latest_filetype = typ + return dist + +- for dist in map_multithread(latest_info, packages): ++ for dist in map(latest_info, packages): + if dist is not None: + yield dist + diff -Nru python-pip-20.3.4/debian/patches/series python-pip-20.3.4/debian/patches/series --- python-pip-20.3.4/debian/patches/series 2021-07-01 16:44:29.000000000 -0400 +++ python-pip-20.3.4/debian/patches/series 2022-03-07 11:19:24.000000000 -0400 @@ -10,3 +10,4 @@ debug-command-for-unbundled.patch str-version.patch git-split-ascii.patch +native-map.patch
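
Review bot: In the @@ -234,7 +233,7 hunk of list.py, the call to map(latest_info, packages) runs the index lookups one package at a time, so the concurrency that map_multithread provided is gone and nothing in the patch description or the changelog entry says so. Suggest adding a sentence to the native-map.patch header (next to "Avoids a race-condition when using zip-imported dependencies.") stating that the lookups for pip list --outdated are now serial and that this is the accepted trade-off for removing the race.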
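
Review bot: The import removal in the @@ -20,7 +20,6 hunk only drops the use in list.py, and the diffstat confirms a single file changed, so map_multithread itself stays in pip._internal.utils.parallel. Please confirm with a grep of the 20.3.4 tree that no other caller remains that could hit the same zipimport race, and record the result in the patch description so the scope of the fix is clear.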