
bandit 1.6.3 is getting picked up on python 2.7 installs #663

Closed
kratsg opened this issue Dec 9, 2020 · 5 comments
Labels
bug Something isn't working

Comments


kratsg commented Dec 9, 2020

Describe the bug

When running on python 2.7, a pip install bandit picks up 1.6.3.

To Reproduce

$ docker run -it --rm -v $PWD:$PWD -w $PWD python:2.7-buster sh
# python -m pip install -U pip setuptools wheel
DEPRECATION: Python 2.7 reached the end of its life on January 1st, 2020. Please upgrade your Python as Python 2.7 is no longer maintained. A future version of pip will drop support for Python 2.7. More details about Python 2 support in pip, can be found at https://pip.pypa.io/en/latest/development/release-process/#python-2-support
Collecting pip
  Downloading pip-20.3.1-py2.py3-none-any.whl (1.5 MB)
     |████████████████████████████████| 1.5 MB 3.2 MB/s 
Collecting setuptools
  Downloading setuptools-44.1.1-py2.py3-none-any.whl (583 kB)
     |████████████████████████████████| 583 kB 15.2 MB/s 
Collecting wheel
  Downloading wheel-0.36.1-py2.py3-none-any.whl (34 kB)
Installing collected packages: pip, setuptools, wheel
  Attempting uninstall: pip
    Found existing installation: pip 20.0.2
    Uninstalling pip-20.0.2:
      Successfully uninstalled pip-20.0.2
  Attempting uninstall: setuptools
    Found existing installation: setuptools 44.1.0
    Uninstalling setuptools-44.1.0:
      Successfully uninstalled setuptools-44.1.0
  Attempting uninstall: wheel
    Found existing installation: wheel 0.34.2
    Uninstalling wheel-0.34.2:
      Successfully uninstalled wheel-0.34.2
Successfully installed pip-20.3.1 setuptools-44.1.1 wheel-0.36.1
# python -m pip install bandit
DEPRECATION: Python 2.7 reached the end of its life on January 1st, 2020. Please upgrade your Python as Python 2.7 is no longer maintained. pip 21.0 will drop support for Python 2.7 in January 2021. More details about Python 2 support in pip can be found at https://pip.pypa.io/en/latest/development/release-process/#python-2-support pip 21.0 will remove support for this functionality.
Collecting bandit
  Downloading bandit-1.6.3-py2.py3-none-any.whl (115 kB)
     |████████████████████████████████| 115 kB 3.9 MB/s 
ERROR: Package 'bandit' requires a different Python: 2.7.18 not in '>=3.5'

It's been uploaded as a "universal wheel" which I think is the issue.

Expected behavior

An older version of bandit is picked up.
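A release-time check for the mismatch described above, added here as an example and not code from bandit, pip or any of the projects in this thread: it parses the wheel filename's python tags and asks whether any interpreter version a tag claims could satisfy the package's own Requires-Python. The function names, the KNOWN_MINORS table and the small PEP 440 subset it evaluates are assumptions.

```python
"""Pre-release sanity check: do a wheel's filename tags claim support for
Python versions that its own Requires-Python metadata rules out?

Added example for this issue (not bandit's or pip's code). A wheel named
bandit-1.6.3-py2.py3-none-any.whl advertises Python 2 *and* 3 through its
"py2.py3" tag, so a resolver that selects candidates by filename tag will
fetch it for Python 2.7, only for the embedded "Requires-Python: >=3.5"
to reject it afterwards. Stdlib only; the specifier evaluator is a
deliberately small subset of PEP 440 (assumption: enough for the simple
specifiers seen in practice for Requires-Python).
"""
import re

# Interpreter versions treated as "claimed" by a major-only tag such as py2
# or py3. Constructed table; extend it as new minor releases appear.
KNOWN_MINORS = {2: [(2, 6), (2, 7)], 3: [(3, m) for m in range(0, 14)]}

_WHEEL_RE = re.compile(
    r"^(?P<dist>[^-]+)-(?P<ver>[^-]+)(?:-(?P<build>\d[^-]*))?"
    r"-(?P<py>[^-]+)-(?P<abi>[^-]+)-(?P<plat>[^-]+)\.whl$"
)
_SPEC_RE = re.compile(r"^(~=|==|!=|<=|>=|<|>)\s*(\d+(?:\.\d+)*)(\.\*)?$")


def parse_wheel_filename(name):
    """Split a PEP 427 wheel filename and return its list of python tags."""
    m = _WHEEL_RE.match(name)
    if not m:
        raise ValueError("not a valid wheel filename: %s" % name)
    return m.group("py").split(".")


def tag_versions(tag):
    """Map one python tag to the interpreter versions it claims:
    py2 -> every known 2.x; cp37 or py37 -> just (3, 7)."""
    m = re.match(r"^(?:py|cp|pp|ip|jy)(\d)(\d*)$", tag)
    if not m:
        return []  # unknown tag: make no claim either way
    major = int(m.group(1))
    if m.group(2):
        return [(major, int(m.group(2)))]
    return KNOWN_MINORS.get(major, [])


def _vtuple(s):
    return tuple(int(p) for p in s.split("."))


def satisfies(version, requires_python):
    """True if interpreter `version` (major, minor) meets every
    comma-separated clause of the Requires-Python string."""
    for clause in requires_python.split(","):
        clause = clause.strip()
        if not clause:
            continue
        m = _SPEC_RE.match(clause)
        if not m:
            raise ValueError("unsupported specifier clause: %r" % clause)
        op, target, wildcard = m.group(1), _vtuple(m.group(2)), m.group(3)
        n = len(target)
        v = version[:n]  # compare at the precision the clause names
        if wildcard:  # ==3.6.* / !=3.6.* style prefix match
            hit = v == target
            ok = hit if op == "==" else not hit
        elif op == "~=":  # compatible release: >=X.Y and ==X.*
            ok = v >= target and version[: n - 1] == target[:-1]
        else:
            ok = {">=": v >= target, ">": v > target, "<=": v <= target,
                  "<": v < target, "==": v == target, "!=": v != target}[op]
        if not ok:
            return False
    return True


def unsupported_tags(wheel_name, requires_python):
    """Tags in the filename that no interpreter version could satisfy under
    Requires-Python, i.e. where the wheel over-claims compatibility."""
    bad = []
    for tag in parse_wheel_filename(wheel_name):
        versions = tag_versions(tag)
        if versions and not any(satisfies(v, requires_python) for v in versions):
            bad.append(tag)
    return bad


if __name__ == "__main__":
    # The wheel from this issue next to the same release tagged honestly.
    for name in ("bandit-1.6.3-py2.py3-none-any.whl",
                 "bandit-1.6.3-py3-none-any.whl"):
        bad = unsupported_tags(name, ">=3.5")
        print(name, "over-claims:", bad or "nothing")
```

An empty result from unsupported_tags is what a CI gate should require before uploading; a non-empty one is exactly the "universal wheel" mistake this issue reports, which consumers then have to work around by capping the package on Python 2.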

@yoctozepto

Yes, this has broken OpenStack CIs for Py2.7


tipabu commented Dec 9, 2020

See also #654. Not sure how amenable PyPI is to updating busted artifacts, but I also wouldn't want to force a return of py2 support. Unpublishing may be the least-bad option?

@yoctozepto

Agreed. Publish 1.6.4 as non-universal (or better yet, just publish 1.7.0 at least) and unpublish 1.6.3. That would help.

openstack-mirroring pushed a commit to openstack/kolla that referenced this issue Dec 9, 2020
This patch disables the lower-constraints job as it started
failing and we agreed during the PTG to drop it anyway. [1]

For Train and below additionally blacklist bandit 1.6.3 as
it was improperly released as a universal wheel. [2]

[1] http://lists.openstack.org/pipermail/openstack-discuss/2020-October/018445.html
[2] PyCQA/bandit#663

Change-Id: Icfedd16ef9aed84e9f9be939e832c35e0d735efe
(cherry picked from commit bc0a41c)
openstack-mirroring pushed a commit to openstack/kolla-ansible that referenced this issue Dec 9, 2020
Stein backport note: this patch makes upgrade jobs non-voting, since
Rocky is not really maintained.
This also removes them from the gate per the infra recommendations.

The 'prechecks : Checking Docker version' task previously failed with
Docker 20.10.0. The regex used to parse the version was returning
0.10.0, which is not above the minimum. The previous version of 19.x
would have been parsed as 9.x, which is above the minimum.

This change fixes the issue by matching the beginning and end of the
version using \b.

For Train and below additionally blacklist bandit 1.6.3 as
it was improperly released as a universal wheel. [1]
And also drop lower-constraints job as agreed during the PTG.
[2] It started to fail.

For Stein, add kolla to openstack_projects list in the deploy-guide, to
fix the cross-project link.

[1] PyCQA/bandit#663
[2] http://lists.openstack.org/pipermail/openstack-discuss/2020-October/018445.html

Change-Id: I2a23eea7effb5b9a5e73361bcd48bd2e16d1569c
Closes-Bug: 1907436
Co-Authored-By: Radosław Piliszek <radoslaw.piliszek@gmail.com>
openstack-mirroring pushed a commit to openstack/kolla that referenced this issue Dec 10, 2020
This patch disables the lower-constraints job as it started
failing and we agreed during the PTG to drop it anyway. [1]

For Train and below additionally blacklist bandit 1.6.3 as
it was improperly released as a universal wheel. [2]

[1] http://lists.openstack.org/pipermail/openstack-discuss/2020-October/018445.html
[2] PyCQA/bandit#663

Change-Id: Icfedd16ef9aed84e9f9be939e832c35e0d735efe
Depends-On: https://review.opendev.org/c/openstack/kolla-ansible/+/766180
(cherry picked from commit bc0a41c)
openstack-mirroring pushed a commit to openstack/kolla-ansible that referenced this issue Dec 10, 2020
The 'prechecks : Checking Docker version' task previously failed with
Docker 20.10.0. The regex used to parse the version was returning
0.10.0, which is not above the minimum. The previous version of 19.x
would have been parsed as 9.x, which is above the minimum.

This change fixes the issue by matching the beginning and end of the
version using \b.

For Train and below additionally blacklist bandit 1.6.3 as
it was improperly released as a universal wheel. [1]
And also drop lower-constraints job as agreed during the PTG.
[2] It started to fail.

[1] PyCQA/bandit#663
[2] http://lists.openstack.org/pipermail/openstack-discuss/2020-October/018445.html

Depends-On: https://review.opendev.org/766180

Change-Id: I2a23eea7effb5b9a5e73361bcd48bd2e16d1569c
Closes-Bug: 1907436
Co-Authored-By: Radosław Piliszek <radoslaw.piliszek@gmail.com>
ericwb added the bug label Dec 12, 2020

ericwb (Member) commented Dec 13, 2020

1.7.0 is published, but need to track down a PyPI user with Owner role to yank 1.6.3

ericwb (Member) commented Dec 13, 2020

1.6.3 yanked. Thanks everyone

ericwb closed this as completed Dec 13, 2020
cityofships pushed a commit to stackhpc/kolla-ansible that referenced this issue Dec 14, 2020
The 'prechecks : Checking Docker version' task previously failed with
Docker 20.10.0. The regex used to parse the version was returning
0.10.0, which is not above the minimum. The previous version of 19.x
would have been parsed as 9.x, which is above the minimum.

This change fixes the issue by matching the beginning and end of the
version using \b.

For Train and below additionally blacklist bandit 1.6.3 as
it was improperly released as a universal wheel. [1]
And also drop lower-constraints job as agreed during the PTG.
[2] It started to fail.

[1] PyCQA/bandit#663
[2] http://lists.openstack.org/pipermail/openstack-discuss/2020-October/018445.html

Depends-On: https://review.opendev.org/766180

Change-Id: I2a23eea7effb5b9a5e73361bcd48bd2e16d1569c
Closes-Bug: 1907436
Co-Authored-By: Radosław Piliszek <radoslaw.piliszek@gmail.com>
paulbrowne pushed a commit to RSE-Cambridge/kolla-ansible that referenced this issue Dec 14, 2020
The 'prechecks : Checking Docker version' task previously failed with
Docker 20.10.0. The regex used to parse the version was returning
0.10.0, which is not above the minimum. The previous version of 19.x
would have been parsed as 9.x, which is above the minimum.

This change fixes the issue by matching the beginning and end of the
version using \b.

For Train and below additionally blacklist bandit 1.6.3 as
it was improperly released as a universal wheel. [1]
And also drop lower-constraints job as agreed during the PTG.
[2] It started to fail.

[1] PyCQA/bandit#663
[2] http://lists.openstack.org/pipermail/openstack-discuss/2020-October/018445.html

Depends-On: https://review.opendev.org/766180

Change-Id: I2a23eea7effb5b9a5e73361bcd48bd2e16d1569c
Closes-Bug: 1907436
Co-Authored-By: Radosław Piliszek <radoslaw.piliszek@gmail.com>
openstack-mirroring pushed a commit to openstack/ironic that referenced this issue Jan 8, 2021
The 1.6.3 [1] release has dropped support for py2 [2] but the release
is faulty and pip still picks it up for py2 [3][4], so cap to 1.6.2
when using py2.

[1] https://github.com/PyCQA/bandit/releases/tag/1.6.3
[2] PyCQA/bandit#615
[3] PyCQA/bandit#663
[4] PyCQA/bandit#665

Change-Id: I64da924b84d6a96d0440a562c0a7925406aff4c4
openstack-mirroring pushed a commit to openstack/oslo.limit that referenced this issue Jan 16, 2021
The 1.6.3 [1] release has dropped support for py2 [2] but the release
is faulty and pip still picks it up for py2 [3][4], so cap to 1.6.2
when using py2.

Contradicting hacking version replaced (in lower-constraints.txt to
match with test-requirements.txt).

[1] https://github.com/PyCQA/bandit/releases/tag/1.6.3
[2] PyCQA/bandit#615
[3] PyCQA/bandit#663
[4] PyCQA/bandit#665

Change-Id: I2df0f9778b029ea369492649041ed375dccef2a7
openstack-mirroring pushed a commit to openstack/designate that referenced this issue Jan 16, 2021
bandit 1.6.3 [1] release has dropped support for py2 [2] but the
release is faulty and pip still picks it up for py2 [3][4], so cap to
1.6.2 when using py2.

With the new pip dependency resolver (introduced in pip 20.3) the
lower-constraints job started to fail. Problem is here with the
'install_command' in tox.ini, which uses both the upper- and lower-
constraints files, causing the job to fail. This patch adds separate
install_command without the upper constraints, so that only the
lower-constraints.txt is used.

[1] https://github.com/PyCQA/bandit/releases/tag/1.6.3
[2] PyCQA/bandit#615
[3] PyCQA/bandit#663
[4] PyCQA/bandit#665

Change-Id: If8738f5005e60cf46ed93edbefa272bc2611b53f
openstack-mirroring pushed a commit to openstack/oslo.serialization that referenced this issue Jan 19, 2021
The 1.6.3 [1] release has dropped support for py2 [2] but the release
is faulty and pip still picks it up for py2 [3][4], so cap to 1.6.2
when using py2.

Contradicting hacking version replaced (in lower-constraints.txt to
match with test-requirements.txt), which pulls in newer flake8, too.

[1] https://github.com/PyCQA/bandit/releases/tag/1.6.3
[2] PyCQA/bandit#615
[3] PyCQA/bandit#663
[4] PyCQA/bandit#665

Change-Id: I404810487e68042a2ae7de888a1225a0fcd23252
openstack-mirroring pushed a commit to openstack/osprofiler that referenced this issue Feb 3, 2021
The 1.6.3 [1] release has dropped support for py2 [2] but the release
is faulty and pip still picks it up for py2 [3][4], so cap to 1.6.2
when using py2.

sphinx requirement needed to be updated to make requirements-check job
pass.

[1] https://github.com/PyCQA/bandit/releases/tag/1.6.3
[2] PyCQA/bandit#615
[3] PyCQA/bandit#663
[4] PyCQA/bandit#665

Change-Id: I8762bad8821868c97af8114e49f51b6383df3e5c
openstack-mirroring pushed a commit to openstack/oslo.reports that referenced this issue Feb 4, 2021
The 1.6.3 [1] release has dropped support for py2 [2] but the release
is faulty and pip still picks it up for py2 [3][4], so cap to 1.6.2
when using py2.

Contradicting hacking version replaced (in lower-constraints.txt to
match with test-requirements.txt), which pulls in newer flake8, too.

[1] https://github.com/PyCQA/bandit/releases/tag/1.6.3
[2] PyCQA/bandit#615
[3] PyCQA/bandit#663
[4] PyCQA/bandit#665

Change-Id: I0c50a5d70cd288cea3fe05a23dcb474cde176caa
openstack-mirroring pushed a commit to openstack/cinder that referenced this issue Feb 10, 2021
bandit 1.6.3 [1] release has dropped support for py2 [2] but the
release is faulty and pip still picks it up for py2 [3][4], so cap to
1.6.2 when using py2.

With the new pip dependency resolver (introduced in pip 20.3) the
lower-constraints job started to timeout and fail. This patch fixes
package version constraint contradictions and add some new lower
constraints to speed up pip's dependency resolution.

[1] https://github.com/PyCQA/bandit/releases/tag/1.6.3
[2] PyCQA/bandit#615
[3] PyCQA/bandit#663
[4] PyCQA/bandit#665

Change-Id: Ib3ff3bd2df8954407e880a759082ef1eee3e76a1
openstack-mirroring pushed a commit to openstack/osprofiler that referenced this issue Feb 24, 2021
The 1.6.3 [1] release has dropped support for py2 [2] but the release
is faulty and pip still picks it up for py2 [3][4], so cap to 1.6.2
when using py2.

sphinx and elasticsearch requirement needed to be updated to make
requirements-check job pass.

[1] https://github.com/PyCQA/bandit/releases/tag/1.6.3
[2] PyCQA/bandit#615
[3] PyCQA/bandit#663
[4] PyCQA/bandit#665

Change-Id: I8762bad8821868c97af8114e49f51b6383df3e5c
(cherry picked from commit 30ffa27)
openstack-mirroring pushed a commit to openstack/oslo.service that referenced this issue Feb 24, 2021
The 1.6.3 [1] release has dropped support for py2 [2] but the release
is faulty and pip still picks it up for py2 [3][4], so cap to 1.6.2
when using py2.

Contradicting hacking version replaced (in lower-constraints.txt to
match with test-requirements.txt), which pulls in newer flake8, too.

Sphinx requirements also fixed to make requirements-check job pass.

[1] https://github.com/PyCQA/bandit/releases/tag/1.6.3
[2] PyCQA/bandit#615
[3] PyCQA/bandit#663
[4] PyCQA/bandit#665

Change-Id: Ifd2bce1552e092a605f96d404ad12a4bbd03fe0c
openstack-mirroring pushed a commit to openstack/oslo.privsep that referenced this issue Feb 24, 2021
The 1.6.3 [1] release has dropped support for py2 [2] but the release
is faulty and pip still picks it up for py2 [3][4], so cap to 1.6.2
when using py2.

Contradicting hacking version replaced (in lower-constraints.txt to
match with test-requirements.txt), which pulls in newer flake8, too.

Sphinx requirements also fixed to make requirements-check job pass.

[1] https://github.com/PyCQA/bandit/releases/tag/1.6.3
[2] PyCQA/bandit#615
[3] PyCQA/bandit#663
[4] PyCQA/bandit#665

Change-Id: I86312e5f46d4e880fbe7d230a6ac7d6a2f3ba5ae
openstack-mirroring pushed a commit to openstack/oslo.middleware that referenced this issue Feb 24, 2021
The 1.6.3 [1] release has dropped support for py2 [2] but the release
is faulty and pip still picks it up for py2 [3][4], so cap to 1.6.2
when using py2.

sphinx requirement needed to be updated to make requirements-check job
pass.

[1] https://github.com/PyCQA/bandit/releases/tag/1.6.3
[2] PyCQA/bandit#615
[3] PyCQA/bandit#663
[4] PyCQA/bandit#665

Change-Id: I787a0276ec0a62bc9e2f068e4e4ee1219a306474
openstack-mirroring pushed a commit to openstack/oslo.reports that referenced this issue Feb 24, 2021
The 1.6.3 [1] release has dropped support for py2 [2] but the release
is faulty and pip still picks it up for py2 [3][4], so cap to 1.6.2
when using py2.

Contradicting hacking version replaced (in lower-constraints.txt to
match with test-requirements.txt), which pulls in newer flake8, too.

Sphinx requirements also fixed to make requirements-check job pass.

[1] https://github.com/PyCQA/bandit/releases/tag/1.6.3
[2] PyCQA/bandit#615
[3] PyCQA/bandit#663
[4] PyCQA/bandit#665

Change-Id: I0c50a5d70cd288cea3fe05a23dcb474cde176caa
(cherry picked from commit 53c69e7)
openstack-mirroring pushed a commit to openstack/oslo.rootwrap that referenced this issue Mar 1, 2021
The 1.6.3 [1] release has dropped support for py2 [2] but the release
is faulty and pip still picks it up for py2 [3][4], so cap to 1.6.2
when using py2.

Contradicting hacking version replaced (in lower-constraints.txt to
match with test-requirements.txt), which pulls in newer flake8, too.

Sphinx requirements also fixed to make requirements-check job pass.

[1] https://github.com/PyCQA/bandit/releases/tag/1.6.3
[2] PyCQA/bandit#615
[3] PyCQA/bandit#663
[4] PyCQA/bandit#665

Change-Id: Ibdc46d188a6025a42a6c7244cb0700563f56b3d1
openstack-mirroring pushed a commit to openstack/oslo.reports that referenced this issue Mar 2, 2021
The 1.6.3 [1] release has dropped support for py2 [2] but the release
is faulty and pip still picks it up for py2 [3][4], so cap to 1.6.2
when using py2.

sphinx requirement needed to be updated to make requirements-check job
pass.

[1] https://github.com/PyCQA/bandit/releases/tag/1.6.3
[2] PyCQA/bandit#615
[3] PyCQA/bandit#663
[4] PyCQA/bandit#665

Change-Id: Ic49c9bffc970b34ffa85696e9f8abbd8e8a1a776
openstack-mirroring pushed a commit to openstack/oslo.reports that referenced this issue Mar 2, 2021
The 1.6.3 [1] release has dropped support for py2 [2] but the release
is faulty and pip still picks it up for py2 [3][4], so cap to 1.6.2
when using py2.

Sphinx requirements also fixed to make requirements-check job pass.

[1] https://github.com/PyCQA/bandit/releases/tag/1.6.3
[2] PyCQA/bandit#615
[3] PyCQA/bandit#663
[4] PyCQA/bandit#665

Change-Id: Id83f06c2f7a120960083b05d01b311e733bd0369
openstack-mirroring pushed a commit to openstack/osprofiler that referenced this issue Mar 2, 2021
The 1.6.3 [1] release has dropped support for py2 [2] but the release
is faulty and pip still picks it up for py2 [3][4], so cap to 1.6.2
when using py2.

sphinx requirement updated to make requirements-check job pass.

[1] https://github.com/PyCQA/bandit/releases/tag/1.6.3
[2] PyCQA/bandit#615
[3] PyCQA/bandit#663
[4] PyCQA/bandit#665

Change-Id: Id412a175c8b2a9c8c62105f5a6205b1330a9883f
openstack-mirroring pushed a commit to openstack/oslo.service that referenced this issue Mar 2, 2021
The 1.6.3 [1] release has dropped support for py2 [2] but the release
is faulty and pip still picks it up for py2 [3][4], so cap to 1.6.2
when using py2.

sphinx requirement needed to be updated to make requirements-check job
pass.

[1] https://github.com/PyCQA/bandit/releases/tag/1.6.3
[2] PyCQA/bandit#615
[3] PyCQA/bandit#663
[4] PyCQA/bandit#665

Change-Id: I4cdc6d038911283f3eeedbdf70fc6c24933f4d28
openstack-mirroring pushed a commit to openstack/oslo.service that referenced this issue Mar 2, 2021
The 1.6.3 [1] release has dropped support for py2 [2] but the release
is faulty and pip still picks it up for py2 [3][4], so cap to 1.6.2
when using py2.

Sphinx requirements also fixed to make requirements-check job pass.

[1] https://github.com/PyCQA/bandit/releases/tag/1.6.3
[2] PyCQA/bandit#615
[3] PyCQA/bandit#663
[4] PyCQA/bandit#665

Change-Id: Ifde30bc88e77c027c3dce12417c0718f5ae56f23
openstack-mirroring pushed a commit to openstack/oslo.service that referenced this issue Mar 2, 2021
The 1.6.3 [1] release has dropped support for py2 [2] but the release
is faulty and pip still picks it up for py2 [3][4], so cap to 1.6.2
when using py2.

sphinx requirement needed to be updated to make requirements-check job
pass.

[1] https://github.com/PyCQA/bandit/releases/tag/1.6.3
[2] PyCQA/bandit#615
[3] PyCQA/bandit#663
[4] PyCQA/bandit#665

Change-Id: Ia4a143d0c17e5471868d1508be1ec391d8c21090
openstack-mirroring pushed a commit to openstack/oslo.privsep that referenced this issue Mar 2, 2021
The 1.6.3 [1] release has dropped support for py2 [2] but the release
is faulty and pip still picks it up for py2 [3][4], so cap to 1.6.2
when using py2.

Sphinx requirements also fixed to make requirements-check job pass.

[1] https://github.com/PyCQA/bandit/releases/tag/1.6.3
[2] PyCQA/bandit#615
[3] PyCQA/bandit#663
[4] PyCQA/bandit#665

Change-Id: I12478b0b85aad91bcf71500e0cef59698c528417
openstack-mirroring pushed a commit to openstack/oslo.privsep that referenced this issue Mar 2, 2021
The 1.6.3 [1] release has dropped support for py2 [2] but the release
is faulty and pip still picks it up for py2 [3][4], so cap to 1.6.2
when using py2.

sphinx requirement needed to be updated to make requirements-check job
pass.

[1] https://github.com/PyCQA/bandit/releases/tag/1.6.3
[2] PyCQA/bandit#615
[3] PyCQA/bandit#663
[4] PyCQA/bandit#665

Change-Id: I3ee4f975ed968e73c553e12fdc53c03c1e4f8064
openstack-mirroring pushed a commit to openstack/oslo.middleware that referenced this issue Mar 2, 2021
The 1.6.3 [1] release has dropped support for py2 [2] but the release
is faulty and pip still picks it up for py2 [3][4], so cap to 1.6.2
when using py2.

sphinx requirement needed to be updated to make requirements-check job
pass.

[1] https://github.com/PyCQA/bandit/releases/tag/1.6.3
[2] PyCQA/bandit#615
[3] PyCQA/bandit#663
[4] PyCQA/bandit#665

Change-Id: Id39cd1f6ed61a3fa457f461fc8d399b550f3bb57
openstack-mirroring pushed a commit to openstack/oslo.rootwrap that referenced this issue Mar 2, 2021
The 1.6.3 [1] release has dropped support for py2 [2] but the release
is faulty and pip still picks it up for py2 [3][4], so cap to 1.6.2
when using py2.

Sphinx requirements also fixed to make requirements-check job pass.

[1] https://github.com/PyCQA/bandit/releases/tag/1.6.3
[2] PyCQA/bandit#615
[3] PyCQA/bandit#663
[4] PyCQA/bandit#665

Change-Id: Ib53ba3d18179fd773ace2fc26479b60ecd4c820c
openstack-mirroring pushed a commit to openstack/osprofiler that referenced this issue Mar 2, 2021
The 1.6.3 [1] release has dropped support for py2 [2] but the release
is faulty and pip still picks it up for py2 [3][4], so cap to 1.6.2
when using py2.

sphinx requirement updated to make requirements-check job pass.

[1] https://github.com/PyCQA/bandit/releases/tag/1.6.3
[2] PyCQA/bandit#615
[3] PyCQA/bandit#663
[4] PyCQA/bandit#665

Change-Id: I95461280d11b14199ba64a2da5709a1e2f4531df
openstack-mirroring pushed a commit to openstack/oslo.middleware that referenced this issue Mar 2, 2021
The 1.6.3 [1] release has dropped support for py2 [2] but the release
is faulty and pip still picks it up for py2 [3][4], so cap to 1.6.2
when using py2.

sphinx requirement needed to be updated to make requirements-check job
pass.

[1] https://github.com/PyCQA/bandit/releases/tag/1.6.3
[2] PyCQA/bandit#615
[3] PyCQA/bandit#663
[4] PyCQA/bandit#665

Change-Id: I787a0276ec0a62bc9e2f068e4e4ee1219a306474
(cherry picked from commit fba3b78)
openstack-mirroring pushed a commit to openstack/oslo.rootwrap that referenced this issue Mar 17, 2021
The 1.6.3 [1] release has dropped support for py2 [2] but the release
is faulty and pip still picks it up for py2 [3][4], so cap to 1.6.2
when using py2.

Sphinx requirements also fixed to make requirements-check job pass.

[1] https://github.com/PyCQA/bandit/releases/tag/1.6.3
[2] PyCQA/bandit#615
[3] PyCQA/bandit#663
[4] PyCQA/bandit#665

Change-Id: I69fde94a9a5b57ab131b56320a0d2ed2f8596729
openstack-mirroring pushed a commit to openstack/oslo.rootwrap that referenced this issue Mar 17, 2021
The 1.6.3 [1] release has dropped support for py2 [2] but the release
is faulty and pip still picks it up for py2 [3][4], so cap to 1.6.2
when using py2.

Sphinx requirements also fixed to make requirements-check job pass.

[1] https://github.com/PyCQA/bandit/releases/tag/1.6.3
[2] PyCQA/bandit#615
[3] PyCQA/bandit#663
[4] PyCQA/bandit#665

Change-Id: I543337fc3d6b6815de9b0bffe10ba09cda6b1821
openstack-mirroring pushed a commit to openstack/oslo.log that referenced this issue Mar 22, 2021
The 1.6.3 [1] release has dropped support for py2 [2] but the release
is faulty and pip still picks it up for py2 [3][4], so cap to 1.6.2
when using py2.

Sphinx requirements also fixed to make requirements-check job pass.

lower-constraints job fixed with
* correcting contradicting/missing constraints
* setting default install_command to not use upper-constraints.txt

[1] https://github.com/PyCQA/bandit/releases/tag/1.6.3
[2] PyCQA/bandit#615
[3] PyCQA/bandit#663
[4] PyCQA/bandit#665

Change-Id: Ib2bad4cbd1ac9a63cd8c8e48f5cd5bf8c5cde595
openstack-mirroring pushed a commit to openstack/oslo.log that referenced this issue Mar 22, 2021
The 1.6.3 [1] release has dropped support for py2 [2] but the release
is faulty and pip still picks it up for py2 [3][4], so cap to 1.6.2
when using py2.

Sphinx requirements also fixed to make requirements-check job pass.

[1] https://github.com/PyCQA/bandit/releases/tag/1.6.3
[2] PyCQA/bandit#615
[3] PyCQA/bandit#663
[4] PyCQA/bandit#665

Change-Id: Ib2bad4cbd1ac9a63cd8c8e48f5cd5bf8c5cde595
openstack-mirroring pushed a commit to openstack/murano that referenced this issue Apr 6, 2021
The 1.6.3 [1] release has dropped support for py2 [2] but the release
is faulty and pip still picks it up for py2 [3][4], so cap to 1.6.2
when using py2.

With the introduction of the new dependency resolver in 20.3 pip the
lower-constraints job starts to fail as now the constraints are working
as they should. Multiple fixes needed:
* lower-constraints job uses the [testenv]install_command, so it gives
  both the upper-constraints and lower-constraints, which causes the
  job to fail. As an easy fix install_command is added to this target
  without the upper constraints.
* duplicate stestr constraint removed
* cryptography lower constraint is bumped as with version 2.1 the
  new resolver of pip takes hours to install the packages
* contradicting hacking version replaced (in lower-constraints.txt to
  match with test-requirements.txt), which pulls in newer flake8, too
* lower-constraints test job failed with error message:
  "[..] unexpected keyword argument 'barbican_endpoint_type'"
  which is due to old version of castellan.

[1] https://github.com/PyCQA/bandit/releases/tag/1.6.3
[2] PyCQA/bandit#615
[3] PyCQA/bandit#663
[4] PyCQA/bandit#665

Change-Id: I4b33c2544c911bd68ed8af4c754c9f5dc0c93be8
priteau pushed a commit to stackhpc/kolla-ansible that referenced this issue Apr 22, 2021
The 'prechecks : Checking Docker version' task previously failed with
Docker 20.10.0. The regex used to parse the version was returning
0.10.0, which is not above the minimum. The previous version of 19.x
would have been parsed as 9.x, which is above the minimum.

This change fixes the issue by matching the beginning and end of the
version using \b.

For Train and below additionally blacklist bandit 1.6.3 as
it was improperly released as a universal wheel. [1]

[1] PyCQA/bandit#663

Change-Id: I2a23eea7effb5b9a5e73361bcd48bd2e16d1569c
Closes-Bug: 1907436
Co-Authored-By: Radosław Piliszek <radoslaw.piliszek@gmail.com>
(cherry picked from commit 00ee93b)
openstack-mirroring pushed a commit to openstack/cinder that referenced this issue Jun 4, 2021
This patch has multiple fixes to unblock gate.

1. bandit

We don't have bandit requirements in upper-constraints, so we need
to cap it in stable branches manually to work with Python 2.7, as
bandit 1.6.3 [1] release has dropped support for py2 [2] but the
release is faulty and pip still picks it up for py2 [3][4].

2. pip resolver

With the new pip resolver the following issues needed to be fixed:
* SQLAlchemy-Utils constraint conflicts with rocky's upper constraints
* bump lower constraint of cryptography
* bump lower constraint of oslo.messaging
* bump lower constraint of oslo.utils

3. lower-constraints

In lower-constraints job lxml requires libxml2-dev and libxslt1-dev
packages, so bindep.txt is extended with them.

install_command needs to be added to lower-constraints tox target to
work properly.

4. cinder-tempest-dsvm-lvm-lio-barbican

Fix for overlapping CIDR issue in cinder-tempest-dsvm-lvm-lio-barbican
is the same as in patch I068cf1e9618d305b5a9383c283bfa0f120bfe905.

5. pin nodeset to xenial for requirements-check job

The default nodeset for zuul jobs is now ubuntu-focal, and
requirements-check job fails on focal, because the mysql it contains is
not compatible with the commands that is used in tools/test-setup.sh.
This patch pins the nodeset to ubuntu-xenial for requirements-check job
to make it pass.

[1] https://github.com/PyCQA/bandit/releases/tag/1.6.3
[2] PyCQA/bandit#615
[3] PyCQA/bandit#663
[4] PyCQA/bandit#665

Change-Id: Ie597e778e3efa61bfd98eaaa92730b5050195e7a
(cherry picked from commit a512bfc233fc76c4375388b8546ab9e60459e1d3)
tipabu added a commit to tipabu/eventlet that referenced this issue Dec 15, 2023
From https://wheel.readthedocs.io/en/stable/user_guide.html :

> If your project contains no C extensions and is expected to work on
> both Python 2 and 3, you will want to tell wheel to produce universal
> wheels by adding this to your setup.cfg file:
>
>   [bdist_wheel]
>   universal = 1

Now that we no longer support Python 2, it's inappropriate for us to
claim that our wheels are universal. Note that claiming that a wheel
is universal when it's not has caused trouble for other projects in
the past; see PyCQA/bandit#663
4383 pushed a commit to eventlet/eventlet that referenced this issue Dec 15, 2023
From https://wheel.readthedocs.io/en/stable/user_guide.html :

> If your project contains no C extensions and is expected to work on
> both Python 2 and 3, you will want to tell wheel to produce universal
> wheels by adding this to your setup.cfg file:
>
>   [bdist_wheel]
>   universal = 1

Now that we no longer support Python 2, it's inappropriate for us to
claim that our wheels are universal. Note that claiming that a wheel
is universal when it's not has caused trouble for other projects in
the past; see PyCQA/bandit#663