pkg_resources==0.0.0 popping up again

[HemilTheRebel]

Environment

• pip version: pip 20.1.1
• Python version: 3.8.2
• OS: Ubuntu 20.04 LTS

I am inside a virtual environment

Description
On updating packages using this command: pip list --outdated --format=freeze | cut -d = -f 1 | xargs -n1 pip install -U which seems correct to me adds pkg_resources==0.0.0 to requirements causing my CI build to break

Expected behavior
pkg_resources==0.0.0 should not be added

How to Reproduce

virtualenv test
source test/bin/activate
pip list --outdated --format=freeze | cut -d = -f 1  | xargs -n1 pip install -U
pip freeze | grep "0.0.0"

Workaround: Omitting the -U option in pip seems to work. Use this command: pip list --outdated --format=freeze | cut -d = -f 1 | xargs -n1 pip install
Output

hemil@Hemil:~/PycharmProjects/flask-backend$ virtualenv test
created virtual environment CPython3.8.2.final.0-64 in 202ms
  creator CPython3Posix(dest=/home/hemil/PycharmProjects/flask-backend/test, clear=False, global=False)
  seeder FromAppData(download=False, CacheControl=latest, packaging=latest, retrying=latest, ipaddr=latest, requests=latest, distlib=latest, msgpack=latest, chardet=latest, pyparsing=latest, webencodings=latest, certifi=latest, colorama=latest, setuptools=latest, pip=latest, html5lib=latest, wheel=latest, six=latest, lockfile=latest, idna=latest, progress=latest, appdirs=latest, urllib3=latest, contextlib2=latest, pkg_resources=latest, pytoml=latest, pep517=latest, distro=latest, via=copy, app_data_dir=/home/hemil/.local/share/virtualenv/seed-app-data/v1.0.1.debian)
  activators BashActivator,CShellActivator,FishActivator,PowerShellActivator,PythonActivator,XonshActivator
hemil@Hemil:~/PycharmProjects/flask-backend$ source test/bin/activate
(test) hemil@Hemil:~/PycharmProjects/flask-backend$ pip list --outdated --format=freeze | grep -v '^\-e' | cut -d = -f 1  | xargs -n1 pip install -U
Collecting appdirs
  Using cached appdirs-1.4.4-py2.py3-none-any.whl (9.6 kB)
Installing collected packages: appdirs
  Attempting uninstall: appdirs
    Found existing installation: appdirs 1.4.3
    Uninstalling appdirs-1.4.3:
      Successfully uninstalled appdirs-1.4.3
Successfully installed appdirs-1.4.4
Collecting certifi
  Using cached certifi-2020.4.5.1-py2.py3-none-any.whl (157 kB)
Installing collected packages: certifi
  Attempting uninstall: certifi
    Found existing installation: certifi 2019.11.28
    Uninstalling certifi-2019.11.28:
      Successfully uninstalled certifi-2019.11.28
Successfully installed certifi-2020.4.5.1
Collecting contextlib2
  Using cached contextlib2-0.6.0.post1-py2.py3-none-any.whl (9.8 kB)
Installing collected packages: contextlib2
  Attempting uninstall: contextlib2
    Found existing installation: contextlib2 0.6.0
    Uninstalling contextlib2-0.6.0:
      Successfully uninstalled contextlib2-0.6.0
Successfully installed contextlib2-0.6.0.post1
Collecting distro
  Using cached distro-1.5.0-py2.py3-none-any.whl (18 kB)
Installing collected packages: distro
  Attempting uninstall: distro
    Found existing installation: distro 1.4.0
    Uninstalling distro-1.4.0:
      Successfully uninstalled distro-1.4.0
Successfully installed distro-1.5.0
Collecting idna
  Using cached idna-2.9-py2.py3-none-any.whl (58 kB)
Installing collected packages: idna
  Attempting uninstall: idna
    Found existing installation: idna 2.8
    Uninstalling idna-2.8:
      Successfully uninstalled idna-2.8
Successfully installed idna-2.9
Collecting msgpack
  Using cached msgpack-1.0.0-cp38-cp38-manylinux1_x86_64.whl (303 kB)
Installing collected packages: msgpack
  Attempting uninstall: msgpack
    Found existing installation: msgpack 0.6.2
    Uninstalling msgpack-0.6.2:
      Successfully uninstalled msgpack-0.6.2
Successfully installed msgpack-1.0.0
Collecting packaging
  Using cached packaging-20.4-py2.py3-none-any.whl (37 kB)
Requirement already satisfied, skipping upgrade: pyparsing>=2.0.2 in ./test/lib/python3.8/site-packages (from packaging) (2.4.6)
Requirement already satisfied, skipping upgrade: six in ./test/lib/python3.8/site-packages (from packaging) (1.14.0)
Installing collected packages: packaging
  Attempting uninstall: packaging
    Found existing installation: packaging 20.3
    Uninstalling packaging-20.3:
      Successfully uninstalled packaging-20.3
Successfully installed packaging-20.4
Collecting pip
  Using cached pip-20.1.1-py2.py3-none-any.whl (1.5 MB)
Installing collected packages: pip
  Attempting uninstall: pip
    Found existing installation: pip 20.0.2
    Uninstalling pip-20.0.2:
      Successfully uninstalled pip-20.0.2
Successfully installed pip-20.1.1
Collecting pyparsing
  Using cached pyparsing-2.4.7-py2.py3-none-any.whl (67 kB)
Installing collected packages: pyparsing
  Attempting uninstall: pyparsing
    Found existing installation: pyparsing 2.4.6
    Uninstalling pyparsing-2.4.6:
      Successfully uninstalled pyparsing-2.4.6
Successfully installed pyparsing-2.4.7
Collecting requests
  Using cached requests-2.23.0-py2.py3-none-any.whl (58 kB)
Requirement already satisfied, skipping upgrade: certifi>=2017.4.17 in ./test/lib/python3.8/site-packages (from requests) (2020.4.5.1)
Requirement already satisfied, skipping upgrade: chardet<4,>=3.0.2 in ./test/lib/python3.8/site-packages (from requests) (3.0.4)
Requirement already satisfied, skipping upgrade: idna<3,>=2.5 in ./test/lib/python3.8/site-packages (from requests) (2.9)
Requirement already satisfied, skipping upgrade: urllib3!=1.25.0,!=1.25.1,<1.26,>=1.21.1 in ./test/lib/python3.8/site-packages (from requests) (1.25.8)
Installing collected packages: requests
  Attempting uninstall: requests
    Found existing installation: requests 2.22.0
    Uninstalling requests-2.22.0:
      Successfully uninstalled requests-2.22.0
Successfully installed requests-2.23.0
Collecting setuptools
  Using cached setuptools-46.4.0-py3-none-any.whl (583 kB)
Installing collected packages: setuptools
  Attempting uninstall: setuptools
    Found existing installation: setuptools 44.0.0
    Uninstalling setuptools-44.0.0:
      Successfully uninstalled setuptools-44.0.0
Successfully installed setuptools-46.4.0
Collecting six
  Using cached six-1.15.0-py2.py3-none-any.whl (10 kB)
Installing collected packages: six
  Attempting uninstall: six
    Found existing installation: six 1.14.0
    Uninstalling six-1.14.0:
      Successfully uninstalled six-1.14.0
Successfully installed six-1.15.0
Collecting urllib3
  Using cached urllib3-1.25.9-py2.py3-none-any.whl (126 kB)
Installing collected packages: urllib3
  Attempting uninstall: urllib3
    Found existing installation: urllib3 1.25.8
    Uninstalling urllib3-1.25.8:
      Successfully uninstalled urllib3-1.25.8
Successfully installed urllib3-1.25.9
(test) hemil@Hemil:~/PycharmProjects/flask-backend$ pip freeze | grep "0.0.0"
pkg-resources==0.0.0

[uranusjr]

pkg_resources is added when your virtualenv is created, not pip. This should be reported to pypa/virtualenv instead.

[dstufft]

This comes from Debian, who splits out pkg_resources from setuptools, but installs them both into a virtual environment. They've patched their copy of pip to also ignore pkg_resources by default, but of course that doesn't affect when the upstream version has been installed.

We could consider ignoring it by default as well, or adding some mechanism to allow Debian to influence what gets ignored by default besides directly patching code.

[HemilTheRebel]

I have seen the original issue. Thats why i mentioned again in the title. The reason i posted it here and not on virtual env is because this issue resolved when i omit -U option in pip install

@dstufft @uranusjr

[amotl]

Hi there,

first things first: Thanks a stack for conceiving and maintaining pip. You are doing an excellent job here.

Together with @elbart, we just discovered this issue also on CI at [1] after we generated a requirements.txt from the list of prerequisites installed into a virtualenv. The environment where the generation happened was a WSL2, Ubuntu 20.04, Python 3.8.5, pip 21.0.1, with virtualenv created through python3 -m venv .venv.

After seeing this and before discovering #4022 and #8331, we didn't trust our eyes. Actually, in the spirit of [2], we have been glad to see uploads to this package are blocked from PyPI ;].

Now, while we are not involved into the very details of the pip code base yet, we are humbly asking if there would be something the maintainers could do about it? I would like to second @dstufft here:

We could consider ignoring it by default as well.

Would that be an option to consider and implement?

Keep up the spirit and with kind regards,
Andreas.

[1] https://github.com/flow-heater/flow-heater/runs/1875391709?check_suite_focus=true
[2] https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610

---

P.S.: The issue can be easily reproduced like

docker run -ti debian:buster bash
apt-get update
apt-get install --yes python3 python3-venv
python3 -m venv .venv
source .venv/bin/activate
pip list --format=freeze

pip==20.0.2
pkg-resources==0.0.0
setuptools==44.0.0

The same happens with Docker images debian:bullseye, ubuntu:20.04 and ubuntu:20.10. However, the Docker image python:3.9.1, while also based on Debian 10.7 (buster), is apparently not affected.