build environment leaves .python-eggs group writeable which causes UserWarnings #1748

Closed
tfoote opened this issue Dec 14, 2013 · 7 comments

@tfoote

tfoote commented Dec 14, 2013

In my builds I have a few unit tests which check command line tools for both expected stdout and stderr results. Due to the file permissions on the .python-eggs file in /home/travis, I get the following error repeatedly on my python2.x builds. In python3.x it does not raise the same warnings.

```
/home/travis/virtualenv/python2.6/lib/python2.6/site-packages/pkg_resources.py:1054: UserWarning: /home/travis/.python-eggs is writable by group/others and vulnerable to attack when used with get_resource_filename. Consider a more secure location (set with .set_extraction_path or the PYTHON_EGG_CACHE environment variable).
  warnings.warn(msg, UserWarning)
```

From this example job: https://travis-ci.org/vcstools/rosinstall/jobs/15428340

It appears that this warning is triggered when running python scripts which utilize pkg_resources.

I don't believe that this is my configuration issue as the file is outside my build directory. My .travis.yml is here: https://github.com/vcstools/rosinstall/blob/master/.travis.yml

```yaml
language: python
python:
  - "2.6"
  - "2.7"
  - "3.2"
# command to install dependencies
install:
# develop seems to be required by travis since 02/2013
  - python setup.py build develop
  - sudo gpg --keyserver hkp://subkeys.pgp.net --recv-keys 16126D3A3E5C1192
  - sudo gpg --export --armor 16126D3A3E5C1192 | sudo apt-key add -
  - sudo apt-get clean
  - sudo apt-get install -qq zsh
  - sudo pip install vcstools nose-cov coverage pyyaml
# Set git config to silence some stuff in the tests
  - git config --global user.email "foo@example.com"
  - git config --global user.name "Foo Bar"
# Set the hg user
  - echo -e "[ui]\nusername = Your Name <your@mail.com>" >> ~/.hgrc
# Set the bzr user
  - bzr whoami "Your Name <name@example.com>"
# command to run tests
script:
  - python -c 'import sys; print(sys.path)'
# Local tests work even if ros.org is down
#  - nosetests test/local
  - nosetests test
notifications:
  email: false
matrix:
  allow_failures:
    - python: "3.2"
```

My workaround has been to disable all warnings inside those unit tests, which is suboptimal.

@lddubeau

Prompted by alisaifee's investigation of a test failure on our end, I've worked around this issue by adding these commands at the end of the list of installation commands, before the test suite is run:

```sh
# -p keeps the step from failing if the directory already exists
mkdir -p "$HOME/.python-eggs"
chmod og-w "$HOME/.python-eggs"
```

@sarahhodne
Contributor

We recently updated our build environments with several Python changes. Are you still seeing this?

@roidrage
Contributor

roidrage commented May 9, 2014

Hey, we haven't heard back from you, so I'm closing this.

If you have any more issues, you can either give us an update here or file a new one.

@roidrage roidrage closed this as completed May 9, 2014
@ffledgling

I seem to have run into a similar issue today. I'm getting the following error warning:

```
/home/travis/virtualenv/python2.7.6/lib/python2.7/site-packages/pkg_resources.py:991: UserWarning: /home/travis/.python-eggs is writable by group/others and vulnerable to attack when used with get_resource_filename. Consider a more secure location (set with .set_extraction_path or the PYTHON_EGG_CACHE environment variable).
```

@joshk
Contributor

joshk commented Jul 21, 2014

@dstufft do you know what this error means? Is it something Travis needs to fix?

@dstufft

dstufft commented Jul 24, 2014

Probably just a permission that needs fixing to make something not group/world writable.

@ffledgling

Does this mean it's an issue on the Travis side or do I need to fix something in my project's source code?

dcolligan added a commit to dcolligan/ga4gh-server that referenced this issue Jan 16, 2015
dcolligan added a commit to dcolligan/ga4gh-server that referenced this issue Jan 16, 2015
isislovecruft added a commit to isislovecruft/bridgedb that referenced this issue Feb 10, 2015
Travis-CI issue #1748 [0] was causing non-deterministic CI test
failures, particularly in the lib/bridgedb/test/test_https.py
integration tests which use the Python mechanize module to test the
HTTPS server. [0]

This is a known Python security issue, particularly for WSGI server
setup. [2] [3] The fix is quite simple, just set the PYTHON_EGG_CACHE
environment variable to something unique to each CI build and ensure
that the PYTHON_EGG_CACHE directory exists.

 * FIXES issues with non-deterministic Travis-CI test failures due to a
   known security hole in shared Python .egg cache directories.

[0]: travis-ci/travis-ci#1748
[1]: https://travis-ci.org/isislovecruft/bridgedb/jobs/50169439#L1763
[2]: https://stackoverflow.com/questions/2192323/what-is-the-python-egg-cache-python-egg-cache
[3]: pypa/virtualenv#459
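
The two fixes discussed in this thread (stripping group/other write permission from the default cache, and pointing PYTHON_EGG_CACHE at a directory unique to the build) can be combined with a check for the condition the warning reports. This is an added example, not code from Travis CI or from any participant; the function names `egg_cache_is_safe`, `harden_egg_cache` and `setup_egg_cache` are hypothetical.

```shell
#!/bin/sh
# Added example: helpers for a CI install step. All function names are
# hypothetical; only PYTHON_EGG_CACHE and ~/.python-eggs come from the thread.

# Return 0 if the directory exists and is NOT writable by group or others,
# i.e. the condition named in the pkg_resources UserWarning does not hold.
egg_cache_is_safe() {
    dir=$1
    [ -d "$dir" ] || return 1
    # "$dir/." resolves a symlinked cache; keep only the 10 mode characters
    mode=$(ls -ld "$dir/." | cut -c1-10)
    case $mode in
        ?????w*|????????w*) return 1 ;;   # group-write or other-write bit set
    esac
    return 0
}

# Workaround from the thread: ensure the cache directory exists and remove
# group/other write permission. Defaults to the path in the warning.
harden_egg_cache() {
    dir=${1:-$HOME/.python-eggs}
    mkdir -p "$dir" && chmod og-w "$dir"
}

# Fix from the referencing commit message: a cache directory unique to this
# build. Sets and exports PYTHON_EGG_CACHE in the calling shell, so call it
# directly rather than inside $(...).
setup_egg_cache() {
    cache=$(mktemp -d "${TMPDIR:-/tmp}/python-eggs.XXXXXX") || return 1
    chmod 700 "$cache"                    # owner-only, stated explicitly
    PYTHON_EGG_CACHE=$cache
    export PYTHON_EGG_CACHE
}

# Typical use before the test suite runs:
setup_egg_cache || exit 1
if egg_cache_is_safe "$PYTHON_EGG_CACHE"; then
    echo "egg cache: $PYTHON_EGG_CACHE (not group/other writable)"
else
    echo "egg cache: $PYTHON_EGG_CACHE is still group/other writable" >&2
fi
```

In a `.travis.yml`, the same commands would go at the end of the `install:` list so that the variable is set before `script:` runs.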
yentsun added a commit to yentsun/price_watch that referenced this issue Mar 28, 2015