mozilla-inbound: changeset 290283:68dba144ea2c9d729bfff52c40d4dbbc8437661b

author	Gregory Szorc <gps@mozilla.com>
	Thu, 24 Mar 2016 12:34:47 -0700
changeset 290283	68dba144ea2c9d729bfff52c40d4dbbc8437661b
parent 290282	78babd21215d21389c7a8026f42db76a5f302af6
child 290284	0974ea6ae83bd6b018ba0ec50b8f90fc5e7b4aa6
push id	74190
push user	gszorc@mozilla.com
push date	Thu, 24 Mar 2016 19:41:20 +0000
treeherder	mozilla-inbound@68dba144ea2c [default view] [failures only]
perfherder	[talos] [build metrics] [platform microbench] (compared to previous push)
reviewers	ted
bugs	1259551
milestone	48.0a1
first release with	nightly linux32 b2dbee5ca727 / 48.0a1 / 20160325083832 / files nightly linux64 b2dbee5ca727 / 48.0a1 / 20160325083832 / files nightly mac b2dbee5ca727 / 48.0a1 / 20160325083832 / files nightly win32 b2dbee5ca727 / 48.0a1 / 20160325085113 / files nightly win64 b2dbee5ca727 / 48.0a1 / 20160325085113 / files
last release without	nightly linux32 6202ade0e6d6 / 48.0a1 / 20160324030447 / files nightly linux64 6202ade0e6d6 / 48.0a1 / 20160324030447 / files nightly mac 6202ade0e6d6 / 48.0a1 / 20160324030447 / files nightly win32 6202ade0e6d6 / 48.0a1 / 20160324030447 / files nightly win64 6202ade0e6d6 / 48.0a1 / 20160324030447 / files

Bug 1259551 - Add --no-download to virtualenv.py invocation; r=ted Before, virtualenv.py may have attempted to use 3rd party (untrusted) pip indices when installing wheels for pip, setuptools, and wheel. These dependencies are vendored in the tree for a reason. So don't let virtualenv contact the outside world. MozReview-Commit-ID: 6BCU0WegJO1

python/mozbuild/mozbuild/virtualenv.py

file | annotate | diff | comparison | revisions

--- a/python/mozbuild/mozbuild/virtualenv.py
+++ b/python/mozbuild/mozbuild/virtualenv.py
@@ -168,16 +168,21 @@ class VirtualenvManager(object):
         Receives the path to virtualenv's virtualenv.py script (which will be
         called out to), the path to create the virtualenv in, and a handle to
         write output to.
         """
         env = dict(os.environ)
         env.pop('PYTHONDONTWRITEBYTECODE', None)
 
         args = [python, self.virtualenv_script_path,
+            # Without this, virtualenv.py may attempt to contact the outside
+            # world and search for or download a newer version of pip,
+            # setuptools, or wheel. This is bad for security, reproducibility,
+            # and speed.
+            '--no-download',
             self.virtualenv_root]
 
         result = subprocess.call(args, stdout=self.log_handle,
             stderr=subprocess.STDOUT, env=env)
 
         if result:
             raise Exception(
                 'Failed to create virtualenv: %s' % self.virtualenv_root)