From 18bd38ae8b8b887783439a2728c5497949e1470d Mon Sep 17 00:00:00 2001
From: Geoffrey Sneddon
Date: Sun, 5 Jan 2014 12:09:24 +0000
Subject: [PATCH 1/4] Stop using --use-mirrors when installing requirements.
--use-mirrors both found mirrors and accessed them insecurely, yet trusted them (CVE-2013-5123); pip 1.5 removes support.
---
 requirements-install.sh | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/requirements-install.sh b/requirements-install.sh
index 2268367e..8374a086 100755
--- a/requirements-install.sh
+++ b/requirements-install.sh
@@ -5,16 +5,16 @@ if [[ $USE_OPTIONAL != "true" && $USE_OPTIONAL != "false" ]]; then
 exit 1
 fi
-pip install -r requirements-test.txt --use-mirrors
+pip install -r requirements-test.txt
 if [[ $USE_OPTIONAL == "true" && $TRAVIS_PYTHON_VERSION != "pypy" ]]; then
 if [[ $TRAVIS_PYTHON_VERSION == "2.6" ]]; then
- pip install -r requirements-optional-2.6.txt --use-mirrors
+ pip install -r requirements-optional-2.6.txt
 else
- pip install -r requirements-optional-cpython.txt --use-mirrors
+ pip install -r requirements-optional-cpython.txt
 fi
 fi
 if [[ $FLAKE == "true" ]]; then
- pip install --use-mirrors flake8
+ pip install flake8
 fi
From a2d58b8eaaeffe50bb7f4a9df274f67176fe1237 Mon Sep 17 00:00:00 2001
From: Geoffrey Sneddon
Date: Sun, 5 Jan 2014 12:11:23 +0000
Subject: [PATCH 2/4] Installing flake8 separately is unnecessary; it is in requirements-test.txt.
---
 requirements-install.sh | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/requirements-install.sh b/requirements-install.sh
index 8374a086..f5447ebd 100755
--- a/requirements-install.sh
+++ b/requirements-install.sh
@@ -14,7 +14,3 @@ if [[ $USE_OPTIONAL == "true" && $TRAVIS_PYTHON_VERSION != "pypy" ]]; then
 pip install -r requirements-optional-cpython.txt
 fi
 fi
-
-if [[ $FLAKE == "true" ]]; then
- pip install flake8
-fi
From bc0e23aad3ddf5db96315c301a18d2614d272219 Mon Sep 17 00:00:00 2001
From: Geoffrey Sneddon
Date: Sun, 5 Jan 2014 12:25:32 +0000
Subject: [PATCH 3/4] Allow Genshi to be installed insecurely, for now.
Ergh. It's not like there's not been masses of warning about this.
---
 requirements-install.sh | 4 ++--
 tox.ini | 2 ++
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/requirements-install.sh b/requirements-install.sh
index f5447ebd..0ad36b1b 100755
--- a/requirements-install.sh
+++ b/requirements-install.sh
@@ -9,8 +9,8 @@ pip install -r requirements-test.txt
 if [[ $USE_OPTIONAL == "true" && $TRAVIS_PYTHON_VERSION != "pypy" ]]; then
 if [[ $TRAVIS_PYTHON_VERSION == "2.6" ]]; then
- pip install -r requirements-optional-2.6.txt
+ pip install --allow-external Genshi --allow-unverified Genshi -r requirements-optional-2.6.txt
 else
- pip install -r requirements-optional-cpython.txt
+ pip install --allow-external Genshi --allow-unverified Genshi -r requirements-optional-cpython.txt
 fi
 fi
diff --git a/tox.ini b/tox.ini
index 53c2aae0..e2ffd3eb 100644
--- a/tox.ini
+++ b/tox.ini
@@ -9,6 +9,8 @@ deps =
 commands =
 {envbindir}/nosetests -q
 {toxinidir}/flake8-run.sh
+install_command =
+ pip install --allow-external Genshi --allow-unverified Genshi {opts} {packages}
 [testenv:pypy]
 # lxml doesn't work and datrie doesn't make sense
From 8734f899c16dc4c27bc7c72fd77ab3d8bfac888b Mon Sep 17 00:00:00 2001
From: Geoffrey Sneddon
Date: Sun, 5 Jan 2014 12:30:43 +0000
Subject: [PATCH 4/4] fixup! Allow Genshi to be installed insecurely, for now.
Use the backwards compatible --allow-insecure; this will work until pip 1.7.
---
 requirements-install.sh | 4 ++--
 tox.ini | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/requirements-install.sh b/requirements-install.sh
index 0ad36b1b..5f8ba506 100755
--- a/requirements-install.sh
+++ b/requirements-install.sh
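Review bot: Both new `pip install` lines in the [PATCH 3/4] requirements-install.sh hunk exempt Genshi from pip's external-host and verification checks, but the script itself carries no comment saying why or when the exemption should end, so "for now" is recorded only in the commit message. With `--allow-unverified Genshi` the CI job installs, and later runs, a Genshi archive whose integrity pip has not checked. A comment above the inner `if`, such as `# TODO: remove the Genshi --allow-external/--allow-unverified exemption once Genshi can be installed with verification`, would keep that risk visible to the next maintainer. If the requirements files can name one specific Genshi archive with a hash fragment, the unverified exemption may not be needed at all; those files are outside this patch, so that needs checking.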
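Review bot: The `install_command` override in the [PATCH 3/4] tox.ini hunk appears to sit in the base test environment section (it is added directly above `[testenv:pypy]`), so every environment that inherits from it would install with the Genshi exemption, including any that never install Genshi. Consider setting it only in the environments whose `deps` actually pull in Genshi, and put an ini comment beside it, for example `# temporary: Genshi needs --allow-external/--allow-unverified; remove when no longer required`. The section header is outside the hunk, so the placement should be confirmed against the full file.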
@@ -9,8 +9,8 @@ pip install -r requirements-test.txt
 if [[ $USE_OPTIONAL == "true" && $TRAVIS_PYTHON_VERSION != "pypy" ]]; then
 if [[ $TRAVIS_PYTHON_VERSION == "2.6" ]]; then
- pip install --allow-external Genshi --allow-unverified Genshi -r requirements-optional-2.6.txt
+ pip install --allow-external Genshi --allow-insecure Genshi -r requirements-optional-2.6.txt
 else
- pip install --allow-external Genshi --allow-unverified Genshi -r requirements-optional-cpython.txt
+ pip install --allow-external Genshi --allow-insecure Genshi -r requirements-optional-cpython.txt
 fi
 fi
diff --git a/tox.ini b/tox.ini
index e2ffd3eb..9e0a5ee3 100644
--- a/tox.ini
+++ b/tox.ini
@@ -10,7 +10,7 @@ commands =
 {envbindir}/nosetests -q
 {toxinidir}/flake8-run.sh
 install_command =
- pip install --allow-external Genshi --allow-unverified Genshi {opts} {packages}
+ pip install --allow-external Genshi --allow-insecure Genshi {opts} {packages}
 [testenv:pypy]
 # lxml doesn't work and datrie doesn't make sense
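Review bot: `--allow-insecure` is kept here only as a backwards-compatible spelling that, per the commit message, stops working at pip 1.7, and nothing in the script records that cutoff. The same flag string is now repeated on both branches of the inner `if` and again in the tox.ini hunk's `install_command`, so the eventual removal has three places to miss. In the script, a single array such as `genshi_opts=(--allow-external Genshi --allow-insecure Genshi)` used as `pip install "${genshi_opts[@]}" -r requirements-optional-2.6.txt`, with a comment naming the pip 1.7 limit, would keep the exemption and its expiry in one spot.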