fix: upgrade setuptools to 79.0.1 in python-samples-testing-docker #13468
Conversation
product-auto-label
bot
added
the
samples
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Summary of Changes
Hello @parthea, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!
This pull request primarily focuses on enhancing the security and maintainability of the python-samples-testing-docker image by addressing a setuptools vulnerability. It involves comprehensive updates to Python runtime versions, pip, and the Google Cloud SDK, ensuring the testing environment remains current and robust.
Highlights
- Setuptools Security Fix and Upgrade: I've upgraded
setuptoolsto version 79.0.1 to address a reported vulnerability (b/424659470). This involved removing the system-widepython3-setuptoolspackage viaapt, explicitly uninstallingsetuptoolsfor older, unsupported Python versions (2.7, 3.7, 3.8), and then installing the updated version for Python 3.9 and newer using newly introducedrequirements.inandrequirements.txtfiles. - Python Runtime Version Updates: All specified Python runtime versions within the Docker image have been updated to their latest patch releases (e.g., 3.9.20 to 3.9.23, 3.10.15 to 3.10.18, 3.11.10 to 3.11.13, 3.12.7 to 3.12.11, 3.13.0 to 3.13.5), ensuring the testing environment uses up-to-date interpreters.
- Dependency Version Bumps: The
pipversion has been updated from 21.3.1 to 23.1.2, and the Google Cloud SDK version has been bumped from 502.0.0 to 528.0.0. Additionally, theCLOUDSDK_PYTHONenvironment variable has been updated to usepython3.12for the Google Cloud SDK.
Using Gemini Code Assist
The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.
Invoking Gemini
You can request assistance from Gemini at any point in your pull request via creating an issue comment (i.e. comment on the pull request page) using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands.
| Feature | Command | Description |
|---|---|---|
| Code Review | /gemini review |
Performs a code review for the current pull request in its current state. |
| Pull Request Summary | /gemini summary |
Provides a summary of the current pull request in its current state. |
| Comment | @gemini-code-assist | Responds in comments when explicitly tagged, both in issue comments and review comments. |
| Help | /gemini help |
Displays a list of available commands. |
Customization
To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.
Limitations & Feedback
Gemini Code Assist is currently in preview and may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments to provide feedback.
You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.
Footnotes
-
Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩
There was a problem hiding this comment.
Code Review
This pull request updates dependencies in the Dockerfile, including Python runtimes, pip, and setuptools, to address a security vulnerability. The introduction of requirements.in and a pinned requirements.txt improves dependency management. The review focuses on Dockerfile best practices to enhance efficiency and maintainability.
.kokoro/docker/Dockerfile
Outdated
| @@ -65,6 +65,7 @@ RUN apt-get update \ | |||
| uuid-dev \ | |||
| wget \ | |||
| zlib1g-dev \ | |||
| && apt remove -y python3-setuptools \ | |||
There was a problem hiding this comment.
Consider using apt-get instead of apt for package management. apt-get is more script-friendly and its behavior is more predictable in automated environments like Dockerfiles.
&& apt-get remove -y python3-setuptools \
.kokoro/docker/Dockerfile
Outdated
| RUN rm /tmp/get-pip-3-8.py | ||
| RUN rm /tmp/get-pip-3-7.py |
There was a problem hiding this comment.
Combine these rm commands into a single RUN instruction to reduce the number of layers in the Docker image, optimizing its size.
RUN rm /tmp/get-pip.py /tmp/get-pip-3-8.py /tmp/get-pip-3-7.py
.kokoro/docker/Dockerfile
Outdated
| -r /requirements.txt \ | ||
| ; done |
There was a problem hiding this comment.
Remove the temporary file /requirements.txt in the same RUN layer where it's used to avoid creating an extra layer and reduce the image size.
; done && rm /requirements.txt
parthea
added
kokoro:force-run
kokoro-team
removed
kokoro:run
There was a problem hiding this comment.
In theory this change looks correct, but we should wait for unit tests to complete, and also (if possible) testing the updates in a built image. And/or merging this PR and fast-following with re-trying a PR with the new image and confirming all the checks successfully run.
Description
Fixes b/424659470
Note: Before submitting a pull request, please open an issue for discussion if you are not associated with Google.
Checklist
nox -s py-3.9(see Test Environment Setup)nox -s lint(see Test Environment Setup)This PR is similar to googleapis/testing-infra-docker#488 which upgraded setuptools in
python-base, as well as googleapis/testing-infra-docker#490 which upgraded setuptools inpython-multiThis PR includes the following fixes
python3-setuptoolsto address b/424659470setuptoolsto 79.0.1 to address b/424659470setuptoolsfor Python 3.7/3.8 which are not supported runtimes insetuptools==79.0.1pipto23.1.2to match what we have inpython-basegcloudversion to 528.0.0 and upgradegcloudpython to 3.12