Bug#1006883: bullseye-pu: package python2-pip/20.3.4-4+deb11u1
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: python-pip@packages.debian.org
[ Reason ]
There is a race-condition in pip querying metadata from PyPI in
parallel, e.g. for "pip list --outdated". I suspect upstream never saw
it because we were using zipimports for pip's dependencies, where they
vendor them.
The race-condition seems to be specific to their home-grown parallel
map() implementation, which was later replaced by Python's native
map().
[ Impact ]
pip list --outdated can fail with a very obscure traceback. See
#1006150.
[ Tests ]
Manually reproduced the race, fairly frequently.
With this patch I haven't seen the race again.
[ Risks ]
Trivial change, following something upstream did in a later version,
when dropping support for older Python releases.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
Use Python's native map() instead of pip's home-grown map_multithread().
[ Other info ]
N/A
diff -Nru python-pip-20.3.4/debian/changelog python-pip-20.3.4/debian/changelog
--- python-pip-20.3.4/debian/changelog 2021-07-01 16:44:29.000000000 -0400
+++ python-pip-20.3.4/debian/changelog 2022-03-07 11:19:24.000000000 -0400
@@ -1,3 +1,10 @@
+python-pip (20.3.4-4+deb11u1) bullseye; urgency=medium
+
+ * Use native map() to avoid a zipimport race in pip list --outdated.
+ (Closes: #1006150)
+
+ -- Stefano Rivera <stefanor@debian.org> Mon, 07 Mar 2022 11:19:24 -0400
+
python-pip (20.3.4-4) unstable; urgency=medium
* No-change upload against distlib 0.3.2+really+0.3.1-0.1.
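Review bot: The source name on the added first line, "python-pip (20.3.4-4+deb11u1)", does not match the python2-pip/20.3.4-4+deb11u1 named in the request title; please confirm the debdiff is against the source package this request is for. The entry could also state that the lookups behind "pip list --outdated" now run sequentially, since that is the user-visible side of swapping map_multithread() for map().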
diff -Nru python-pip-20.3.4/debian/patches/native-map.patch python-pip-20.3.4/debian/patches/native-map.patch
--- python-pip-20.3.4/debian/patches/native-map.patch 1969-12-31 20:00:00.000000000 -0400
+++ python-pip-20.3.4/debian/patches/native-map.patch 2022-03-07 11:19:24.000000000 -0400
@@ -0,0 +1,33 @@
+From: Stefano Rivera <stefanor@debian.org>
+Date: Mon, 7 Mar 2022 11:17:31 -0400
+Subject: Use native map() instead of map_multithread()
+
+Avoids a race-condition when using zip-imported dependencies.
+
+Origin: upstream, https://github.com/pypa/pip/commit/0252c04a16cd93fe422cebf0b48453b559a2e404
+Bug-Debian: https://bugs.debian.org/1006150
+---
+ src/pip/_internal/commands/list.py | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/src/pip/_internal/commands/list.py b/src/pip/_internal/commands/list.py
+index 10720b2..8e63eea 100644
+--- a/src/pip/_internal/commands/list.py
++++ b/src/pip/_internal/commands/list.py
+@@ -20,7 +20,6 @@ from pip._internal.utils.misc import (
+ write_output,
+ )
+ from pip._internal.utils.packaging import get_installer
+-from pip._internal.utils.parallel import map_multithread
+ from pip._internal.utils.typing import MYPY_CHECK_RUNNING
+
+ if MYPY_CHECK_RUNNING:
+@@ -234,7 +233,7 @@ class ListCommand(IndexGroupCommand):
+ dist.latest_filetype = typ
+ return dist
+
+- for dist in map_multithread(latest_info, packages):
++ for dist in map(latest_info, packages):
+ if dist is not None:
+ yield dist
+
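Review bot: The patch description says only "Avoids a race-condition when using zip-imported dependencies" and does not record the trade-off in the last inner hunk: with "for dist in map(latest_info, packages):" the per-package latest_info calls run one after another in the calling thread instead of through map_multithread(). Suggest adding a sentence to the description saying that the index queries are now serial and that the slower "pip list --outdated" is accepted for the stable update. Dropping the map_multithread import in the first inner hunk is consistent with the call-site change and leaves no unused import in list.py.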
diff -Nru python-pip-20.3.4/debian/patches/series python-pip-20.3.4/debian/patches/series
--- python-pip-20.3.4/debian/patches/series 2021-07-01 16:44:29.000000000 -0400
+++ python-pip-20.3.4/debian/patches/series 2022-03-07 11:19:24.000000000 -0400
@@ -10,3 +10,4 @@
debug-command-for-unbundled.patch
str-version.patch
git-split-ascii.patch
+native-map.patch