Remove setuptools/wheels/distribute from UNSAFE_PACKAGES. Fixes #1584

poetry/installation/pip_installer.py

@@ -39,7 +39,7 @@ def install(self, package: "Package", update: bool = False) -> None:
 
             return
 
-        args = ["install", "--no-deps"]
+        args = ["install", "--no-deps", "--use-pep517"]
 
         if (
             package.source_type not in {"git", "directory", "file", "url"}
@@ -193,7 +193,7 @@ def install_directory(self, package: "Package") -> Union[str, int]:
         else:
             req = os.path.realpath(package.source_url)
 
-        args = ["install", "--no-deps", "-U"]
+        args = ["install", "--no-deps", "--use-pep517", "-U"]
 
         pyproject = PyProjectTOML(os.path.join(req, "pyproject.toml"))
 

poetry/puzzle/provider.py

@@ -54,7 +54,7 @@ def _formatter_elapsed(self) -> str:
 
 class Provider:
 
-    UNSAFE_PACKAGES = {"setuptools", "distribute", "pip", "wheel"}
+    UNSAFE_PACKAGES = {"pip"}
 
     def __init__(
         self, package: Package, pool: Pool, io: Any, env: Optional[Env] = None

pyproject.toml

@@ -52,6 +52,7 @@ httpretty = "^1.0"
 zipp = { version = "^3.4", python = "<3.8"}
 # temporary workaround for https://github.com/python-poetry/poetry/issues/3404
 urllib3 = "1.25.10"
+deepdiff = "^5.2"
 
 [tool.poetry.scripts]
 poetry = "poetry.console.application:main"

tests/fixtures/simple_project/pyproject.toml

@@ -23,6 +23,7 @@ classifiers = [
 # Requirements
 [tool.poetry.dependencies]
 python = "~2.7 || ^3.4"
+cachy = {version = "0.2.0", source = "my-index"}
 
 [tool.poetry.scripts]
 foo = "foo:bar"

tests/installation/fixtures/with-pypi-repository.test

@@ -68,9 +68,22 @@ six = ">=1.10.0"
 attrs = ">=17.4.0"
 more-itertools = ">=4.0.0"
 pluggy = ">=0.5,<0.7"
+setuptools = "*"
 funcsigs = {"version" = "*", "markers" = "python_version < \"3.0\""}
 colorama = {"version" = "*", "markers" = "sys_platform == \"win32\""}
 
+[[package]]
+name = "setuptools"
+version = "39.2.0"
+description = "Easily download, build, install, upgrade, and uninstall Python packages"
+category = "dev"
+optional = false
+python-versions = ">=2.7,!=3.0.*,!=3.1.*,!=3.2.*"
+
+[package.extras]
+certs = ["certifi (==2016.9.26)"]
+ssl = ["wincertstore (==0.2)"]
+
 [[package]]
 name = "six"
 version = "1.11.0"
@@ -113,6 +126,11 @@ pytest = [
     {file = "pytest-3.5.0-py2.py3-none-any.whl", hash = "sha256:6266f87ab64692112e5477eba395cfedda53b1933ccd29478e671e73b420c19c"},
     {file = "pytest-3.5.0.tar.gz", hash = "sha256:fae491d1874f199537fd5872b5e1f0e74a009b979df9d53d1553fd03da1703e1"},
 ]
+setuptools = [
+    {file = "setuptools-39.2.0-py2.py3-none-any.whl", hash = "sha256:8fca9275c89964f13da985c3656cb00ba029d7f3916b37990927ffdf264e7926"},
+    {file = "setuptools-39.2.0.zip", "hash" = "sha256:f7cddbb5f5c640311eb00eab6e849f7701fa70bf6a183fc8a2c33dd1d1672fb2"}
+]
+
 six = [
     {file = "six-1.11.0-py2.py3-none-any.whl", hash = "sha256:832dc0e10feb1aa2c68dcc57dbb658f1c7e65b9b61af69048abc87a2db00a0eb"},
     {file = "six-1.11.0.tar.gz", hash = "sha256:70e8a77beed4562e7f14fe23a786b54f6296e34344c23bc42f07b15018ff98e9"},

tests/installation/test_installer.py

@@ -8,6 +8,7 @@
 import pytest
 
 from cleo.io.null_io import NullIO
+from deepdiff import DeepDiff
 
 from poetry.core.packages import ProjectPackage
 from poetry.core.toml.file import TOMLFile
@@ -388,15 +389,19 @@ def test_run_install_remove_untracked(installer, locker, repo, package, installe
     package_b = get_package("b", "1.1")
     package_c = get_package("c", "1.2")
     package_pip = get_package("pip", "20.0.0")
+    package_setuptools = get_package("setuptools", "20.0.0")
+
     repo.add_package(package_a)
     repo.add_package(package_b)
     repo.add_package(package_c)
     repo.add_package(package_pip)
+    repo.add_package(package_setuptools)
 
     installed.add_package(package_a)
     installed.add_package(package_b)
     installed.add_package(package_c)
-    installed.add_package(package_pip)  # Always required and never removed.
+    installed.add_package(package_pip)
+    installed.add_package(package_setuptools)
     installed.add_package(package)  # Root package never removed.
 
     package.add_dependency(Factory.create_dependency("A", "~1.0"))
@@ -406,8 +411,8 @@ def test_run_install_remove_untracked(installer, locker, repo, package, installe
 
     assert 0 == installer.executor.installations_count
     assert 0 == installer.executor.updates_count
-    assert 2 == installer.executor.removals_count
-    assert {"b", "c"} == set(r.name for r in installer.executor.removals)
+    assert 3 == installer.executor.removals_count
+    assert {"b", "c", "setuptools"} == set(r.name for r in installer.executor.removals)
 
 
 def test_run_whitelist_add(installer, locker, repo, package):
@@ -449,7 +454,7 @@ def test_run_whitelist_add(installer, locker, repo, package):
     installer.run()
     expected = fixture("with-dependencies")
 
-    assert locker.written_data == expected
+    assert not DeepDiff(locker.written_data, expected, ignore_order=True)
 
 
 def test_run_whitelist_remove(installer, locker, repo, package, installed):
@@ -1604,7 +1609,7 @@ def test_installer_required_extras_should_not_be_removed_when_updating_single_de
     installer.whitelist(["pytest"])
     installer.run()
 
-    assert 6 == installer.executor.installations_count
+    assert 7 == installer.executor.installations_count
     assert 0 == installer.executor.updates_count
     assert 0 == installer.executor.removals_count
 

tests/installation/test_installer_old.py

@@ -1505,7 +1505,7 @@ def test_installer_required_extras_should_not_be_removed_when_updating_single_de
     installer.whitelist(["pytest"])
     installer.run()
 
-    assert len(installer.installer.installs) == 6
+    assert len(installer.installer.installs) == 7
     assert len(installer.installer.updates) == 0
     assert len(installer.installer.removals) == 0
 

tests/mixology/version_solver/test_python_constraint.py

@@ -15,7 +15,7 @@ def test_dependency_does_not_match_root_python_constraint(root, provider, repo):
   - foo requires Python <3.5, so it will not be satisfied for Python >=3.6,<4.0
 
 Because no versions of foo match !=1.0.0
- and foo (1.0.0) requires Python <3.5, foo is forbidden.
-So, because myapp depends on foo (*), version solving failed."""
+ and foo (==1.0.0) requires Python <3.5, foo is forbidden.
+So, because myapp depends on foo, version solving failed."""
 
     check_solver_result(root, provider, error=error)

tests/mixology/version_solver/test_unsolvable.py

@@ -14,7 +14,7 @@ def test_no_version_matching_constraint(root, provider, repo):
         root,
         provider,
         error=(
-            "Because myapp depends on foo (^1.0) "
+            "Because myapp depends on foo (>=1.0,<2.0) "
             "which doesn't match any versions, version solving failed."
         ),
     )
@@ -30,10 +30,10 @@ def test_no_version_that_matches_combined_constraints(root, provider, repo):
     add_to_repo(repo, "shared", "3.5.0")
 
     error = """\
-Because foo (1.0.0) depends on shared (>=2.0.0 <3.0.0)
- and no versions of shared match >=2.9.0,<3.0.0, foo (1.0.0) requires shared (>=2.0.0,<2.9.0).
-And because bar (1.0.0) depends on shared (>=2.9.0 <4.0.0), bar (1.0.0) is incompatible with foo (1.0.0).
-So, because myapp depends on both foo (1.0.0) and bar (1.0.0), version solving failed."""
+Because foo (==1.0.0) depends on shared (>=2.0.0,<3.0.0)
+ and no versions of shared match >=2.9.0,<3.0.0, foo (==1.0.0) requires shared (>=2.0.0,<2.9.0).
+And because bar (==1.0.0) depends on shared (>=2.9.0,<4.0.0), bar (==1.0.0) is incompatible with foo (==1.0.0).
+So, because myapp depends on both foo (==1.0.0) and bar (==1.0.0), version solving failed."""
 
     check_solver_result(root, provider, error=error)
 
@@ -48,9 +48,9 @@ def test_disjoint_constraints(root, provider, repo):
     add_to_repo(repo, "shared", "4.0.0")
 
     error = """\
-Because bar (1.0.0) depends on shared (>3.0.0)
- and foo (1.0.0) depends on shared (<=2.0.0), bar (1.0.0) is incompatible with foo (1.0.0).
-So, because myapp depends on both foo (1.0.0) and bar (1.0.0), version solving failed."""
+Because bar (==1.0.0) depends on shared (>3.0.0)
+ and foo (==1.0.0) depends on shared (<=2.0.0), bar (==1.0.0) is incompatible with foo (==1.0.0).
+So, because myapp depends on both foo (==1.0.0) and bar (==1.0.0), version solving failed."""
 
     check_solver_result(root, provider, error=error)
     check_solver_result(root, provider, error=error)
@@ -64,7 +64,7 @@ def test_disjoint_root_constraints(root, provider, repo):
     add_to_repo(repo, "foo", "2.0.0")
 
     error = """\
-Because myapp depends on both foo (1.0.0) and foo (2.0.0), version solving failed."""
+Because myapp depends on both foo (==1.0.0) and foo (==2.0.0), version solving failed."""
 
     check_solver_result(root, provider, error=error)
 
@@ -81,10 +81,10 @@ def test_no_valid_solution(root, provider, repo):
 
     error = """\
 Because no versions of b match <1.0.0 || >1.0.0,<2.0.0 || >2.0.0
- and b (1.0.0) depends on a (2.0.0), b (!=2.0.0) requires a (2.0.0).
-And because a (2.0.0) depends on b (2.0.0), b is forbidden.
-Because b (2.0.0) depends on a (1.0.0) which depends on b (1.0.0), b is forbidden.
+ and b (==1.0.0) depends on a (==2.0.0), b (!=2.0.0) requires a (==2.0.0).
+And because a (==2.0.0) depends on b (==2.0.0), b is forbidden.
+Because b (==2.0.0) depends on a (==1.0.0) which depends on b (==1.0.0), b is forbidden.
 Thus, b is forbidden.
-So, because myapp depends on b (*), version solving failed."""
+So, because myapp depends on b, version solving failed."""
 
     check_solver_result(root, provider, error=error, tries=2)