[RAPTOR-14742] python311: Drop venv #1686
Conversation
|
The Needs Review labels were added based on the following file changes. Team @datarobot/genai-systems (#genai-systems) was assigned because of changes in files:public_dropin_environments/python311/Dockerfile public_dropin_environments/python311/env_info.json If you think that there are some issues with ownership, please discuss with C&A domain at #sdtk slack channel and create PR to update DRCODEOWNERS\CODEOWNERS file. |
|
Label Needs Review: GenAI Systems was removed because @yakov-g is part of GenAI Systems domain. |
nullspoon
force-pushed
the
aaron/python311-use-system-pip
branch
from
508c6e9 to
1ec9d7f
Compare
|
Hey @klichukb and @yakov-g This is really just an example PR of a change I wonder if we can make. This forces the use of system site packages (and system pip) so the vulnerability doesn't get reintroduced when the virtualenv is set up. Are we okay with this and/or do you two know of any use cases where this might be problematic? If it's fine still, I'd like to apply it to all of the other public dropin envs. Note that the fix will probably be available on pypi in a few days, so we can just take that route if wanted. With this PR, I'm just hoping to simplify the cve fixing process in the future where pip might have other vulnerabilities that chainguard fixes faster than upstream. |
|
I built the image and tried to do pip install. |
nullspoon
force-pushed
the
aaron/python311-use-system-pip
branch
from
1ec9d7f to
a6b1028
Compare
|
Updated to drop the virtualenv completely. |
Since this runs inside of a docker container, there really isn't much point to a virtual env here. It just adds storage overhead and path complexity. That said, additionally, the upstream pip has a security vulnerability, CVE-2025-8869, which has been fixed, but not released, and it is uncertain when the fix will be released. Chainguard has however fixed pip in their version. As such, using system python resources uses their fixed pip version, as using a virtualenv installs its own version of pip, reintroducing the vulnerability.
nullspoon
force-pushed
the
aaron/python311-use-system-pip
branch
from
a6b1028 to
0cd42f5
Compare
nullspoon
changed the title
Since this runs inside of a docker container, there really isn't much point to a virtual env here. It just adds storage overhead and path complexity.
That said, additionally, the upstream pip has a security vulnerability, CVE-2025-8869, which has been fixed, but not released, and it is uncertain when the fix will be released.
Chainguard has however fixed pip in their version. As such, using system python resources uses their fixed pip version, as using a virtualenv installs its own version of pip, reintroducing the vulnerability.
This repository is public. Do not put here any private DataRobot or customer's data: code, datasets, model artifacts, .etc.
Summary
Rationale