Bug 1259551 - Add --no-download to virtualenv.py invocation; r?ted
Before, virtualenv.py may have attempted to use third-party
(untrusted) pip indices when installing wheels for pip,
setuptools, and wheel. These dependencies are vendored in
the tree for a reason. So don't let virtualenv contact the
outside world.
MozReview-Commit-ID: 6BCU0WegJO1
--- a/python/mozbuild/mozbuild/virtualenv.py
+++ b/python/mozbuild/mozbuild/virtualenv.py
@@ -168,16 +168,21 @@ class VirtualenvManager(object):
Receives the path to virtualenv's virtualenv.py script (which will be
called out to), the path to create the virtualenv in, and a handle to
write output to.
"""
env = dict(os.environ)
env.pop('PYTHONDONTWRITEBYTECODE', None)
args = [python, self.virtualenv_script_path,
+ # Without this, virtualenv.py may attempt to contact the outside
+ # world and search for or download a newer version of pip,
+ # setuptools, or wheel. This is bad for security, reproducibility,
+ # and speed.
+ '--no-download',
self.virtualenv_root]
result = subprocess.call(args, stdout=self.log_handle,
stderr=subprocess.STDOUT, env=env)
if result:
raise Exception(
'Failed to create virtualenv: %s' % self.virtualenv_root)
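Review bot: The new comment above `'--no-download'` explains the risk but not the failure mode the flag introduces: with downloads disabled, virtualenv.py can only install pip, setuptools and wheel from the wheels bundled alongside the vendored script, so a missing or stale bundle now fails the virtualenv creation (the `if result:` branch) instead of silently reaching out to an index, which is the intended fail-closed behaviour and worth stating. I would extend the comment with `# With downloads disabled, virtualenv.py falls back only to the wheels bundled with the vendored script; if those are absent the call fails rather than contacting a network index.` Note also that `--no-download` is only recognised by reasonably recent virtualenv releases (I believe it was added in the 14.x line), so the in-tree virtualenv.py must stay at or above that version or `subprocess.call` will fail with an unrecognised-argument error; a one-line comment pinning that expectation next to `self.virtualenv_script_path` would help whoever next updates the vendored copy. The enclosing method begins before this hunk, so its docstring header is not visible here.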