[BUG] Version 78.0.1 breaks install of ansible-vault package #4910

andy-maier · 2025-03-24T15:10:18Z

setuptools version

78.0.1

Python version

3.11

OS

Ubuntu

Additional environment information

No response

Description

When installing the "ansible-vault" package, setuptools raises this exception:


$ pip install ansible-vault --upgrade
Collecting ansible-vault
  Using cached ansible-vault-2.1.0.tar.gz (3.5 kB)
  Installing build dependencies ... done
  Getting requirements to build wheel ... error
  error: subprocess-exited-with-error
  
  × Getting requirements to build wheel did not run successfully.
  │ exit code: 1
  ╰─> [34 lines of output]
      Traceback (most recent call last):
        File "/Users/maiera/virtualenvs/vpcauto311/lib/python3.11/site-packages/pip/_vendor/pyproject_hooks/_in_process/_in_process.py", line 389, in <module>
          main()
        File "/Users/maiera/virtualenvs/vpcauto311/lib/python3.11/site-packages/pip/_vendor/pyproject_hooks/_in_process/_in_process.py", line 373, in main
          json_out["return_val"] = hook(**hook_input["kwargs"])
                                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
        File "/Users/maiera/virtualenvs/vpcauto311/lib/python3.11/site-packages/pip/_vendor/pyproject_hooks/_in_process/_in_process.py", line 143, in get_requires_for_build_wheel
          return hook(config_settings)
                 ^^^^^^^^^^^^^^^^^^^^^
        File "/private/var/folders/tg/fy7jbcg96lv1_hvlmcv263kr0000gn/T/pip-build-env-1hnvit19/overlay/lib/python3.11/site-packages/setuptools/build_meta.py", line 334, in get_requires_for_build_wheel
          return self._get_build_requires(config_settings, requirements=[])
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
        File "/private/var/folders/tg/fy7jbcg96lv1_hvlmcv263kr0000gn/T/pip-build-env-1hnvit19/overlay/lib/python3.11/site-packages/setuptools/build_meta.py", line 304, in _get_build_requires
          self.run_setup()
        File "/private/var/folders/tg/fy7jbcg96lv1_hvlmcv263kr0000gn/T/pip-build-env-1hnvit19/overlay/lib/python3.11/site-packages/setuptools/build_meta.py", line 522, in run_setup
          super().run_setup(setup_script=setup_script)
        File "/private/var/folders/tg/fy7jbcg96lv1_hvlmcv263kr0000gn/T/pip-build-env-1hnvit19/overlay/lib/python3.11/site-packages/setuptools/build_meta.py", line 320, in run_setup
          exec(code, locals())
        File "<string>", line 11, in <module>
        File "/private/var/folders/tg/fy7jbcg96lv1_hvlmcv263kr0000gn/T/pip-build-env-1hnvit19/overlay/lib/python3.11/site-packages/setuptools/__init__.py", line 116, in setup
          _install_setup_requires(attrs)
        File "/private/var/folders/tg/fy7jbcg96lv1_hvlmcv263kr0000gn/T/pip-build-env-1hnvit19/overlay/lib/python3.11/site-packages/setuptools/__init__.py", line 87, in _install_setup_requires
          dist.parse_config_files(ignore_option_errors=True)
        File "/Users/maiera/virtualenvs/vpcauto311/lib/python3.11/site-packages/_virtualenv.py", line 22, in parse_config_files
          result = old_parse_config_files(self, *args, **kwargs)
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
        File "/private/var/folders/tg/fy7jbcg96lv1_hvlmcv263kr0000gn/T/pip-build-env-1hnvit19/overlay/lib/python3.11/site-packages/setuptools/dist.py", line 730, in parse_config_files
          self._parse_config_files(filenames=inifiles)
        File "/private/var/folders/tg/fy7jbcg96lv1_hvlmcv263kr0000gn/T/pip-build-env-1hnvit19/overlay/lib/python3.11/site-packages/setuptools/dist.py", line 599, in _parse_config_files
          opt = self._enforce_underscore(opt, section)
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
        File "/private/var/folders/tg/fy7jbcg96lv1_hvlmcv263kr0000gn/T/pip-build-env-1hnvit19/overlay/lib/python3.11/site-packages/setuptools/dist.py", line 629, in _enforce_underscore
          raise InvalidConfigError(
      setuptools.errors.InvalidConfigError: Invalid dash-separated key 'description-file' in 'metadata' (setup.cfg), please use the underscore name 'description_file' instead.
      [end of output]
  
  note: This error originates from a subprocess, and is likely not a problem with pip.
error: subprocess-exited-with-error

× Getting requirements to build wheel did not run successfully.
│ exit code: 1
╰─> See above for output.

note: This error originates from a subprocess, and is likely not a problem with pip.

Expected behavior

ansible-vault has not changed since 2021 and should install as before.

How to Reproduce

Create and activate a fresh Pyhton virtual env, using Python 3.11:

mkvirtualenv test -p python3.11

Install version 78.0.1 of setuptools

pip install setuptools==78.0.1

Install ansible-vault

pip install ansible-vault

Output

See above

The text was updated successfully, but these errors were encountered:

andy-maier · 2025-03-24T15:10:50Z

We are circumventing this by excluding setuptools 78.0.1.

Update: That was a thought, but it does not work reliably. See the discussion below.

twratl · 2025-03-24T15:15:01Z

Seeing this for other packages as well.

abravalheri · 2025-03-24T15:15:15Z

Hi @andy-maier, please contact the package developers and inform about the problem highlighted in the error message:

  setuptools.errors.InvalidConfigError: Invalid dash-separated key 'description-file' in 'metadata' (setup.cfg), please use the underscore name 'description_file' instead.

This has been deprecated in 2021.

It looks like there are issue with the new release: pypa/setuptools#4910

lindycoder · 2025-03-24T15:24:07Z

Hello, having the same issue with https://pypi.org/project/opentracing/ where the project is not maintained anymore, we'll try to get rid of it, but would be great to keep it backward compatible, if possible :)

Thank you!

andy-maier · 2025-03-24T15:24:33Z

@abravalheri I can do that, but I do not understand why this issue comes up now, just 30min after 78.0.1 was released, and the same packages worked before. There must have been some change that "activated" that check only now.

abravalheri · 2025-03-24T15:27:51Z

There must have been some change that "activated" that check only now.

You are absolutely correct, there was.
We bumped the major version of setuptools from 77.0.3 to 78.0.0 to indicate an intentional breaking change, namely the removal for the deprecated handling of --separated options in setup.cfg. They are described in this section: https://setuptools.pypa.io/en/latest/history.html#deprecations-and-removals.

andy-maier · 2025-03-24T15:27:56Z

Update: Downgrading setuptools to below 78.0.1 does not make the error go away. That is consistent with @abravalheri stating that the check was introduced in 2021. So it must be something else. Any idea where to look?

emil-peters · 2025-03-24T15:30:31Z

We had the same issue with pysdf which is also no longer maintained, but used by us.
Downgrading to setuptools==77.0.3 seems to fix the issue for us

Had to manually run pip install setuptools==77.0.3 before pip install -r requirements.txt to make it work though

aleksanb · 2025-03-24T15:30:43Z

Our system broke here as well. Downgrading to 77.0.3 did not fix it for us.

dnit · 2025-03-24T15:31:04Z

We are on ~~setuptools==44.1.0~~ , and that is failing as well. Something else pulling in latest version :( .

sentrivana · 2025-03-24T15:32:18Z

We have the same issue with multiple third-party packages. Downgrading to 77.0.3 produces the same error.

abravalheri · 2025-03-24T15:32:54Z

Update: Downgrading setuptools to below 78.0.1 does not make the error go away. That is consistent with @abravalheri stating that the check was introduced in 2021. So it must be something else. Any idea where to look?

Before 78.0.0, there should be a deprecation warning. After 78.0.0, this deprecation warning was converted to an exception.

Sometimes it can be a bit tricky to pin the setuptools version because of caching and/or build isolation. You can try to use PIP_CONSTAINT.

(78.0.0 and 78.0.1 are identical when it comes to user-facing code, the only difference is in the CI code).

andy-maier · 2025-03-24T15:37:23Z

The problem is that it does not seem to be clearly tied to the setuptools versions that are used. At one point I thought it is related to whether or not pip's --no-build-isolation option is used, but that was also not reproducable.

See pypa/setuptools#4910 for more details

ilya-tkachov · 2025-03-24T15:39:45Z

I understand how you have had this deprecation warning since 2021, but I'm not sure the rest of the community has caught on to this change. Others have mentioned this happens in a package that is no longer maintained but we are experiencing this in a repo that is still active olirice/alembic_utils#153

Is it reasonable to force everyone to make this change by breaking their application builds?

aleksanb · 2025-03-24T15:40:52Z

Both we and sentry i see (https://github.com/getsentry/sentry-python/pull/4192/files) are trying all the suggestions presented here and none of them work.

As long as none of us know why our setups are failing it's hard to prescribe the correct solution. Both pinning with a constraints file and other versions of pinning setuptools has no effect.

emil-peters · 2025-03-24T15:43:34Z

We had the same issue with pysdf which is also no longer maintained, but used by us. Downgrading to setuptools==77.0.3 seems to fix the issue for us

Had to manually run pip install setuptools==77.0.3 before pip install -r requirements.txt to make it work though

Coming back to this... It seemed to work when doing it manually. But all our automatons seem to break

roelofvandijkO · 2025-03-24T15:43:41Z

This is pretty bad and hitting a large amount of packages, please consider yanking this as soon as possible.

rcramblit · 2025-03-24T15:44:10Z

uv pip install provides a --build-constraint that lets you provide a constraints file with setuptools<78. This allows non-conforming packages to build correctly even with the isolated build backend. I don't know how to constrain the build backend for pip install + setuptools, does that respect the PIP_CONSTRAINT env var?

ypsah · 2025-03-24T15:48:14Z

The issue pops up for any package that still uses the deprecated description-file and doesn't have a version pin on setuptools as a build dependency.

Caching may render the issue hard to reproduce: if you or your CI agent locally has access to a pre-built version of the affected package, the issue won't pop-up.

There is only one option right now for fresh installs: install an earlier version of setuptools and disable build isolation.

This affects very mainstream packages, such as dash (dependency on stringcase).

anden-akkio · 2025-03-24T15:50:35Z

Hitting this for several dependencies as well. Concretely, celery-redbeat and pyspark, each on near-latest versions.

EDIT: We're using Poetry 2.1.1. ~~Pinning to setuptools~=77.0.0 in our pyproject.toml was a sufficient fix for us.~~ Did not work. Unreliable and I think it only works if you have certain things cached. Think we might have to wait for a yank.

stianjensen · 2025-03-24T15:50:41Z

The only explanation I can understand here is that installing pip itself drags in the unpinned latest version of setuptools, and this is hard or impossible to override. The only good solution here is to yank 78.0.1 from Pypi.

potiuk · 2025-03-25T11:12:11Z

While library maintainers should aim to do things properly for newer versions, part of the job of a build tool is to be able to work with many package versions, old and new.

This is obvious. But the job of us - users of the open-source software done by volunteers is to help them succeed. If every single person who commented "you should not do it" would go to their dependencies - like I did - and tell them "improve" - and spend their time and energy in leading that, this is the only way how to drive down those 12.000 packages down to maybe a handful in a year or two.

And we can help. Those people in the packaging team working on it do all the contributions here in their free time - away of their families and day jobs. They work nights and weekends and sometimes, it happens that they make mistakes.

Are we all responsible enough, and can raise up to the task of helping those people to succeed in the future and thank them for the hard work they do?

Or all that we are capable of is to tell what THEY should do and how much they screwed up? Unlike rolling your own sleeves up and spending your own time on making things better, that is not helpful nor constructive.

I would really love if that experience turns into all those 100s of people who looked and watched that issue into agents of change who will help the whole ecosystem to modernize their build systems.

Are you up to the challenge? I am and i am going to do so. I hope many of other people here will do it as well.

potiuk · 2025-03-25T11:45:29Z

Are you up to the challenge? I am and i am going to do so. I hope many of other people here will do it as well.

And ... just to let everyone know: this works - and I am going to create a PR fixing kylinpy and the kylinpy maintainers are very responsive on that one so far - Kyligence/kylinpy#57 also I am going to follow up with all the other (we also have pyjenkins and mysql and help them to fix their projects.

And yes anyone else can also change and improve the world and go to their dependencies they saw failing and help to fix them. Maybe we can all show the power of Python community and - for a change - help to fix things rather than just complain?

adamcallison · 2025-03-25T11:54:03Z

Are you up to the challenge? I am and i am going to do so. I hope many of other people here will do it as well.

And ... just to let everyone know: this works - and I am going to create a PR fixing kylinpy and the kylinpy maintainers are very responsive on that one so far - Kyligence/kylinpy#57 also I am going to follow up with all the other (we also have pyjenkins and mysql and help them to fix their projects.

And yes anyone else can also change and improve the world and go to their dependencies they saw failing and help to fix them. Maybe we can all show the power of Python community and - for a change - help to fix things rather than just complain?

Is your recommendation that maintainers of all affected libraries release new patch versions for every minor version they've released in recent years to remove a dash? New versions of libraries should use current best practices, but a core build tool needs to be able to interact with old versions as well. The setuptools team do great work for the community, but they should be encouraged to avoid predictable (and predicted) large-scale disruption.

potiuk · 2025-03-25T12:36:43Z

Is your recommendation that maintainers of all affected libraries release new patch versions for every minor version they've released in recent years to remove a dash? New versions of libraries should use current best practices, but a core build tool needs to be able to interact with old versions as well. The setuptools team do great work for the community, but they should be encouraged to avoid predictabl F438 e (and predicted) large-scale disruption.

I don't argue that preventing predictable disruption is a good idea. I 100% agree with you. But that does not preclude spending effort by people like you and others to:

help fixing the latest released versions (in our case kylinpy latest 2.8.4 version had this issue)
you - yourself and your project - spending time and effort to make sure to use (and likely lower-bind the dependencies and work with others to do the same). If we all work in that direction and spend our engineering time on it, and help others, there is a chance that in a year or two we will be able to get rid of the deprecations.

What I am asking for is that it's quite a good idea by everyone affected here not to "negatively" complain on things but "positively" improve the world around them. Clean your own beach.

This is a theme that I am actively working with Alpha-Omega team on "Airflow Beach Cleaning" project - you can watch the Airflow Summit Keynotte from October 2024 where we explain it with Michael Winser what we are trying to do and encourage others: https://www.youtube.com/watch?v=f6gfoVJXWEE

Yes, This is a long and multi-year effort, but if we all, as community, get used to helping others who we depend on and start doing it regularly and do it at scale, problems like that will be far less often and we will be able to leave the world quite a bit better than when we started.

BTW. It's not always easy to predict such things - in case of kylinpy I found out that the fix has already been merged and 2.8.5 release was planned some time ago with the fix but it has never been released. And now, when I reached out, it turns out that there are people interested in doing so. Let's see what happens with it.

But if you look at my talk - just reaching out is already a good time spent by you and others because you might find out that when you have such problematic dependency, you can do one of three F's

Help to (F)ix it - this is what I attempt to do with kylinpy
(F) fork it - this is essentially what I've done by vendoring in 70 lines of code we needed from json-merge-patch - which was last released in 2017 Vendor-in json-merge-patch and add --no-dev to direct uv tool install apache/airflow#48210 - this way the problem is gone for us and we have one-less-dependency that can break our user's installation in the future
(F)orego it - if we find that kylin community is not responsive/ not really interested, we will simply remove kylin provider and the whole dependency

This is what I propose here:

reach out and make sure you use the latest deps
help to fix problems
decide if you want to continue using the dependency if your reach out brought silence

Anyone from any project can do it. And it's pretty much our moral obligation towards all our dependencies that we build our value on, to make sure that we also care about them (because your security and availabilty depends on your engagement with your dependencies). And yes. You can change the world. We already did in quite a number of cases in Airflow Beach Cleaning - I am going to share more and more findings and results of it as it progresses.

This removes all of the Murano code that is deprecated in the 3.0.0 release. When rally pulls in Murano it also pulls python-muranoclient that depends on murano-pkg-check that is old code that was also shown to fail the new setuptools version [1] that removed support for dashes in setup.cfg that has been deprecated since 2021. [1] pypa/setuptools#4910 Change-Id: Icb69c77f96fbf10be0def5be9e21c9af8f57761b

* Update rally-openstack from branch 'master' to 109bf1e5598db5637a3f4f446e8a3415140e8b2a - Remove Murano This removes all of the Murano code that is deprecated in the 3.0.0 release. When rally pulls in Murano it also pulls python-muranoclient that depends on murano-pkg-check that is old code that was also shown to fail the new setuptools version [1] that removed support for dashes in setup.cfg that has been deprecated since 2021. [1] pypa/setuptools#4910 Change-Id: Icb69c77f96fbf10be0def5be9e21c9af8f57761b

webknjaz · 2025-03-26T15:13:31Z

There are too many comments here but in case people didn't mention this earlier, make sure to read this blog post on handling dependency upgrades reliably: https://hynek.me/articles/semver-will-not-save-you/#taking-responsibility.

raylu · 2025-03-26T16:23:58Z

@potiuk

help fixing the latest released versions

adamcallison is not talking about the latest versions. they are talking about the ability to install older versions. requoting with emphasis:

Is your recommendation that maintainers of all affected libraries release new patch versions for every minor version they've released in recent years to remove a dash?

the setuptools breakage in this issue affects more than the latest version

@webknjaz

There are too many comments here but in case people didn't mention this earlier, make sure to read this blog post

none of the advice in that post is relevant to this issue. see #4910 (comment) to understand why

benrutter · 2025-03-27T10:46:58Z

@raylu agreed. Not sure if here is the right place to discuss this, but I think this is exposing a key vulnerability in python build systems.

When building an app, a requirements.txt or simliar can easily pin exact versions of libraries in order to guarantee a level of stability. But for python libraries that serve as build backends (like setuptools, flit or hatch) - those aren't subjected to any such pins. Ideally, build backends would specify a range like "build_tool>3.4,<=4.2", but all it takes is for a single library maintainer to fail to do this, and an applications build process is theoretically unstable.

This comment thread is nearing 5000 comments, so clearly affected a whole bunch of people. I don't think we'd see anywhere near this affect if setuptools was a standard library (rather than a build backend) - it'd just be a case of "fix the deprecation or pin".

It's easy to get frustrated at maintainers of tools like setuptools when we percieve that as being the "thing that's broken my build process" - but all things considered, they did a pretty good job communicating on a deprecation (several years), and then pragmatically rolling back when things didn't work.

The honus is maybe on tools like pip/uv, and us as a community, to work towards something better than just requiring tools like setuptools have 100% backwards compatibility. Especially if we want maintainers of things like this to be able to continually improve their libraries without burning out.

webknjaz · 2025-03-27T14:10:14Z

There are too many comments here but in case people didn't mention this earlier, make sure to read this blog post

none of the advice in that post is relevant to this issue. see #4910 (comment) to understand why

@raylu that's not true. pip-tools can be used to generate a constraint file for the (transitive) build deps specifically. I personally merged a pull request implementing it quite a while ago: https://pip-tools.rtfd.io/en/stable/#maximizing-reproducibility.

Using that is a bit unobvious, but setting the PIP_CONSTRAINT environment variable applies to said ephemeral build environments that are populated by a pip install in a subprocess that understands that env var just fine (it's passing it on CLI via --constraint that is problematic).

andy-maier added bug Needs Triage Issues that need to be evaluated for severity and status. labels Mar 24, 2025

Fokko mentioned this issue Mar 24, 2025

Nit: Introduce S3_SIGNER constant property apache/iceberg-python#1837

Merged

Fokko added a commit to apache/iceberg-python that referenced this issue Mar 24, 2025

Pin setuptools

c872521

It looks like there are issue with the new release: pypa/setuptools#4910

Fokko mentioned this issue Mar 24, 2025

Pin setuptools apache/iceberg-python#1838

Closed

sentrivana mentioned this issue Mar 24, 2025

New setuptools release breaks CI getsentry/sentry-python#4192

Closed

DanJezeph15 mentioned this issue Mar 24, 2025

Fix for SMS by passing data correctly tutorcruncher/morpheus#466

Merged

benjefferies added a commit to prolific-oss/prolific-django-rest-framework-mongoengine that referenced this issue Mar 24, 2025

fix(SI-313): underscore key

abc3b0d

See pypa/setuptools#4910 for more details

benjefferies mentioned this issue Mar 24, 2025

fix(SI-313): underscore key prolific-oss/prolific-django-rest-framework-mongoengine#7

Closed

fatihak mentioned this issue Mar 24, 2025

Install error setuptools.errors.InvalidConfigError fatihak/InkyPi#70

Closed

hollowstrawberry mentioned this issue Mar 25, 2025

Broken package in sd-scripts requirements derrian-distro/LoRA_Easy_Training_scripts_Backend#8

Closed

prabhu mentioned this issue Mar 25, 2025

[python] setuptools 78.0.1 is breaking sbom generation CycloneDX/cdxgen#1698

Closed

andy-maier mentioned this issue Mar 25, 2025

Use of deprecated dash-separated keys in setup.cfg click-contrib/click-spinner#43

Open

jamie-chang-globality mentioned this issue Mar 25, 2025

Override build dependency and backend metadata, similiar to dependency-metadata astral-sh/uv#12447

Open

Ryuno-Ki mentioned this issue Mar 25, 2025

pyproject: create pyproject.toml snarfed/bridgy-fed#1849

Open

patrickread mentioned this issue Mar 25, 2025

Setup.cfg update dujuku/polling#29

Open

traversaro mentioned this issue Mar 25, 2025

Provide a way to specify no-build-isolation for all pypi dependencies prefix-dev/pixi#3427

Closed

ianballard mentioned this issue Mar 25, 2025

Governance and Change Management Review After Breaking Change in #4870 #4919

Open

giswqs mentioned this issue Mar 25, 2025

Unable to Install geoai-py in a production environment - setuptools expiry opengeos/geoai#123

Closed

hauntsaninja mentioned this issue Mar 25, 2025

[FR] Ecosystem regression checks? #4920

Open

zahlman mentioned this issue Mar 25, 2025

Allow for additional constraints on dependencies used in build environments python-poetry/poetry#10299

Open

zahlman mentioned this issue Mar 27, 2025

Maintainers PLEASE create a new release to fix Python 3.12 pypi installers! okunishinishi/python-stringcase#46

Open

vanschelven mentioned this issue Apr 2, 2025

[Docs] Need migration guide for license expression (PEP 639) about TOML-table-based project.license deprecation if v77 unavailable #4903

Open

1 task

ryan-williams mentioned this issue Apr 7, 2025

Release #463 (description-file fix) soft-matter/pims#464

Open

CaselIT mentioned this issue Apr 9, 2025

Latest wheel make this package un-installable IBMDecisionOptimization/docplex#23

Open

sfc-gh-mvashishtha mentioned this issue Apr 29, 2025

FIX-#7536: setuptools / ray version conflict in pkg_resources._vendor modin-project/modin#7537

Merged

7 tasks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[BUG] Version 78.0.1 breaks install of ansible-vault package #4910

[BUG] Version 78.0.1 breaks install of ansible-vault package #4910

[BUG] Version 78.0.1 breaks install of ansible-vault package #4910

[BUG] Version 78.0.1 breaks install of ansible-vault package #4910

Comments

setuptools version

Python version

OS

Additional environment information

Description

Expected behavior

How to Reproduce

Output