Re: Fw: git: 680508df7b6a - main - security/vuxml: Add entry for (py-)setuptools CVE-2025-47273

From: Charlie Li <vishwin_at_freebsd.org>
Date: Sat, 06 Jun 2026 17:56:22 UTC
Michael Gmelin wrote:
> Hi,
> 
> This probably affects a large number of python ports which won't build
> due to the vulnerability in the build dependency.
> 
This is a tricky situation because not every consumer can use the latest 
setuptools, not least due to various breaking functional changes. Even 
after we finish the latest setuptools effort (massive is an 
understatement), there will probably still be a need to keep older 
versions around.

As for this specific vulnerability, it is not exploitable in how we 
(ports) build Python packages, since the affected mechanism is 
setuptools's own PyPI fetching mechanism, which we do not use (we have 
our own do-fetch via fetch(1) et al). Further, the source file this was 
found in is an already deprecated module, package_index, whose only 
consumer is another deprecated entry point, easy_install. We don't use 
those in ports either. And even in the case of a Python virtual 
environment, the system Python packages are not used by default, and pip 
will download the latest setuptools if needed.

In all, this vuxml entry was not added or reviewed by the python@ team, 
especially not for applicability to actual use cases.

-- 
Charlie Li
...nope, still don't have an exit line.