System packages leak into build environment

[layday]

PEP 517 recommends that the build environment should only contain the standard library and packages from build-system.requires. However, system packages are exposed to the build environment using pep517. This behaviour has been implicated in jaraco/skeleton#12.

For an MRE:

$ python -m pip list
Package Version
------- -------
pep517  0.8.1
pip     20.0.1
toml    0.10.0
$ cat pyproject.toml
[build-system]
requires = ["setuptools"]
build-backend = "setuptools.build_meta"
$ cat setup.py
import toml   # Does not raise

from setuptools import setup

setup(name='test')
$ python -m pep517.build --source .
running egg_info
creating test.egg-info
writing test.egg-info/PKG-INFO
writing dependency_links to test.egg-info/dependency_links.txt
writing top-level names to test.egg-info/top_level.txt
writing manifest file 'test.egg-info/SOURCES.txt'
reading manifest file 'test.egg-info/SOURCES.txt'
writing manifest file 'test.egg-info/SOURCES.txt'
running sdist
running egg_info
writing test.egg-info/PKG-INFO
writing dependency_links to test.egg-info/dependency_links.txt
writing top-level names to test.egg-info/top_level.txt
reading manifest file 'test.egg-info/SOURCES.txt'
writing manifest file 'test.egg-info/SOURCES.txt'
warning: sdist: standard file not found: should have one of README, README.rst, README.txt, README.md

running check
warning: check: missing required meta-data: url

warning: check: missing meta-data: either (author and author_email) or (maintainer and maintainer_email) must be supplied

creating test-0.0.0
creating test-0.0.0/test.egg-info
copying files to test-0.0.0...
copying pyproject.toml -> test-0.0.0
copying setup.py -> test-0.0.0
copying test.egg-info/PKG-INFO -> test-0.0.0/test.egg-info
copying test.egg-info/SOURCES.txt -> test-0.0.0/test.egg-info
copying test.egg-info/dependency_links.txt -> test-0.0.0/test.egg-info
copying test.egg-info/top_level.txt -> test-0.0.0/test.egg-info
Writing test-0.0.0/setup.cfg
Creating tar archive
removing 'test-0.0.0' (and everything under it)

[takluyver]

It doesn't really try to isolate the build environment, to be honest. Doing so properly without assuming that the venv module is present (i.e. supporting Python 2) was too complex, so I just implemented a minimal place where it could install build dependencies without modifying the target environment.

It looks like the copy in pip has got a bit more advanced - @pradyunsg has talked in #2 about bringing that into pep517.

Of course, one day we'll be able to wave goodbye to Python 2 and just rely on venv. But for something so fundamental, that's probably not quite yet.

[layday]

This issue is about pep517 exposing libraries which are not available when building from an sdist with pip using build isolation (i.e. the pip default for packages with a pyproject.toml) which can become the source of latent bugs downstream. This is the wrong place to appeal against build isolation.

[takluyver]

We've come to an agreement that the functionality to create isolated build environments and install build dependencies will live in the PyPA build project. The pep517 library will continue to exist as the lower-level piece to work with the interfaces defined by PEP 517, but the pep517.envbuild module and the little command-line interfaces which use it (pep517.build, pep517.check and pep517.meta) will gradually be deprecated and eventually removed as build becomes more stable. See #91 for more on that process.

So I'm closing this, as there won't be any further significant work here on isolating the build environment. Hopefully build already meets your needs better.