Make pkg_resources more forgiving of non-compliant versions

[abravalheri]

In #3772 we learned that some users have been finding trouble to install packages that follow PEP 440 if another package that does not follow PEP 440 is already installed. This is caused by pkg_resources automatically "activating" an environment with all the installed distributions and trying to sort them when setup.py install or setup.py develop is invoked¹.

Summary of changes

• When calculating the hashcmp string in pkg_resources, use a fallback sanitized version in the case of parsing errors.

Tests

I tested this is working based on the reproducer provided in a commend in #3772:

> docker run --rm -e DEBIAN_FRONTEND=noninteractive -it ubuntu:bionic@sha256:4a45212e9518f35983a976eead0de5eecc555a2f047134e9dd2cfc589076a00d bash

apt update && apt install -q -y virtualenv python3-distro-info python3-distutils

mkdir -p /tmp/mypkg
cd /tmp/mypkg
echo "aaa=1" > mymod.py
cat <<EOF > setup.py
from setuptools import setup
setup(
    name="mypkg",
    version='1.0',
    py_modules=['mymod']
)
EOF

virtualenv --system-site-packages /tmp/.venv1
/tmp/.venv1/bin/python -m pip install -U 'pip==23.0.1' 'setuptools==67.4.0'
/tmp/.venv1/bin/python -m pip install -e .
# ...
# File "/tmp/.venv1/lib/python3.8/site-packages/pkg_resources/__init__.py", line 2694, in parsed_version
#   raise packaging.version.InvalidVersion(f"{str(ex)} {info}") from None
# pkg_resources.extern.packaging.version.InvalidVersion: Invalid version: '0.23ubuntu1' (package: distro-info)


virtualenv --system-site-packages /tmp/.venv2
/tmp/.venv2/bin/python -m pip install -U 'pip==23.0.1' 'setuptools @ https://github.com/abravalheri/setuptools/archive/refs/heads/issue-3772.zip'
/tmp/.venv2/bin/python -m pip -v install -e .
# Successfully installed mypkg-1.0

Problems with this approach:

pip will not display the deprecation warning unless setting PYTHONWARNINGS=once and using the verbose flag (pip -v).

Alternatives

A workaround already exists (the users just need to add --use-pep517 to the pip install command).

pip 23.1 is supposed to use PEP 517 by default (no need for --use-pep517 flag), so I think most of the users will no longer face this error after the update.

(Specially now that we are avoid importing pkg_resources unless absolutely necessary).

Is it worthy to add such workaround to the codebase?

Pull Request Checklist

• Changes have tests
• News fragment added in changelog.d/.
  (See documentation for details)

Footnotes

1. So far those were the circumstances I could identify, but there might be others. ↩

[jaraco]

I was trying to think of something along these lines but failed to settle on anything. This looks good to me. Thanks for putting it together.