Vendored wheel executable contains hardcoded shebang from build environment #5159

@DanielMicrosoft

setuptools version

80.10.1

Python version

3.12

OS

Ubuntu 24.04 LTS

Additional environment information

No response

Description

The latest setuptools release includes a vendored wheel executable at setuptools/_vendor/bin/wheel with a hardcoded shebang pointing to the maintainer's local machine:

#!/Users/jaraco/code/pypa/setuptools/.tox/vendor/bin/python3

Impact:
This breaks RPM packaging for any project using setuptools. RPM's automatic dependency scanner (/usr/lib/rpm/find-requires) reads this shebang and generates a runtime dependency on the non-existent path, causing package installation to fail:

nothing provides /Users/jaraco/code/pypa/setuptools/.tox/vendor/bin/python3 needed by azure-cli-2.82.0-1.el9.aarch64

Root Cause:
Introduced in PR #5139 "Update vendored dependencies" which updated the vendored wheel package. The wheel package's console script entry points were included in _vendor/bin/ with the shebang from the tox build environment.

Expected Behavior:
Vendored executables should either:

Not be included (only Python modules are needed for imports)
Have portable shebangs like #!/usr/bin/env python3
Be sanitized during the vendoring process

Workaround:
Remove setuptools/_vendor/bin after installation in package build scripts.

Expected behavior

RPM build succeeds - No more dependency errors on /Users/jaraco/...

How to Reproduce

Install latest setuptools with the vendored wheel bug:
pip install --upgrade setuptools

Verify the problematic file exists:
python -c "import setuptools; import os; print(os.path.join(os.path.dirname(setuptools.__file__), '_vendor/bin/wheel'))"

Check the shebang:
python -c "import setuptools, os; f=open(os.path.join(os.path.dirname(setuptools.__file__), '_vendor/bin/wheel')); print(f.readline())"

Expected: #!/usr/bin/env python3 or similar portable shebang
Actual: #!/Users/jaraco/code/pypa/setuptools/.tox/vendor/bin/python3

Try building an RPM package that includes setuptools:

Package setuptools in an RPM
Run rpmbuild or RPM dependency scanner
Observe error: nothing provides /Users/jaraco/code/pypa/setuptools/.tox/vendor/bin/python3

Output

1.080 Error: 
1.080  Problem: conflicting requests
1.080   - nothing provides /Users/jaraco/code/pypa/setuptools/.tox/vendor/bin/python3 needed by azure-cli-2.82.0-1.el9.x86_64 from @commandline
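
A packaging-time check for this class of problem, as an added example that is not part of the original issue or of setuptools: it walks an installed tree and reports scripts whose shebang interpreter lies outside an assumed allow-list of system prefixes. The function names, the allow-list and the sample tree are constructed for illustration; only the flagged shebang is taken from the issue.

```python
import os
import tempfile

# Assumed allow-list: interpreter locations a distro package can depend on.
SYSTEM_PREFIXES = ("/usr/bin/", "/bin/", "/usr/local/bin/")

def read_interpreter(path):
    """Return the interpreter named on a file's shebang line, or None."""
    try:
        with open(path, "rb") as fh:
            first = fh.readline(512)
    except OSError:
        return None
    if not first.startswith(b"#!"):
        return None
    parts = first[2:].decode("utf-8", "replace").split()
    return parts[0] if parts else None

def find_leaked_shebangs(root):
    """List (relative path, interpreter) for scripts under root whose
    interpreter is outside SYSTEM_PREFIXES, e.g. a build-machine virtualenv."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            interp = read_interpreter(full)
            if interp and not interp.startswith(SYSTEM_PREFIXES):
                findings.append((os.path.relpath(full, root), interp))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed sample layout; the first shebang is the one quoted in the issue."""
    samples = {
        "setuptools/_vendor/bin/wheel":
            "#!/Users/jaraco/code/pypa/setuptools/.tox/vendor/bin/python3\nimport sys\n",
        "setuptools/_vendor/bin/portable": "#!/usr/bin/env python3\nimport sys\n",
        "setuptools/_vendor/wheel/__init__.py": "__version__ = '0'\n",
    }
    for rel, text in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, interp in find_leaked_shebangs(tmp):
            print(f"{rel}: non-portable interpreter {interp}")
```

Pointing `find_leaked_shebangs` at a build root before the RPM dependency scanner runs surfaces the leaked path as a build-time finding instead of an install-time failure.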
