setuptools.sandbox.SandboxViolation: SandboxViolation: open('_configtest.c', 'w') {} only on Python 3.8

[alex]

When adding Python 3.8 to pyca/cryptography's CI, we're seeing a baffling error message... but only under Python 3.8:

  File "c:\python38\lib\site-packages\setuptools\sandbox.py", line 195, in setup_context
    yield
  File "c:\python38\lib\site-packages\setuptools\sandbox.py", line 250, in run_setup
    _execfile(setup_script, ns)
  File "c:\python38\lib\site-packages\setuptools\sandbox.py", line 45, in _execfile
    exec(code, globals, locals)
  File "C:\Users\CONTAI~1\AppData\Local\Temp\easy_install-z0ti_pg_\cffi-1.13.0\setup.py", line 127, in <module>
    elif (is_short_option(argv[i]) and
  File "C:\Users\CONTAI~1\AppData\Local\Temp\easy_install-z0ti_pg_\cffi-1.13.0\setup.py", line 105, in uses_msvc
    '--url',
  File "c:\python38\lib\distutils\command\config.py", line 225, in try_compile
    self._compile(body, headers, include_dirs, lang)
  File "c:\python38\lib\distutils\command\config.py", line 127, in _compile
    src = self._gen_temp_sourcefile(body, headers, lang)
  File "c:\python38\lib\distutils\command\config.py", line 109, in _gen_temp_sourcefile
    with open(filename, "w") as file:
  File "c:\python38\lib\site-packages\setuptools\sandbox.py", line 418, in _open
    self._violation("open", path, mode, *args, **kw)
  File "c:\python38\lib\site-packages\setuptools\sandbox.py", line 407, in _violation
    raise SandboxViolation(operation, args, kw)
setuptools.sandbox.SandboxViolation: SandboxViolation: open('_configtest.c', 'w') {}

The package setup script has attempted to modify files on your system
that are not within the EasyInstall build area, and has been aborted.

This package cannot be safely installed by EasyInstall, and may not
support alternate installation locations even if you run its setup
script by hand.  Please inform the package's author and the EasyInstall
maintainers to find out if a fix or workaround is available.

I assume this is a bad intersection between something, but for the life of me I don't know what.

https://dev.azure.com/pyca/cryptography/_build/results?buildId=1062&view=logs&jobId=d500edf6-0b6e-504d-2304-06892ff28e12

[pganssle]

This is indeed quite baffling. The main thing that I can see that changed with regards to that _configtest.c file is that it was switched over to using a context manager about 10 months ago. Not sure if that was backported to 3.7, but I don't think it would explain the issue. Possibly the issue is that something about that specific VM or something that changed in 3.8's Windows support is causing that file to be created in a temporary directory outside the sandbox.

I can't be sure, but I think that this would be solved if easy_install were never invoked? It's still a bit murky to me why easy_install is being invoked at all, I wouldn't expect it to happen while building an sdist for cryptography, and I would expect cffi to be installed from a wheel. Possibly some combination of environment and version is making it so that the cffi dependency can't be satisfied from a wheel and it's falling back to easy_install because it's not a PEP 517/518 build.

I suspect that you can solve the immediate issue by adding isolated_build = True in your tox.ini configuration, which will use pip to install cffi and its dependencies in an isolated build environment (looks like the whole dependency tree is pycparser, which is pure python). Assuming this doesn't cause you other problems, if that works then this issue will probably go away for the most part when we merge @benoit-pierre's changes removing/deprecating easy_install (#1830 and its children).

[anntzer]

I think(?) @cgohlke may have found the fundamental reason for the issue at numpy/numpy#14873 (comment).

[Avasam]

#2908 removed the sandbox functionality. So this can probably be closed.