gh-102202: Update bundled setuptools to 67.4.0 #102208
Conversation
I believe 3.12 definitely should include this version bump. It's unknown whether gh-101039 will land without breaking the world in 3.12 beta thus being retracted.
Well, it won't break the world really; since pip will pull in the relevant dependencies "under the hood" and do the right things. The only reason I've not merged that in is that I'm still not 100% confident what to do reg the extension test in there.
As this is a security fix, I would think that could justify backporting assuming the issue is sufficiently serious relative to the potential disruption, though that is ultimately up to the RMs of course. Maybe just tag with the appropriate needs-backport labels to ensure they see it (since it will need to be an admin/RM to merge to those branches anyway)?
I don't want to backport this to 3.7. The last time we tried to update setuptools in older releases about a year ago, we ended up having to revert the backports because of various issues; see #91142. While some of those issues may have been fixed in newer versions of setuptools, I have verified that there is at least one test suite failure on 3.7 with the latest setuptools. And, for releases in the late stages of their security-fix-only life cycles, it seems to me that the usage of ensurepip should be minimal anyway. At this point, almost no users should be starting a first-time installation of 3.7, say, from scratch. They will almost certainly either be using a 3.7.x release from a third-party distributor who will have their own setuptools package or they will be updating an existing installation and will be managing additional packages, like setuptools, on their own.
FWIW, I don't understand how/why the CVE is "high" severity since most sane configurations will not use setuptools' logic for parsing the index page anyway. 😅
Setuptools was removed from 3.12 in #101039 so if it's decided this needs backporting to any of 3.11-3.8, that'll need a new PR. A 3.7 backport was ruled out as too low benefit/high risk by the release manager: #102202 (comment).
There are plans to remove setuptools from 3.12 (issue #95299 / PR #101039), but in the meantime we could include this in main/3.12 and backport it to deal with CVE-2022-40897 in setuptools. Or else skip 3.12 and apply to 3.11 with backports.
Python 3.7-3.9 are in security-fix only, so ping release managers @ambv and @ned-deily to decide if it's worth backporting there.
Also cc @pradyunsg and @pfmoore as packaging experts.