Allow version or version range of setuptools to be specified

[rzuckerm]

When a package does not have the necessary build-system configuration item in its pyproject.toml, or the package doesn't have a pyproject.toml, build returns an a requirement of setuptools >= 40.8.0 (https://github.com/pypa/build/blob/main/src/build/_builder.py#L33-L36). This can cause build reproducibility issues where the version of setuptools is allowed to float. This was particularly an issue when setuptools 78.0.1 was released. Some of out builds broke because of that.

It would be nice if it were possible to provide a specific version or version range for setuptools, preferably through an environment variable. The reason why an environment variable is appealing is that the problem was first noticed while using poetry (which we use as our package management system), and since we're using poetry 1.x, I don't think we could get the poetry maintainers to add a feature for usl

[henryiii]

Currently, you can set a constraint file, though that's specific to the backend. It also works transitively that way, since any dependency might need to be built, which then triggers another backend build. You use PIP_CONSTRAINT or UV_CONSTRAINT, depending on which backend you are using. (IIRC, UV_BUILD_CONSTRAINT exists and would trigger for any nested builds, while pip just has the one universal one)

[rzuckerm]

This is for poetry. They don't have an environment variable for this, and they don't honor PIP_CONSTRAINT since they don't use pip.

[layday]

AFAIK poetry uses pip for installation. Did you try it and did it not work?

[rzuckerm]

poetry used to use pip for installation, but it does not anymore.

[layday]

Closing as duplicate of #292.