#2217 closed defect (somebody else's problem)
SandboxViolation: mkdir('/usr/lib/python2.7/site-packages/cryptography/hazmat/bindings/__pycache__', 511) {}
| Reported by: | aredridel | Owned by: | daira |
|---|---|---|---|
| Priority: | normal | Milestone: | undecided |
| Component: | packaging | Version: | 1.10.0 |
| Keywords: | setuptools distribute build cffi cryptography | Cc: | |
| Launchpad Bug: |
Description
Searching for Nevow>=0.6.0
Reading http://pypi.python.org/simple/Nevow/
Best match: Nevow 0.10.0
Processing Nevow-0.10.0.tar.gz
Running Nevow-0.10.0/setup.py -q bdist_egg --dist-dir /home/users/aredridel/tmp/easy_install-5DXjsN/Nevow-0.10.0/egg-dist-tmp-_Y38Ne
/usr/lib/python2.7/site-packages/zope/interface/interface.py:548: UserWarning: Hashing uninitialized InterfaceClass instance
error: SandboxViolation: mkdir('/usr/lib/python2.7/site-packages/cryptography/hazmat/bindings/__pycache__', 511) {}
The package setup script has attempted to modify files on your system
that are not within the EasyInstall build area, and has been aborted.
This package cannot be safely installed by EasyInstall, and may not
support alternate installation locations even if you run its setup
script by hand. Please inform the package's author and the EasyInstall
maintainers to find out if a fix or workaround is available.
Change History (32)
comment:1 Changed at 2014-04-11T22:06:28Z by zooko
- Owner set to aredridel
- Summary changed from Build error with Nevow to SandboxViolation: mkdir('/usr/lib/python2.7/site-packages/cryptography/hazmat/bindings/__pycache__', 511) {}
comment:2 Changed at 2014-04-11T22:07:45Z by zooko
Hm, yeah, according to https://bitbucket.org/tarek/distribute/src/3bf82d0cbc6e0a6d383f177c4def1222f3c3ba46/CHANGES.txt?at=default that should have been fixed as far back as Distribute 0.6. So I guess it isn't *exactly* that. Maybe we could open a new ticket on Distribute?
comment:3 follow-up: ↓ 11 Changed at 2014-04-11T22:33:59Z by zooko
Hm, you know, that error message actually seems kind of legit:
"The package setup script has attempted to modify files on your system that are not within the EasyInstall build area, and has been aborted."
Did you authorize some process to write into your system directories (e.g. /usr/lib/python2.7/site-packages/) when you ran the command that resulted in the above error message? What *was* that command? Could you please paste in the command and the entire output from it?
comment:4 Changed at 2014-04-11T23:47:56Z by daira
Despite appearances, I think this has nothing to do with Nevow; it's just that there isn't a clear boundary in the output between building Nevow, and building cryptography.
comment:5 Changed at 2014-04-11T23:51:40Z by daira
- Keywords setuptools distribute build added
comment:6 Changed at 2014-04-11T23:59:33Z by daira
Ah, possibly the reason why this appears in the Nevow build section is that cryptography is a dependency of pyOpenSSL (>= 0.14), which is a dependency of Twisted, which is a dependency of Nevow.
comment:7 Changed at 2014-04-12T00:11:59Z by daira
<zooko> daira: I really feel like we should require pyOpenSSL <= 0.13 until this whole CFFI thing has been more worked out.
<daira> okay, in that case we need exactly pyOpenSSL==0.13
<daira> because the API to get the OpenSSL version [in order to fix #2215] was only added in 0.13
[...]
<daira> note that this line will need to be changed to include pyOpenSSL:
<daira> https://tahoe-lafs.org/trac/tahoe-lafs/browser/trunk/setup.py#L134
<daira> it should be:
<daira> setup_requires += [req for req in install_requires if req.startswith('Twisted') or req.startswith('pyOpenSSL') or req.startswith('zope.interface')]
<daira> otherwise setuptools/distribute might attempt to satisfy the setup-time dependency of Nevow->Twisted->pyOpenSSL using pyOpenSSL >= 0.14
comment:8 follow-up: ↓ 9 Changed at 2014-04-12T02:10:02Z by zooko
Judging from https://twistedmatrix.com/trac/browser/trunk/setup.py, Twisted doesn't currently depend on pyOpenSSL.
comment:9 in reply to: ↑ 8 Changed at 2014-04-12T10:12:10Z by daira
Replying to zooko:
Judging from https://twistedmatrix.com/trac/browser/trunk/setup.py, Twisted doesn't currently depend on pyOpenSSL
So it doesn't. Then I'm confused: why wasn't there any output between the building of Nevow and the error due to attempting to build cryptography?
comment:10 Changed at 2014-04-14T21:12:13Z by daira
- Keywords cffi cryptography added
Oh! I bet the thing that is failing is the generation of cffi bindings. But then how does installing (as opposed to building) a package with cffi bindings using setuptools ever work?
comment:11 in reply to: ↑ 3 Changed at 2014-04-14T21:14:14Z by daira
Replying to zooko:
Did you authorize some process to write into your system directories (e.g. /usr/lib/python2.7/site-packages/) when you ran the command that resulted in the above error message? What *was* that command? Could you please paste in the command and the entire output from it?
aredridel, we really need this information in order to progress further with this bug.
comment:12 Changed at 2014-04-14T21:15:26Z by aredridel
Complete output including command:
:; python setup.py build
running update_version
no version-control data found, leaving _version.py alone
running develop
Not found: tahoe-deps
Not found: ../tahoe-deps
running egg_info
writing requirements to src/allmydata_tahoe.egg-info/requires.txt
writing src/allmydata_tahoe.egg-info/PKG-INFO
writing top-level names to src/allmydata_tahoe.egg-info/top_level.txt
writing dependency_links to src/allmydata_tahoe.egg-info/dependency_links.txt
writing entry points to src/allmydata_tahoe.egg-info/entry_points.txt
writing requirements to src/allmydata_tahoe.egg-info/requires.txt
writing src/allmydata_tahoe.egg-info/PKG-INFO
writing top-level names to src/allmydata_tahoe.egg-info/top_level.txt
writing dependency_links to src/allmydata_tahoe.egg-info/dependency_links.txt
writing entry points to src/allmydata_tahoe.egg-info/entry_points.txt
package init file 'src/allmydata/web/static/__init__.py' not found (or not a regular file)
package init file 'src/allmydata/web/static/css/__init__.py' not found (or not a regular file)
reading manifest file 'src/allmydata_tahoe.egg-info/SOURCES.txt'
reading manifest template 'MANIFEST.in'
warning: no previously-included files matching '*~' found anywhere in distribution
writing manifest file 'src/allmydata_tahoe.egg-info/SOURCES.txt'
running build_ext
Processing setuptools-0.6c16dev4.egg
removing '/home/users/aredridel/allmydata-tahoe-1.10.0/support/lib/python2.7/site-packages/setuptools-0.6c16dev4.egg' (and everything under it)
Copying setuptools-0.6c16dev4.egg to /home/users/aredridel/allmydata-tahoe-1.10.0/support/lib/python2.7/site-packages
setuptools 0.6c16dev4 is already the active version in easy-install.pth
Installing easy_install_z-2.6 script to support/bin
Installing easy_install_z script to support/bin
Installed /home/users/aredridel/allmydata-tahoe-1.10.0/support/lib/python2.7/site-packages/setuptools-0.6c16dev4.egg
Creating /home/users/aredridel/allmydata-tahoe-1.10.0/support/lib/python2.7/site-packages/allmydata-tahoe.egg-link (link to src)
allmydata-tahoe 1.10.0 is already the active version in easy-install.pth
Installing tahoe script to support/bin
Installed /home/users/aredridel/allmydata-tahoe-1.10.0/src
Processing dependencies for allmydata-tahoe==1.10.0
Searching for Nevow>=0.6.0
Reading https://tahoe-lafs.org/source/tahoe-lafs/deps/tahoe-lafs-dep-sdists/
Reading https://tahoe-lafs.org/source/tahoe-lafs/deps/tahoe-lafs-dep-eggs/
Best match: Nevow 0.10.0
Downloading https://tahoe-lafs.org/source/tahoe-lafs/deps/tahoe-lafs-dep-eggs/Nevow-0.10.0.tar.bz2
Processing Nevow-0.10.0.tar.bz2
Running Nevow-0.10.0/setup.py -q bdist_egg --dist-dir /home/users/aredridel/tmp/easy_install-XS2kO7/Nevow-0.10.0/egg-dist-tmp-wGVHsQ
/usr/lib/python2.7/site-packages/zope/interface/interface.py:548: UserWarning: Hashing uninitialized InterfaceClass instance
error: SandboxViolation: mkdir('/usr/lib/python2.7/site-packages/cryptography/hazmat/bindings/__pycache__', 511) {}
The package setup script has attempted to modify files on your system
that are not within the EasyInstall build area, and has been aborted.
This package cannot be safely installed by EasyInstall, and may not
support alternate installation locations even if you run its setup
script by hand. Please inform the package's author and the EasyInstall
maintainers to find out if a fix or workaround is available.
comment:13 follow-up: ↓ 18 Changed at 2014-04-14T21:15:49Z by aredridel
This is as an unprivileged user, without write access to the system install locations.
comment:14 Changed at 2014-04-14T21:21:49Z by daira
- Owner changed from aredridel to daira
- Status changed from new to assigned
Thanks.
comment:15 Changed at 2014-04-14T21:36:48Z by daira
It's possible that using a more recent version of setuptools at build time would help (#2044).
comment:16 Changed at 2014-04-14T21:43:40Z by zooko
It has to do with cffi, so a sufficient work-around for this, and probably many other issues, is to limit our dependency on pyOpenSSL to be ≤ 0.13. (Because pyOpenSSL v0.13 didn't use cffi and the cryptography.io library and many other things.)
aredridel: would you be so kind as to try this for us? You'd need to patch your Tahoe-LAFS source distribution by editing src/allmydata/_auto_deps.py and change "pyOpenSSL" to "pyOpenSSL <= 0.13".
comment:17 Changed at 2014-04-14T23:59:12Z by aredridel
Hm. No dice. I started from a clean unpack of allmydata-tahoe-1.10.0, changed "pyOpenSSL" to "pyOpenSSL <= 0.13" and got this:
:; python setup.py build
Not found: tahoe-deps
Not found: ../tahoe-deps
Installed /home/users/aredridel/allmydata-tahoe-1.10.0/Twisted-12.2.0-py2.7-linux-i686.egg
running update_version
no version-control data found, leaving _version.py alone
running develop
Not found: tahoe-deps
Not found: ../tahoe-deps
running egg_info
writing requirements to src/allmydata_tahoe.egg-info/requires.txt
writing src/allmydata_tahoe.egg-info/PKG-INFO
writing top-level names to src/allmydata_tahoe.egg-info/top_level.txt
writing dependency_links to src/allmydata_tahoe.egg-info/dependency_links.txt
writing entry points to src/allmydata_tahoe.egg-info/entry_points.txt
writing requirements to src/allmydata_tahoe.egg-info/requires.txt
writing src/allmydata_tahoe.egg-info/PKG-INFO
writing top-level names to src/allmydata_tahoe.egg-info/top_level.txt
writing dependency_links to src/allmydata_tahoe.egg-info/dependency_links.txt
writing entry points to src/allmydata_tahoe.egg-info/entry_points.txt
package init file 'src/allmydata/web/static/__init__.py' not found (or not a regular file)
package init file 'src/allmydata/web/static/css/__init__.py' not found (or not a regular file)
reading manifest file 'src/allmydata_tahoe.egg-info/SOURCES.txt'
reading manifest template 'MANIFEST.in'
warning: no previously-included files matching '*~' found anywhere in distribution
writing manifest file 'src/allmydata_tahoe.egg-info/SOURCES.txt'
running build_ext
Creating /home/users/aredridel/allmydata-tahoe-1.10.0/support/lib/python2.7/site-packages/site.py
Processing setuptools-0.6c16dev4.egg
Copying setuptools-0.6c16dev4.egg to /home/users/aredridel/allmydata-tahoe-1.10.0/support/lib/python2.7/site-packages
Adding setuptools 0.6c16dev4 to easy-install.pth file
Installing easy_install_z-2.6 script to support/bin
Installing easy_install_z script to support/bin
Installed /home/users/aredridel/allmydata-tahoe-1.10.0/support/lib/python2.7/site-packages/setuptools-0.6c16dev4.egg
Creating /home/users/aredridel/allmydata-tahoe-1.10.0/support/lib/python2.7/site-packages/allmydata-tahoe.egg-link (link to src)
Adding allmydata-tahoe 1.10.0 to easy-install.pth file
Installing tahoe script to support/bin
Installed /home/users/aredridel/allmydata-tahoe-1.10.0/src
Processing dependencies for allmydata-tahoe==1.10.0
Searching for pycryptopp>=0.6.0
Reading https://tahoe-lafs.org/source/tahoe-lafs/deps/tahoe-lafs-dep-sdists/
Reading https://tahoe-lafs.org/source/tahoe-lafs/deps/tahoe-lafs-dep-eggs/
Best match: pycryptopp 0.6.0.1206569328141510525648634803928199668821045408958
Downloading https://tahoe-lafs.org/source/tahoe-lafs/deps/tahoe-lafs-dep-eggs/pycryptopp-0.6.0.1206569328141510525648634803928199668821045408958-py2.7-linux-i686.egg
Processing pycryptopp-0.6.0.1206569328141510525648634803928199668821045408958-py2.7-linux-i686.egg
creating /home/users/aredridel/allmydata-tahoe-1.10.0/support/lib/python2.7/site-packages/pycryptopp-0.6.0.1206569328141510525648634803928199668821045408958-py2.7-linux-i686.egg
Extracting pycryptopp-0.6.0.1206569328141510525648634803928199668821045408958-py2.7-linux-i686.egg to /home/users/aredridel/allmydata-tahoe-1.10.0/support/lib/python2.7/site-packages
Adding pycryptopp 0.6.0.1206569328141510525648634803928199668821045408958 to easy-install.pth file
Installed /home/users/aredridel/allmydata-tahoe-1.10.0/support/lib/python2.7/site-packages/pycryptopp-0.6.0.1206569328141510525648634803928199668821045408958-py2.7-linux-i686.egg
Searching for mock>=0.8.0
Reading http://pypi.python.org/simple/mock/
Best match: mock 1.0.1
Downloading https://tahoe-lafs.org/source/tahoe-lafs/deps/tahoe-lafs-dep-sdists/mock-1.0.1.tar.gz
Processing mock-1.0.1.tar.gz
Running mock-1.0.1/setup.py -q bdist_egg --dist-dir /home/users/aredridel/tmp/easy_install-UxieV4/mock-1.0.1/egg-dist-tmp-rmnR94
warning: no files found matching '*.png' under directory 'docs'
warning: no files found matching '*.css' under directory 'docs'
warning: no files found matching '*.html' under directory 'docs'
warning: no files found matching '*.js' under directory 'docs'
zip_safe flag not set; analyzing archive contents...
Adding mock 1.0.1 to easy-install.pth file
Installed /home/users/aredridel/allmydata-tahoe-1.10.0/support/lib/python2.7/site-packages/mock-1.0.1-py2.7.egg
Searching for pyasn1>=0.0.8a
Reading http://pypi.python.org/simple/pyasn1/
Best match: pyasn1 0.1.7
Downloading https://pypi.python.org/packages/2.7/p/pyasn1/pyasn1-0.1.7-py2.7.egg#md5=15f079cabee01402bf86ca8b83356469
Processing pyasn1-0.1.7-py2.7.egg
creating /home/users/aredridel/allmydata-tahoe-1.10.0/support/lib/python2.7/site-packages/pyasn1-0.1.7-py2.7.egg
Extracting pyasn1-0.1.7-py2.7.egg to /home/users/aredridel/allmydata-tahoe-1.10.0/support/lib/python2.7/site-packages
Adding pyasn1 0.1.7 to easy-install.pth file
Installed /home/users/aredridel/allmydata-tahoe-1.10.0/support/lib/python2.7/site-packages/pyasn1-0.1.7-py2.7.egg
Searching for Nevow>=0.6.0
Reading http://pypi.python.org/simple/Nevow/
Best match: Nevow 0.10.0
Downloading https://tahoe-lafs.org/source/tahoe-lafs/deps/tahoe-lafs-dep-eggs/Nevow-0.10.0.tar.bz2
Processing Nevow-0.10.0.tar.bz2
Running Nevow-0.10.0/setup.py -q bdist_egg --dist-dir /home/users/aredridel/tmp/easy_install-S4fHff/Nevow-0.10.0/egg-dist-tmp-nPwwPz
/usr/lib/python2.7/site-packages/zope/interface/interface.py:548: UserWarning: Hashing uninitialized InterfaceClass instance
error: SandboxViolation: mkdir('/usr/lib/python2.7/site-packages/cryptography/hazmat/bindings/__pycache__', 511) {}
The package setup script has attempted to modify files on your system
that are not within the EasyInstall build area, and has been aborted.
This package cannot be safely installed by EasyInstall, and may not
support alternate installation locations even if you run its setup
script by hand. Please inform the package's author and the EasyInstall
maintainers to find out if a fix or workaround is available.
comment:18 in reply to: ↑ 13 Changed at 2014-04-15T01:17:45Z by daira
Replying to aredridel:
This is as an unprivileged user, without write access to the system install locations.
Hmm. It's not clear what would have happened had the setuptools sandbox not prevented the access; i.e. whether it would have failed anyway due to lack of OS-level file permissions, or whether cffi would have fallen back to just not using the cache.
comment:19 Changed at 2014-04-15T01:19:55Z by daira
The fact that this still happens with pyOpenSSL <= 0.13 as the requirement is really confusing. I don't know what else could be depending on cryptography.
comment:20 Changed at 2014-04-15T12:07:07Z by zooko
Yeah, I wonder if aredridel accidentally built a copy that *didn't* have the pyOpenSSL dependency fixed to <= 0.13? Because other than pyOpenSSL 0.14, I don't think anything else depends on the cryptography.io library.
comment:21 Changed at 2014-04-15T12:13:56Z by zooko
Here is a way to find out what package(s) depend on the cryptography library:
python -c 'import pkg_resources;print pkg_resources.require("pyOpenSSL <= 0.13")'
That should print out all the packages that "pyOpenSSL <= 0.13" depends on. You can also do the same thing for the other packages from src/allmydata/_auto_deps.py, like this:
python -c 'import pkg_resources;print pkg_resources.require("Twisted >= 11.0.0")'
and
python -c 'import pkg_resources;print pkg_resources.require("foolscap >= 0.6.3")'
I'd guess that Twisted and foolscap are two other libraries that *might* somehow depend on the "cryptography.io" library.
comment:22 follow-up: ↓ 23 Changed at 2014-04-15T13:29:13Z by aredridel
:; python -c 'import pkg_resources;print pkg_resources.require("pyOpenSSL <= 0.13")'
Traceback (most recent call last):
File "<string>", line 1, in <module>
File "/usr/share/python2.7/site-packages/pkg_resources.py", line 696, in require
File "/usr/share/python2.7/site-packages/pkg_resources.py", line 598, in resolve
pkg_resources.VersionConflict: (pyOpenSSL 0.14 (/usr/share/python2.7/site-packages), Requirement.parse('pyOpenSSL<=0.13'))
:; python -c 'import pkg_resources;print pkg_resources.require("Twisted >= 11.0.0")'
[Twisted 12.2.0 (/home/users/aredridel/allmydata-tahoe-1.10.0/Twisted-12.2.0-py2.7-linux-i686.egg), zope.interface 4.0.3 (/usr/lib/python2.7/site-packages), distribute 0.6.36 (/usr/share/python2.7/site-packages)]
aredridel@mizar:allmydata-tahoe-1.10.0
:; python -c 'import pkg_resources;print pkg_resources.require("foolscap >= 0.6.3")'
Traceback (most recent call last):
File "<string>", line 1, in <module>
File "/usr/share/python2.7/site-packages/pkg_resources.py", line 696, in require
File "/usr/share/python2.7/site-packages/pkg_resources.py", line 594, in resolve
pkg_resources.DistributionNotFound: foolscap>=0.6.3
comment:23 in reply to: ↑ 22 ; follow-up: ↓ 24 Changed at 2014-04-15T15:15:00Z by zooko
Replying to aredridel:
pkg_resources.VersionConflict: (pyOpenSSL 0.14 (/usr/share/python2.7/site-packages), Requirement.parse('pyOpenSSL<=0.13'))
Urrrrgh. Okay, this explains it. I think. Actually only partially. The thing is, this appears to be saying that you already have pyOpenSSL 0.14 installed in your system. Okay, fine, that explains why builds of the cryptography.io library/hazmat library are triggered when you build Tahoe-LAFS. Except, actually it totally doesn't because:
- Why is it trying to write a cache file into your read-only system-wide filesystem if it is already installed?
- Why is it doing anything with pyOpenSSL 0.14 when we've already specified that pyOpenSSL 0.14 is unacceptable for our version requirements?
Sigh, okay, so this suggests a workaround that you can do: remove pyOpenSSL (0.14) from your system and see if that gets past your problem. However, I will feel guilty if we do not report these issues to someone who can do something about them, to help the next user who comes after you. I'm not 100% sure who that would be, though. Who can do something about Python packaging madness? ☹
comment:24 in reply to: ↑ 23 ; follow-ups: ↓ 25 ↓ 32 Changed at 2014-04-15T16:27:10Z by zooko
Okay I asked dstufft and others on IRC and I think I understand answers to these:
Replying to zooko:
- Why is it trying to write a cache file into your read-only system-wide filesystem if it is already installed?
I suspect that this is because cffi tries to build hazmat as a side-effect of someone trying to import pyOpenSSL.
- Why is it doing anything with pyOpenSSL 0.14 when we've already specified that pyOpenSSL 0.14 is unacceptable for our version requirements?
I suspect that this is because pkg_resources tries to import "OpenSSL" as a side-effect of trying to check what version(s) of pyOpenSSL are available.
aridredel: please go ahead and remove pyOpenSSL 0.14 from your system, and test the patch with "pyOpenSSL <= 0.13". Thank you very much for your help!
comment:25 in reply to: ↑ 24 ; follow-up: ↓ 29 Changed at 2014-04-15T16:36:08Z by zooko
Replying to zooko:
Okay I asked dstufft and others on IRC and I think I understand answers to these:
Replying to zooko:
- Why is it trying to write a cache file into your read-only system-wide filesystem if it is already installed?
I suspect that this is because cffi tries to build hazmat as a side-effect of someone trying to import pyOpenSSL.
They intend to change cffi for the upcoming cffi v1.0 to stop doing this -- doing "build" stuff automatically at import-time: https://groups.google.com/d/msg/python-cffi/L9ngHcpRJMU/7Y3CrZg-tn0J
comment:26 Changed at 2014-04-15T17:19:22Z by aredridel
:; sudo rpm -e python-pyOpenSSL-0.14-1.i686 python-TwistedCore-ssl-13.0.0-1.i686
coming up!
comment:27 Changed at 2014-04-15T17:19:59Z by aredridel
And Huzzah! Success!
:; make . . . . touch .built
comment:28 follow-up: ↓ 30 Changed at 2014-04-15T17:20:47Z by aredridel
:; bin/tahoe --version allmydata-tahoe: 1.10.0 foolscap: 0.6.4 pycryptopp: 0.6.0.1206569328141510525648634803928199668821045408958 zfec: 1.4.24 Twisted: 12.2.0 Nevow: 0.10.0 zope.interface: unknown python: 2.7.6 platform: Linux-PLD_3.0-i686-32bit_ELF pyOpenSSL: 0.13 simplejson: 3.0.8 pycrypto: 2.6.1 pyasn1: 0.1.7 mock: 1.0.1 setuptools: 0.6c16dev4
comment:29 in reply to: ↑ 25 Changed at 2014-04-15T17:23:35Z by zooko
Replying to zooko:
They intend to change cffi for the upcoming cffi v1.0 to stop doing this -- doing "build" stuff automatically at import-time: https://groups.google.com/d/msg/python-cffi/L9ngHcpRJMU/7Y3CrZg-tn0J
Here's a ticket to track the progress of that change to cffi: https://bitbucket.org/cffi/cffi/issue/109/enable-sane-packaging-for-cffi
comment:30 in reply to: ↑ 28 Changed at 2014-04-15T17:24:14Z by zooko
Yay! Thank you for your help.
comment:31 Changed at 2014-04-15T17:37:48Z by zooko
- Resolution set to somebody else's problem
- Status changed from assigned to closed
comment:32 in reply to: ↑ 24 Changed at 2014-04-16T13:44:23Z by daira
Replying to zooko:
Replying to zooko:
- Why is it trying to write a cache file into your read-only system-wide filesystem if it is already installed?
I suspect that this is because cffi tries to build hazmat as a side-effect of someone trying to import pyOpenSSL.
No, the OpenSSL module is not imported at build time. (It would be easy to verify this.) The OpenSSL package is certainly imported by Tahoe-LAFS code at run-time (quite early, in order to check the version). I suspect it's because cffi installs some hook that is invoked when a package depending on it is built. But if that hook attempts to write to system areas of the filesystem, it is just completely broken and cannot work for builds done as an unprivileged user.
Oookay. Let's see… possibly related to http://bugs.python.org/setuptools/issue23 which was ported into Distribute in https://bitbucket.org/tarek/distribute/issue/13 . Your "show-tool-versions" output from a previous bug report (https://tahoe-lafs.org/trac/tahoe-lafs/ticket/2216#comment:3) indicates that you have "setuptools: [distribute 0.6.36 (/usr/share/python2.7/site-packages)]". So, I wonder if distribute 0.6.36 has the patch from https://bitbucket.org/tarek/distribute/issue/13 ?