The man page for Python (3.4 and 3.5) says:
-I Run Python in isolated mode. This also implies -E and -S. In
isolated mode sys.path contains neither the scripts directory
nor the users site-packages directory. All PYTHON* environment
variables are ignored, too. Further restrictions may be imposed
to prevent the user from injecting malicious code.
But the code says:
-I : isolate Python from the user's environment (implies -E and -s)
and the code to handle -I does:
case 'I':
Py_IsolatedFlag++;
Py_NoUserSiteDirectory++;
Py_IgnoreEnvironmentFlag++;
break;
where Py_NoUserSiteDirectory is the variable corresponding to the -s flag
rather than the -S flag. But it seems like -I should really imply both
-s and -S. So I am filing this bug primarily to find out whether or not
it really should be both. If so, great: a patch is attached; details
below. But if not, then the man page should be corrected.
The rest of this is written under the assumption that -I should imply -S
as well as -s.
Background: depending on which packages are installed on different Solaris
systems, test_site passes or not. Certain packages (e.g., dogpile.core,
dogpile.cache, repoze.lru) that have a .pth file with "import types"
which results in test_site.StartupImportTests failing because types has
been imported which is in the list of collections modules, none of which
are expected to be imported. So we thought "well, -S should fix that"
then noticed the man page saying -I implied -S which is how we got here.
Tweaking the code and man page so -I does imply -S was trivial. But three
other changes were needed:
1. In test_site.py, test_startup_imports() asserted that 'site' was in the
list of modules that had been imported. This is no longer true, so I
deleted the assert.
2. test_inspect failed because of a name error, that turned out to be
inspect.py calling exit instead of sys.exit. So the attached patch
corrects both of those. This fix is probably generally applicable
even if the "-I should imply both -S and -s" assumption turns out to
be false.
3. test_venv failed because it and the venv module were using -I to imply
-s and -E but not -S. Changing three instances of "-Im" to "-Esm"
(one in Lib/venv/__init__.py, the other two in Lib/test/test_venv.py)
fixed this. However, even if the "-I should imply both -S and -s"
assumption is true, this change may not be desirable in the general
case, but needed because of Solaris' hacky work-around for issue
1298835 not yet being fixed.'
I.e., we ship /usr/lib/python3.4/site-packages/vendor-packages.pth
with the one line:
import site; site.addsitedir('/usr/lib/python3.4/vendor-packages')
(likewise for other versions).
So this may not be desirable in general, but I mention it for the
sake of completeness.
|