This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Title: man page says -I implies -S. code says -s.
Type: Stage: resolved
Components: Documentation Versions: Python 3.4, Python 3.5
Status: closed Resolution: fixed
Dependencies: Superseder:
Assigned To: docs@python Nosy List: barry, christian.heimes, dhduvall, docs@python, jbeck, ned.deily, python-dev
Priority: normal Keywords: patch

Created on 2015-04-29 21:19 by jbeck, last changed 2022-04-11 14:58 by admin. This issue is now closed.

File name Uploaded Description Edit
25-site-module.patch jbeck, 2015-04-29 21:19 patch to get -I to imply -S and fixe side-effects
Messages (6)
msg242248 - (view) Author: John Beck (jbeck) Date: 2015-04-29 21:19
The man page for Python (3.4 and 3.5) says:

   -I     Run Python in isolated mode. This also implies  -E  and  -S.  In
          isolated  mode  sys.path  contains neither the scripts directory
          nor the users site-packages directory. All  PYTHON*  environment
          variables are ignored, too.  Further restrictions may be imposed
          to prevent the user from injecting malicious code.

But the code says:

-I     : isolate Python from the user's environment (implies -E and -s)

and the code to handle -I does:

        case 'I':

where Py_NoUserSiteDirectory is the variable corresponding to the -s flag
rather than the -S flag.  But it seems like -I should really imply both
-s and -S.  So I am filing this bug primarily to find out whether or not
it really should be both.  If so, great: a patch is attached; details
below.  But if not, then the man page should be corrected.

The rest of this is written under the assumption that -I should imply -S
as well as -s.

Background: depending on which packages are installed on different Solaris
systems, test_site passes or not.  Certain packages (e.g., dogpile.core,
dogpile.cache, repoze.lru) that have a .pth file with "import types"
which results in test_site.StartupImportTests failing because types has
been imported which is in the list of collections modules, none of which
are expected to be imported.  So we thought "well, -S should fix that"
then noticed the man page saying -I implied -S which is how we got here.

Tweaking the code and man page so -I does imply -S was trivial.  But three
other changes were needed:
1. In, test_startup_imports() asserted that 'site' was in the
   list of modules that had been imported.  This is no longer true, so I
   deleted the assert.
2. test_inspect failed because of a name error, that turned out to be calling exit instead of sys.exit.  So the attached patch
   corrects both of those.  This fix is probably generally applicable
   even if the "-I should imply both -S and -s" assumption turns out to
   be false.
3. test_venv failed because it and the venv module were using -I to imply
   -s and -E but not -S.  Changing three instances of "-Im" to "-Esm"
   (one in Lib/venv/, the other two in Lib/test/
   fixed this.  However, even if the "-I should imply both -S and -s"
   assumption is true, this change may not be desirable in the general
   case, but needed because of Solaris' hacky work-around for issue
   1298835 not yet being fixed.'

   I.e., we ship /usr/lib/python3.4/site-packages/vendor-packages.pth
   with the one line:
   import site; site.addsitedir('/usr/lib/python3.4/vendor-packages')
   (likewise for other versions).

   So this may not be desirable in general, but I mention it for the
   sake of completeness.
msg242249 - (view) Author: John Beck (jbeck) Date: 2015-04-29 21:29
Adding Christian Heimes to the nosy list; as the author of the fix for
issue 16499, he seems an excellent person to answer the question and
offer advice on the approaches discussed herein.
msg242250 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2015-04-29 21:39
The isolated mode implies -E (ignore env vars) and -s (don't add user site directory). The code and tests are correct, just the man page is wrong. The site module is still loaded in -I mode as it doesn't impose any security implications.

I'd looks like I made a typo in dd0d751cc7f1 and used upper case instead of lower case for
msg242251 - (view) Author: John Beck (jbeck) Date: 2015-04-29 21:46
Thank you very much for clarifying that.  I have updated the bug Title
msg242252 - (view) Author: Roundup Robot (python-dev) (Python triager) Date: 2015-04-29 21:54
New changeset d774401879d8 by Ned Deily in branch '3.4':
Issue #24077: Fix typo in man page for -I command option: -s, not -S.

New changeset 493b3310d5d0 by Ned Deily in branch 'default':
Issue #24077: merge from 3.4
msg242253 - (view) Author: Ned Deily (ned.deily) * (Python committer) Date: 2015-04-29 21:55
Thanks for the report, John!
Date User Action Args
2022-04-11 14:58:16adminsetgithub: 68265
2015-04-29 21:59:26barrysetnosy: + barry
2015-04-29 21:55:24ned.deilysetstatus: open -> closed

nosy: + ned.deily
messages: + msg242253

resolution: fixed
stage: needs patch -> resolved
2015-04-29 21:54:00python-devsetnosy: + python-dev
messages: + msg242252
2015-04-29 21:46:43jbecksetmessages: + msg242251
title: man page says -I implies -S. code says -s. Should it be both? -> man page says -I implies -S. code says -s.
2015-04-29 21:43:55ned.deilysetassignee: docs@python

nosy: + docs@python
components: + Documentation, - Interpreter Core
stage: needs patch
2015-04-29 21:39:29christian.heimessetmessages: + msg242250
2015-04-29 21:29:11jbecksetnosy: + christian.heimes
messages: + msg242249
2015-04-29 21:19:52jbeckcreate