Message 361383 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	Sam Clegg
Recipients	Sam Clegg, skoslowski, ssapin, steve.dower
Date	2020-02-05.00:08:07
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1580861287.71.0.443453397987.issue34841@roundup.psfhosted.org>
In-reply-to

Content
In our case we ended up stripping the .pth file and distributing that modified .zip files. I guess the main problem here is that its really not clear that this version of python doesn't work like the others, or needs to be modified before use. It can be very confusing to try to debug the resulting error message which for me was: ``` C:\Users\circleci\project\python\3.7.4_64bit\python.exe Traceback (most recent call last): File "C:\Users\circleci\project\upstream\emscripten\\emcc", line 6, in <module> from tools import python_selector ModuleNotFoundError: No module named 'tools' ``` For us we really want a non-interactive installation so a zip file made sense. We are embeddeding python within another SDK so it sounds like it is applicable. Maybe this is documented somewhere and I just missed it, but its certainly was a confusing difference from other distributions of python. What about adding some kind of startup message such as "This version of python requires local modification before using"? Also, I'm curious about the kind of security risk there is in including the script directory in sys.path? If an attacker had access to the script directory couldn't they just modify the script directly?

In our case we ended up stripping the .pth file and distributing that modified .zip files.

I guess the main problem here is that its really not clear that this version of python doesn't work like the others, or needs to be modified before use.   It can be very confusing to try to debug the resulting error message which for me was:

```
C:\Users\circleci\project\python\3.7.4_64bit\python.exe
Traceback (most recent call last):
  File "C:\Users\circleci\project\upstream\emscripten\\emcc", line 6, in <module>
    from tools import python_selector
ModuleNotFoundError: No module named 'tools'
```

For us we really want a non-interactive installation so a zip file made sense.   We are embeddeding python within another SDK so it sounds like it is applicable.

Maybe this is documented somewhere and I just missed it, but its certainly was a confusing difference from other distributions of python.   

What about adding some kind of startup message such as "This version of python requires local modification before using"?

Also, I'm curious about the kind of security risk there is in including the script directory in sys.path?   If an attacker had access to the script directory couldn't they just modify the script directly?

History
Date	User	Action	Args
2020-02-05 00:08:07	Sam Clegg	set	recipients: + Sam Clegg, ssapin, steve.dower, skoslowski
2020-02-05 00:08:07	Sam Clegg	set	messageid: <1580861287.71.0.443453397987.issue34841@roundup.psfhosted.org>
2020-02-05 00:08:07	Sam Clegg	link	issue34841 messages
2020-02-05 00:08:07	Sam Clegg	create