Author steve.dower
Recipients Anthony Sottile, blueyed, eryksun, jaraco, lazka, miss-islington, paul.moore, steve.dower, tim.golden, zach.ware
Date 2020-05-16.09:21:32
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1589620892.89.0.753821223174.issue36264@roundup.psfhosted.org>
In-reply-to
Content
Really, we shouldn't be using any environment variables on Windows here, because they open up too many security risks. There are API calls that are canonical, but the environment vars are compatibility helpers.

Breakage due to HOME being overridden is serious because it won't show up in any other cases - Python will be the first to suffer the consequences, which means we are facing a targeted exploit. Not really much choice but to fix it (though there was a choice whether to release a security advisory or not... ;-) )

The documentation was definitely updated, and it was in NEWS, but you're right there was no DeprecationWarning, not that we'd have been able to show it to most impacted library developers anyway.

Perhaps the best approach for the sake of POSIX compatibility is to set HOME on startup to the correct value? It won't normally be set, so anyone using it is likely broken on Windows, but if we make it valid then everyone can just rely on it?
History
Date User Action Args
2020-05-16 09:21:32steve.dowersetrecipients: + steve.dower, paul.moore, jaraco, blueyed, tim.golden, zach.ware, eryksun, lazka, Anthony Sottile, miss-islington
2020-05-16 09:21:32steve.dowersetmessageid: <1589620892.89.0.753821223174.issue36264@roundup.psfhosted.org>
2020-05-16 09:21:32steve.dowerlinkissue36264 messages
2020-05-16 09:21:32steve.dowercreate