Message 392832 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	steve.dower
Recipients	FFY00, frenzy, hroncok, jaraco, steve.dower
Date	2021-05-03.18:43:58
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1620067438.43.0.246652023222.issue43976@roundup.psfhosted.org>
In-reply-to

Content
Yes, I saw some of the latest changes in the PR. My biggest concern is with the bare "import _vendor_config", which I'd prefer to have restricted to a fixed location, rather than being influenced by environment variables and other options. We already have an issue with readline being imported from anywhere it can be found. A native flag to suppress it (i.e. something in sys.flags) could also become important for embedders, though it may matter more at a higher level (i.e. should an embedded CPython ever be using sysconfig? Probably not...). I wouldn't add a new flag for it right now, but I feel like sys.flags.isolated should probably imply that this should be ignored. Though then we hit the issue again that these patches are about changing the "safe default" behaviour, which is what you want to get back when you run with -S or -I. And I'm not totally sure how to resolve this. So basically, my concerns are: * don't import arbitrary files * ensure -S/-I options remain useful (or become even more useful)

Yes, I saw some of the latest changes in the PR.

My biggest concern is with the bare "import _vendor_config", which I'd prefer to have restricted to a fixed location, rather than being influenced by environment variables and other options. We already have an issue with readline being imported from anywhere it can be found.

A native flag to suppress it (i.e. something in sys.flags) could also become important for embedders, though it may matter more at a higher level (i.e. should an embedded CPython *ever* be using sysconfig? Probably not...). I wouldn't add a new flag for it right now, but I feel like sys.flags.isolated should probably imply that this should be ignored.

Though then we hit the issue again that these patches are about changing the "safe default" behaviour, which is what you want to get back when you run with -S or -I. And I'm not totally sure how to resolve this.

So basically, my concerns are:
* don't import arbitrary files
* ensure -S/-I options remain useful (or become even more useful)

History
Date	User	Action	Args
2021-05-03 18:43:58	steve.dower	set	recipients: + steve.dower, jaraco, hroncok, frenzy, FFY00
2021-05-03 18:43:58	steve.dower	set	messageid: <1620067438.43.0.246652023222.issue43976@roundup.psfhosted.org>
2021-05-03 18:43:58	steve.dower	link	issue43976 messages
2021-05-03 18:43:58	steve.dower	create