Message 392887 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	FFY00
Recipients	FFY00, frenzy, hroncok, jaraco, petr.viktorin, steve.dower
Date	2021-05-04.12:55:20
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1620132921.12.0.908608661107.issue43976@roundup.psfhosted.org>
In-reply-to

Content
> My biggest concern is with the bare "import _vendor_config", which I'd prefer to have restricted to a fixed location, rather than being influenced by environment variables and other options. We already have an issue with readline being imported from anywhere it can be found. Oh, I share the same concern! Though users could already mess up Python pretty badly by shadowing/overwriting parts of it, so I didn't thought it would be that big of an issue. Is there a way to achieve this while still allowing us to do everything we want? > Sorry for not getting to this sooner, but 5 days is really tight for such a change. No worries. It was my fault, I should have been more attentive to the Python release timeline. > With -S/-I, It would be great if sys.path only included packages installed as part of the OS, and not those installed by `sudo pip`. (Or `pip --user`, but that's covered). Perhaps we could add an option to enable only vendor site schemes? > It seems that with the current patch, pip will install into site-packages and there's no way to disable/change site-packages. Is that the case? I mean, there is, though not as straightforward as -S/-I. I was planning on using it to build the distro entrypoint scripts, so that they only include the distro packages. $ python -S > site.addsitedir(sysconfig.get_path('purelib', 'vendor')) > site.addsitedir(sysconfig.get_path('platlib', 'vendor')) As I mentioned above, we could add a cli flag to do essentially the same.

> My biggest concern is with the bare "import _vendor_config", which I'd prefer to have restricted to a fixed location, rather than being influenced by environment variables and other options. We already have an issue with readline being imported from anywhere it can be found.

Oh, I share the same concern! Though users could already mess up Python pretty badly by shadowing/overwriting parts of it, so I didn't thought it would be that big of an issue. Is there a way to achieve this while still allowing us to do everything we want?

> Sorry for not getting to this sooner, but 5 days is really tight for such a change.

No worries. It was my fault, I should have been more attentive to the Python release timeline.

> With -S/-I, It would be great if sys.path only included packages installed as part of the OS, and not those installed by `sudo pip`. (Or `pip --user`, but that's covered).

Perhaps we could add an option to enable only vendor site schemes?

> It seems that with the current patch, pip will install into site-packages and there's no way to disable/change site-packages. Is that the case?

I mean, there is, though not as straightforward as -S/-I. I was planning on using it to build the distro entrypoint scripts, so that they only include the distro packages.

$ python -S
> site.addsitedir(sysconfig.get_path('purelib', 'vendor'))
> site.addsitedir(sysconfig.get_path('platlib', 'vendor'))

As I mentioned above, we could add a cli flag to do essentially the same.

History
Date	User	Action	Args
2021-05-04 12:55:21	FFY00	set	recipients: + FFY00, jaraco, petr.viktorin, steve.dower, hroncok, frenzy
2021-05-04 12:55:21	FFY00	set	messageid: <1620132921.12.0.908608661107.issue43976@roundup.psfhosted.org>
2021-05-04 12:55:21	FFY00	link	issue43976 messages
2021-05-04 12:55:20	FFY00	create