[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Python 3.4 and ensurepip (rehashed, long)



On Mar 26, 2014, at 10:35 AM, Barry Warsaw <barry@debian.org> wrote:

> On Mar 26, 2014, at 09:24 AM, Donald Stufft wrote:
> 
>> In my half formed idea in my head the way it’d work is there’d be a
>> vendor-packages directory where downstream can install things to, and a flag
>> to the interpreter to remove the typical site-packages. So then you’d get
>> something like:
>> 
>>   python -I —no-site-packages -m something
> 
> There has to be a short option for --no-site-packages (or whatever) so that it
> will work with shebang lines, where we already recommend -Es.

Yea I just didn’t feel like thinking up a short option :)

>  But also, -I
> should imply this new option for full isolation.

Not sure about this, I don’t think I saw the original discussion but it looks like
-I is to prevent the user from injecting malicious code (so it removes env vars,
the user site packages, the current dir, etc). I don’t think that something
installed by pip by the system administrator falls under that.

> 
> Which means for Python 3.4 and beyond we should be recommending system
> services and scripts add -I to the shebang line instead of -Es.  Then we'd get
> this new /usr/local isolation switch for free.
> 
> -Barry


-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail


Reply to: