[Python-Dev] Compile-time resolution of packages [Was: Another update for PEP 394...] (original) (raw)

Petr Viktorin encukou at gmail.com
Fri Mar 1 05:41:03 EST 2019

On 2/28/19 6:56 PM, Gregory P. Smith wrote:

On Wed, Feb 27, 2019 at 5:12 PM Toshio Kuratomi <a.badger at gmail.com_ _<mailto:a.badger at gmail.com>> wrote:

On Tue, Feb 26, 2019 at 2:07 PM Neil Schemenauer <nas-python at arctrix.com <mailto:nas-python at arctrix.com>> wrote: On 2019-02-26, Gregory P. Smith wrote: > On Tue, Feb 26, 2019 at 9:55 AM Barry Warsaw <barry at python.org <mailto:barry at python.org>> wrote: > For an OS distro provided interpreter, being able to restrict its use to > only OS distro provided software would be ideal (so ideal that people who > haven't learned the hard distro maintenance lessons may hate me for it). This idea has some definite problems.  I think enforcing it via convention is about as much as would be good to do.  Anything more and you make it hard for people who really need to use the vendor provided interpreter from being able to do so. Why might someone need to use the distro provided interpreter? * Vendor provides some python modules in their system packages which are not installable from pip (possibly even a proprietary extension module, so not even buildable from source or copyable from the system location) which the end user needs to use to do something to their system. * End user writes a python module which is a plugin to a system tool which has to be installed into the system python to from which that system tool runs.  The user then wants to write a script which uses the system tool with the plugin in order to do something to their system outside of the system tool (perhaps the system tool is GUI-driven and the user wants to automate a part of it via the python module).  They need their script to use the system python so that they are using the same code as the system tool itself would use. There's probably other scenarios where the benefits of locking the user out of the system python outweigh the benefits but these are the ones that I've run across lately. Agreed.  The convention approach as someone said RHEL 8 has apparently done with an os distro reserved interpreter (yay) is likely good enough for most situations. I'd go a /little/ further than that and suggest such an os distro reserved interpreter attempt to prevent installation of packages (ie: remove pip/ensurepip/distutils) via any other means than the OS package manager (rpms, debs).  Obviously that can't actually prevent someone from figuring out how to run getpip or manually installing trees of packages within its sys.path, but it acts as a deterrent suggesting that this interpreter is not intended for arbitrary software installation.

Currently, in RHEL/Fedora:

What remains to tie this together is making "platform-python" always run with -I. This is PEP 432's "system-python" use case / design goal. (The RHEL/Fedora platform-python was initially called system-python. We renamed to it so it doesn't clash with the PEP. It's the same use case, but we don't want to assign semantics to the name prematurely. Cutrrently, system-python is waiting for the larger-scale restructuring, and hopefully wider/longer discussion.)

More information about the Python-Dev mailing list