The pywin32 extensions require (well, prefer) administrative access during
installation - certain files are copied to the System32 directory and the
registry at HKEY_LOCAL_MACHINE is written to. Also, if I understand
correctly, if Python happened to be installed into "\Program Files", admin
access would be required to create any files in that directory tree - I'm
not sure what permissions the \PythonXX directory are created with, but its
not unreasable to assume that some shops might choose to secure that
directory similarly to "\Program Files".
The simplest way to achieve this for bdist_wininst installations is to
include some magic in a "manifest". I've confirmed that once this magic is
added, programs created by bdist_wininst get the little "shield" icon
overlay and prompt for elevation before starting the executable. A problem
here is that not all installations will require admin access - eg, a user
who installed Python just for themselves will not need elevation to install
an extension. A solution here would be for the installer to *not* be marked
as requiring elevation, then sniffing the registry to make an educated guess
(eg, HKLM\Software\Python\PythonCore\2.5 existing could indicate admin
access is required). If it finds elevation is required, it would spawn
another copy of itself with elevation requested, and terminate. This will
have a side-effect of meaning the installer never gets the "shield" overlay,
meaning the user will not be expecting to be prompted - but that is
something we can live with.
However, there is a complication here. Any "pure python" packages are not
tied to a particular Python version, so the user can choose what installed
Python version to use. Hence, in the general case, we can only determine if
admin is required after the UI has opened and the user has selected the
Python version. Arranging for the new "elevated" child process at this
point will be (a) ugly, as the UI will vanish before the child process
displays its GUI and (b) would require additional command-line processing
logic - ie, passing the target directory to the child process. If we could
make the determination *before* the GUI opens, it would appear seamless and
would not require special command-line handling (the child process just does
everything)
So I see a few alternatives, but none are very desirable:
* Only make this "admin required" check if a specific version of Python is
necessary (ie, the package contains extension modules). This would leave
pure-python packages out in the cold.
* Live with the ugly UI that would result in performing that check after the
Python version has been selected, and add the command-line processing
necessary to make this work.
* Ignore the issue and try to educate people that they must explicitly use
"Run as Administrator" for such packages on Vista.
I'm wondering if anyone has any opinions or thoughts on how we should handle
this?
Cheers,
Mark