On 20 September 2016 at 13:58, Random832 <random832@fastmail.com> wrote:
> On Tue, Sep 20, 2016, at 07:12, אלעזר wrote:
>> Moreover, being able to do it programmatically is a security risk, since it requires elevated privileges that I don't know how to drop, and most people will not think about doing, but a library implementation will.
>
> Maybe we should be thinking about why pip requires elevated privileges.
I'm not sure to what extent this was a rhetorical question, but basically because, by default, pip installs into the Python installation directory, and if the user is running a system Python, that directory is only modifiable by an admin.

You can use --user to make pip install into the user's site-packages. But that's not the default, and the proposal didn't discuss supplying any non-default options to pip. Pip could be changed to make the default --user, but that's not happened yet (and there are some compatibility issues holding it up).

And even ignoring that, what about *other* pip options that might be needed (for example, specifying a proxy, or a non-default certificate store)? There's no capability to specify them in the proposal.

Paul.
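An added example, not code from this thread, from pip, or from the proposal: a sketch of how a programmatic installer could avoid needing elevated privileges by choosing `--user` only when the interpreter's site-packages is not writable and no virtual environment is active (pip rejects `--user` inside one), while still accepting the proxy and certificate options mentioned above. The function names `in_virtualenv` and `build_pip_command` are hypothetical, and the command is built but not executed.

```python
import os
import sys
import sysconfig


def in_virtualenv():
    # In a venv/virtualenv, sys.prefix points at the environment and
    # sys.base_prefix at the underlying installation.
    return sys.prefix != getattr(sys, "base_prefix", sys.prefix)


def build_pip_command(requirement, *, venv=None, site_writable=None,
                      elevated=None, proxy=None, cert=None):
    """Return the argv for an unprivileged `pip install`, without running it.

    venv, site_writable and elevated are probed from the running
    interpreter when left as None; callers may pass them explicitly.
    """
    if requirement.startswith("-"):
        # A "requirement" that looks like an option would change pip's behaviour.
        raise ValueError("requirement must not start with '-'")
    if venv is None:
        venv = in_virtualenv()
    if site_writable is None:
        site_writable = os.access(sysconfig.get_paths()["purelib"], os.W_OK)
    if elevated is None:
        # os.geteuid is POSIX-only; other platforms are treated as not elevated.
        elevated = hasattr(os, "geteuid") and os.geteuid() == 0
    if elevated:
        raise PermissionError("refusing to install packages as root")

    cmd = [sys.executable, "-m", "pip", "install"]
    if not venv and not site_writable:
        cmd.append("--user")  # system Python owned by an admin: use user site
    if proxy:
        cmd += ["--proxy", proxy]
    if cert:
        cmd += ["--cert", cert]
    cmd.append(requirement)
    return cmd


if __name__ == "__main__":
    # Constructed sample call; prints the argv that would be passed to subprocess.
    print(build_pip_command("requests", elevated=False))
```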