Thanks, Cameron Simpson, for the feedback!
The security issue you mentioned is something really serious I didn't really think about. I usually do this a lot for my side projects and random stuff I automate. Hence I suggested this.
Again, thanks for taking your time.
On Mon, Jul 8, 2019 at 1:14 PM Cameron Simpson email@example.com wrote:
On 08Jul2019 11:40, Siddharth Prajosh firstname.lastname@example.org wrote:
Hey all, after this talk <
on how useful standard libraries are this has been in talks in multiple channels. I just wanted to present my idea on the same.
Why not keep the essentials (ensurepip) and strip off everything else.
someone imports a package like datetime, we can catch the error (ImportError) and install it. Or something similar.
Are you thinking this happens at runtime? And is your objective to ship a much smaller Python standard library and load whatever is actually required as discovered?
The usual difficulty is that there's no general way to fetch packages in every environment. For the obvious case: the offline environment, with no network access.
Another trickiness is that while we usually try to not conditionally import stuff, sometimes that happens. Which means you might run your programme and autoimport most things, but still miss something which only gets imported in a special circumstance.
_However_, there's something to be said for the convenience.
Had you considered writing a module which plugs into the import machinery to auto-pip-install on ImportError? Then you could test your ideas.
Finally, there are some security considerations.
A prime cause for an import error is simply misspelling a module name. If that misspelling matches a known module, that gets fetched. AND RUN.
If the module used in error is malicious, that's a really nasty failure mode. Even a module with a similar name and similar but not identical semantics could cause undesired (e.g. damaging, or just silently buggy) behaviour for the user.
Leaving aside the "use a likely misspelling" situation, the other situation is where a known module is withdrawn and a malicious person installs something evil under the previously trustworthy name.
These issues make me cautious about automatically importing anything that seems to be missing.
I'm more comfortable treating ImportErrors as stuff to inspect. Perhaps I misspelled something. Perhaps I've failed to install something important. Perhaps I'm using a feature I didn't really plan to install.
Cheers, Cameron Simpson email@example.com
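Cameron's suggestion of a module that plugs into the import machinery, turned the other way round as an added example (not code from either poster): a last-resort meta path finder that, instead of pip-installing whatever name is missing, fails loudly with a hint, so a misspelling such as `datetme` gets inspected rather than fetched. `KNOWN_MODULES` and the sample names are constructed for the example; no package index is consulted.

```python
"""Inspect, don't auto-install: an import hook that reports missing modules."""
import difflib
import importlib
import importlib.abc
import sys

# Names we are willing to suggest. In real use: your pinned requirements plus
# the standard library. Constructed for this example.
KNOWN_MODULES = sorted(
    set(getattr(sys, "stdlib_module_names", ())) | set(sys.builtin_module_names)
    | {"datetime", "json", "requests"}
)


def suggest(name, known=KNOWN_MODULES):
    """Close matches for a module name, e.g. 'datetme' -> ['datetime', ...]."""
    return difflib.get_close_matches(name, known, n=3, cutoff=0.8)


class MissingModuleInspector(importlib.abc.MetaPathFinder):
    """Last-resort finder: reached only after every normal finder returned None.
    It fetches nothing; it records the miss and raises an ImportError with a
    hint, so a typo never turns into a download of a look-alike package."""

    def __init__(self):
        self.misses = []

    def find_spec(self, fullname, path, target=None):
        top = fullname.partition(".")[0]
        hints = suggest(top)
        self.misses.append((fullname, hints))
        msg = f"No module named {fullname!r}"
        if hints:
            msg += (f"; did you mean {', '.join(hints)}? Not installing automatically:"
                    " a near-miss name may be typosquatted")
        raise ImportError(msg, name=fullname)


def import_or_explain(name):
    """Import `name` with the inspector active; return (module or None, message)."""
    inspector = MissingModuleInspector()
    sys.meta_path.append(inspector)  # appended, so it runs after the normal finders
    try:
        return importlib.import_module(name), ""
    except ImportError as exc:
        return None, str(exc)
    finally:
        sys.meta_path.remove(inspector)


if __name__ == "__main__":
    print(import_or_explain("datetme")[1])  # typo of a stdlib name: hint, no fetch
    print(import_or_explain("json")[0])     # real module: the hook is never consulted
```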