Thanks, Cameron Simpson, for the feedback!

The security issue you mentioned is something really serious that I didn't really think about. I usually do this a lot for my side projects and random stuff I automate. Hence I suggested this.

Again, thanks for taking your time.

On Mon, Jul 8, 2019 at 1:14 PM Cameron Simpson <cs@cskk.id.au> wrote:
On 08Jul2019 11:40, Siddharth Prajosh <sprajosh@gmail.com> wrote:
>Hey all, after this talk
><http://pyfound.blogspot.com/2019/05/amber-brown-batteries-included-but.html>
>on how useful standard libraries are this has been in talks in multiple
>channels.
>I just wanted to present my idea on the same.
>
>Why not keep the essentials (ensurepip) and strip off everything else. When
>someone imports a package like datetime, we can catch the error
>(ImportError) and install it.
>Or something similar.

Are you thinking this happens at runtime? And is your objective to ship
a much smaller Python standard library and load whatever is actually
required as discovered?

The usual difficulty is that there's no general way to fetch packages in
every environment. For the obvious case: the offline environment, with
no network access.
Another trickiness is that while we usually try to not conditionally
import stuff, sometimes that happens. Which means you might run your
programme and autoimport most things, but still miss something which
only gets imported in a special circumstance.

_However_, there's something to be said for the convenience.

Had you considered writing a module which plugs into the import
machinery to auto-pip-install on ImportError? Then you could test your
ideas.

Finally, there are some security considerations.

A prime cause for an import error is simply misspelling a module name.
If that misspelling matches a known module, that gets fetched. AND RUN.

If the module used in error is malicious that's a really nasty failure
mode. Even a module with a similar name and similar but not identical
semantics could cause undesired (e.g. damaging, or just silently buggy)
behaviour for the user.

There have been real world examples of malicious packages put into
package repositories. If I recall (and my memory is fuzzy here), quite a
few in the JavaScript world and I think there was a known one in the
PyPI repo.

Leaving aside the "use a likely misspelling" situation, the other
situation is where a known module is withdrawn and a malicious person
installs something evil under the previously trustworthy name.

These issues make me cautious about automatically importing anything
that seems to be missing.

I'm more comfortable treating ImportErrors as stuff to inspect. Perhaps
I misspelled something. Perhaps I've failed to install something
important. Perhaps I'm using a feature I didn't really plan to install.

Cheers,
Cameron Simpson <cs@cskk.id.au>
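Cameron's suggestion of a module that plugs into the import machinery, written from his closing stance (treat the ImportError as something to inspect, not something to auto-install): an added example, not code from either poster. The allowlist and the standard-library subset are constructed for the demo; a last-resort finder on sys.meta_path diagnoses the missing name (standard library, vetted-but-not-installed, likely misspelling, or unknown) instead of fetching it.

```python
import sys
import difflib
import importlib.abc

# Constructed allowlist of third-party packages this project has vetted and
# pinned (in practice read from a lock file); embedded so the example runs offline.
APPROVED = frozenset({"requests", "dateutil", "yaml", "cryptography"})
# Constructed subset of standard-library names; on Python 3.10+ use
# sys.stdlib_module_names instead of a hand-written set.
STDLIB = frozenset({"datetime", "json", "os", "sys", "re", "pathlib"})

def classify_missing_import(fullname, approved=APPROVED, stdlib=STDLIB):
    """Diagnose a failed import without fetching anything from an index.
    Returns (verdict, detail):
      'stdlib'   - standard-library name: the interpreter install is broken
      'approved' - vetted but not installed: install it deliberately, pinned
      'typo'     - close to a known name; detail lists the likely intended names
      'unknown'  - not vetted: an auto-installer would run whatever owns the name
    """
    top = fullname.partition(".")[0]
    if top in stdlib:
        return "stdlib", f"{top!r} is standard library; check the interpreter install"
    if top in approved:
        return "approved", f"{top!r} is vetted but not installed; install the pinned version"
    close = difflib.get_close_matches(top, sorted(approved | stdlib), n=3, cutoff=0.8)
    if close:
        return "typo", close
    return "unknown", f"{top!r} is not on the allowlist; refusing to fetch it"

class InspectingFinder(importlib.abc.MetaPathFinder):
    """Appended to the END of sys.meta_path, so it runs only after every real
    finder has failed, i.e. the module is genuinely absent. It never installs;
    it replaces the bare ImportError with a diagnosis."""

    def __init__(self, approved=APPROVED, stdlib=STDLIB):
        self.approved, self.stdlib = approved, stdlib

    def find_spec(self, fullname, path, target=None):
        if path is not None:  # submodule lookup: the parent exists, leave it alone
            return None
        verdict, detail = classify_missing_import(fullname, self.approved, self.stdlib)
        raise ImportError(f"cannot import {fullname!r} [{verdict}]: {detail}", name=fullname)

if __name__ == "__main__":
    sys.meta_path.append(InspectingFinder())
    try:
        import datetme  # constructed misspelling of datetime
    except ImportError as exc:
        print(exc)
```

Because it sits last on sys.meta_path it never shadows an installed module, but an optional-dependency probe such as `importlib.util.find_spec("maybe_missing")` will now see this ImportError instead of None, so keep the finder to development runs.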