[Catalog-sig] Use user-specific site-packages by default?

Nick Coghlan ncoghlan at gmail.com
Sun Feb 10 11:09:55 CET 2013


On Sun, Feb 10, 2013 at 6:56 PM, Marcus Smith <qwcode at gmail.com> wrote:
> For many users, virtualenvs are their "user install", and "sudo" global
> installs are pretty rare. So, putting in a lot of work to fix what to many
> seems like a rare behavior makes me a little hesitant. But "many users"
> isn't all I guess, and maybe I'm off on the "many" part, not sure.  I guess
> it's still worthwhile to prevent *any* unnecessary root installs.
>
> Maybe user education is enough?  I was going to add a section to pip's new
> cookbook on --user installs, and with all the focus on security now, it
> could be emphasized really strongly and explained why it's a good thing.
> This, along with adding informative messages when users fail writing to the
> global site might go a long way.
>
> Btw, the user site is visible in virtualenvs that have global access (and
> is lower in precedence than the virtualenv site-packages), so I'm pretty
> sure it can serve as a place for common packages, that the global site is
> often used for.

The main use cases I've found for user site packages are "I am not
working on anything in particular, I am just using the Python
interactive shell on my computer" and "I am using Python to script
things on my computer" (see dotfiles and checkoutmanager in
http://blog.aclark.net//2013/02/08/i-love-checkoutmanager-and-dotfiles/
for good examples of the latter). If you're not in the habit of
working on multiple projects, or those projects are low level ones
with few or no dependencies (i.e. not web applications), then per-user
installations are also a lot easier to manage than a special "default"
virtualenv. As you note, such installations also have the benefit of
showing up in all your virtualenvs that are set to allow the use of
system packages. While virtualenv isolation is wonderful when you're
working on cross-platform web applications, it's not an available
option if you want access to packages that are distro specific and
unavailable on PyPI (such as some of the infrastructure on Fedora/RHEL
systems, including mockbuild, yum, etc).

The main problem I see at the moment is the similarity in workflow between:

  $ yum install pkg  # Error due to insufficient privileges
  $ sudo yum install pkg # The right way to run yum

and:

  $ pip install pkg  # Error due to insufficient privileges
  $ sudo pip install pkg # The wrong way to run pip

'pip install --user pkg' or virtualenv are much better alternatives
than sudo in the latter case, but the muscle memory induced by working
with the system package manager means I still reach for sudo when I
shouldn't.

Having pip print out a "Consider using virtualenv or the --user
option" message *could* work (it would probably be enough of a prompt
to disrupt my own distro package manager conditioned reflexes, for
example), but it seems more sensible and user friendly to just start
down the path of making --user the default, and requiring an explicit
--system flag to install globally.

Cheers,
Nick.

> Marcus
>
>
>> Inside a virtual environment:
>>     pip install pkg: works as now
>>     pip uninstall pkg: works as now
>>
>> Ordinary user (no write-access to system site packages):
>>
>>     pip install pkg: installs to per-user site packages
>>     pip uninstall pkg: uninstalls from per-user site packages
>>     pip install --user pkg: installs to per-user site packages
>>     pip uninstall --user pkg: uninstalls from per-user site packages
>>     pip install --system pkg: fails (likely with a permissions error)
>>     pip uninstall --system pkg: fails, even if the package is present (likely with a permissions error)
>>
>> Administrator/root (write-access to system site packages):
>>
>>     pip install pkg: asks for confirmation before installing to per-user site packages
>>     pip uninstall pkg: asks for confirmation before uninstalling from per-user site packages
>>     pip install --user pkg: installs to per-user site packages
>>     pip uninstall --user pkg: uninstalls from per-user site packages
>>     pip install --system pkg: install to system site packages
>>     pip uninstall --system pkg: uninstalls from site packages
>



-- 
Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia
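
The per-role behaviour in the quoted proposal, written out as an added example that is not part of the original message and is not pip's code. `--system` is the flag proposed in this thread; `Decision`, `decide` and `probe` are hypothetical names, and rejecting explicit flags inside a virtualenv is an assumption, since the proposal only lists the unflagged commands there.

```python
import os
import site
import sys
import sysconfig
from typing import NamedTuple, Optional


class Decision(NamedTuple):
    target: str            # "venv", "user" or "system"
    confirm: bool          # ask the operator before proceeding
    expect_failure: bool   # a permissions error is the expected outcome


def decide(in_venv: bool, system_writable: bool,
           scope: Optional[str] = None) -> Decision:
    """Apply the proposed table to install or uninstall (the rows are the same).

    scope is None (no flag), "user" (--user) or "system" (proposed --system).
    """
    if scope not in (None, "user", "system"):
        raise ValueError(f"unknown scope: {scope!r}")
    if in_venv:
        if scope is not None:
            # Assumption: the proposal lists only unflagged commands here.
            raise ValueError("flagged commands in a venv are not covered")
        return Decision("venv", False, False)
    if scope == "system":
        # Ordinary users hit a permissions error; administrators succeed.
        return Decision("system", False, not system_writable)
    # Per-user site: only the bare command prompts, and only for a caller
    # who could have written to the system site-packages instead.
    return Decision("user", scope is None and system_writable, False)


def probe() -> tuple:
    """Return (in_venv, system_writable) for the running interpreter."""
    in_venv = sys.prefix != getattr(sys, "base_prefix", sys.prefix)
    purelib = sysconfig.get_paths()["purelib"]
    return in_venv, os.access(purelib, os.W_OK)


if __name__ == "__main__":
    in_venv, writable = probe()
    print("per-user site-packages:", site.getusersitepackages())
    if in_venv:
        print("no flag ->", decide(True, writable))
    else:
        for scope in (None, "user", "system"):
            print(scope, "->", decide(False, writable, scope))
```
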