[issue42252] Embeddable Python indicates that it uses PYTHONPATH

Steve Dower report at bugs.python.org
Tue Nov 3 20:09:24 EST 2020


Steve Dower <steve.dower at python.org> added the comment:

Updating the documentation link on the download page is being discussed as we speak.

> One possible use-case is to package it along with another program to use the interpreter.

This is the primary use case. If you're doing something else with it, you're probably misusing it :)

> In this case, the user may assume that adding something to the `PYTHONPATH` env variable, as most of the launching methods allow, would take hold.

Agreed. The documentation explains this, though likely doesn't make clear enough that it's the presence of the ._pth file that triggers the behaviour.

> ... then promptly look at python --help when that fails. 

I'm pretty sure the help text is generated before we've tried to detect any local configuration, so it's far from trivial to make it dynamic based on context. 

> Maybe a better question is why should the embeddable distribution's python.exe ignore env variables? Wouldn't it make more sense to depend on the user to add a `-E` if that is what they desire?

It's to make it non-exploitable by default. The theory being that it will likely be installed into Program Files by an admin, which means file-based configuration is locked down from regular users and an attacker can't rely on a fully functioning Python runtime being present. Most people wildly underestimate how exploitable CPython is via environment variables.

In an embedded scenario, you also have other ways to update paths, either statically (in the ._pth file) or in Python code (via sys.path modification). And you can of course delete the ._pth file if you don't feel you need the isolation, but there are legitimate reasons we don't recommend that one.

Not enough of this is documented that well, unfortunately. It sounds like we should:
* add a note to the environment variables section of --help that some other options may disable these
* add a link to https://docs.python.org/3/using/windows.html#windows-embeddable back to the download page (it was removed in the 3.9 releases for some reason)
* expand that doc section to link forward to https://docs.python.org/3/using/windows.html#finding-modules and maybe rearrange for making it more obvious how to use this package

----------
versions: +Python 3.10 -Python 3.7

_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue42252>
_______________________________________
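As an added example (not code from CPython and not part of the tracker discussion), the script below checks the behaviour the comment above describes. It launches the current interpreter as a subprocess with PYTHONPATH pointing at a throwaway directory, once with no switches and once each with -E and -I (the env-ignoring mode that a ._pth file puts the embeddable build into), and reports whether that directory reached sys.path together with the relevant sys.flags. It also shows the two alternatives mentioned for adding paths in that mode: generating a pythonXY._pth file and editing sys.path from Python code. The function names, the "app" directory names and the temporary directory are constructed for the demo; a real ._pth file is not exercised because it only takes effect when placed beside the interpreter executable.

```python
"""Added example (not CPython's code, not from the tracker): show how the
interpreter treats PYTHONPATH normally versus under -E / -I, the mode a
._pth file puts the embeddable distribution into, and the two supported
ways to add search paths in that mode."""
import json
import os
import subprocess
import sys
import tempfile

# The child interpreter reports its search path and isolation flags as JSON.
PROBE = (
    "import json, sys; print(json.dumps({"
    "'path': sys.path, "
    "'ignore_env': bool(sys.flags.ignore_environment), "
    "'isolated': bool(sys.flags.isolated)}))"
)


def _norm(path):
    # PYTHONPATH entries end up absolute on sys.path; normcase covers Windows casing.
    return os.path.normcase(os.path.abspath(path))


def probe_pythonpath(extra_dir, flags=()):
    """Start the current interpreter with PYTHONPATH=extra_dir and `flags`.

    Returns (extra_dir_is_on_sys_path, ignore_environment, isolated).
    """
    env = dict(os.environ, PYTHONPATH=extra_dir)
    result = subprocess.run(
        [sys.executable, *flags, "-c", PROBE],
        env=env, capture_output=True, text=True, check=True,
    )
    info = json.loads(result.stdout)
    on_path = _norm(extra_dir) in {_norm(p) for p in info["path"] if p}
    return on_path, info["ignore_env"], info["isolated"]


def demo_results():
    """Probe with no flags, with -E and with -I; keys are the flag tuples."""
    with tempfile.TemporaryDirectory() as extra:  # constructed throwaway dir
        return {flags: probe_pythonpath(extra, flags)
                for flags in ((), ("-E",), ("-I",))}


def build_pth(relative_dirs, import_site=False):
    """Return the text of a pythonXY._pth file for an embedded package.

    One path per line, relative to the executable; '#' starts a comment;
    'import site' is the one statement usually wanted. Shipping this file
    is what makes the embeddable interpreter ignore PYTHONPATH, so extra
    directories belong here rather than in the environment.
    """
    lines = ["# search path for the embedded interpreter (added example)"]
    lines.extend(relative_dirs)
    if import_site:
        lines.append("import site")
    return "\n".join(lines) + "\n"


def add_app_paths(app_dir, subdirs):
    """Runtime alternative: extend sys.path from code after startup.

    Paths are appended rather than prepended so application directories
    cannot shadow standard-library modules; entries already present are
    skipped. Returns the entries that were added.
    """
    added = []
    for sub in subdirs:
        full = os.path.join(os.path.abspath(app_dir), sub)
        if full not in sys.path:
            sys.path.append(full)
            added.append(full)
    return added


def main():
    for flags, (on_path, ignore_env, isolated) in demo_results().items():
        print(f"flags={' '.join(flags) or '(none)'}: PYTHONPATH honoured={on_path}, "
              f"ignore_environment={ignore_env}, isolated={isolated}")
    # The embeddable package ships pythonXY.zip next to the executable.
    zip_name = "python{}{}.zip".format(*sys.version_info[:2])
    print(build_pth([zip_name, ".", "app"]), end="")


if __name__ == "__main__":
    main()
```

Running it prints three lines: the directory is on sys.path only in the no-flags case, while -E reports ignore_environment=True and -I additionally reports isolated=True, which is the combination the embeddable distribution's ._pth file selects; the generated ._pth text follows.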