[Python-Dev] Python 2.7.7. on Windows

Brian Curtin brian at python.org
Mon Apr 28 22:38:36 CEST 2014


On Mon, Apr 28, 2014 at 3:07 PM, Mike Miller <python-dev at mgmiller.net> wrote:
>
> On 04/29/2014 05:12 AM, Steve Dower wrote:
>>
>> This would be an incredibly painful change that would surprise and hurt a
>> lot of people.
>
>
> Hi, I think "incredibly painful" is overstating the case a bit. ;)  We're
> talking about an installer default, a setting that would still be changeable
> as it always has, that by definition only will affect brand new installs.
>
>
>> Yes, it is possible for a non-admin user to install arbitrary packages
>> into a place where an admin user may inadvertently run it, thereby
>> providing escalation of privilege. On the other hand, that applies to a
>> lot of development tools, especially since most users on Windows these
>> days are actually limited administrators - ANYTHING they install could
>> run when they elevate a certain process.
>
>
> None of Microsoft's Dev tools install to C:\, rather to ProgramFiles.  The
> fact that another security issue may exist is not a good justification for
> creating additional.
>
>
>> On the other hand, Python from python.org is a tool that should only be
>> installed by those who are prepared to manage it. On Windows it is easy
>> enough to have a second, secured copy for your admin scripts and an
>> unsecured copy for non-admin tasks.
>
>
> This sounds like the perspective of someone highly technical, forgetting
> that new users will be installing python as well and vastly outnumber us.
> "Normal people" need help to avoid security issues.
>
> Microsoft's guidelines on where to install software are clear, and don't
> make exceptions that "tools" should be installed to the root of the drive to
> bypass file system permissions, for convenience.
>
>
>> I'm not sure what change you are proposing here... doesn't the installer
>> already have an option to add to PATH? I'm sure I keep disabling it.
>
>
> No, it does not.  Unless it got slipped in when I wasn't looking.
>
> It should be an option though, I think everyone would agree.

The option to add the current install to your path was added in 3.3.

>> "python.exe" on my PATH because I have 10+ versions installed at any one
>> time. I
>
>
> Remember, python-dev's are not the target users of this package, and are a
> rather minuscule fraction of the user base.

Knowing which Python you want on your path and that you want it on
your path at all is somewhat of an advanced usage. While beginners do
want to just open up cmd and type "python" and have it work, there are
better ways to accomplish that which don't involve system-wide path
manipulation or installation changes.

Several PC manufacturers have been known to use Python for various
system utilities, which is how Python sometimes ends up in the path on
your grandma's Dell*. Even for a beginner who just wants "python" to
work, we need to be careful to not wreck their entire system by
helping them get our fresh Python install to show up.

A more reasonable way to help beginners would be to create a shortcut
somewhere that starts up cmd with a modified path. They can do
whatever they want to do within that context without modifying their
entire system. If they learn that they later want their system-wide
path manipulated, they can do that within the installer or will know
how to do that themselves.

* watch Dave Beazley's PyCon 2014 talk for a good story involving one
of those manufacturer installed Pythons:
https://www.youtube.com/watch?v=RZ4Sn-Y7AP8

