[Python-Dev] If you shadow a module in the standard library that IDLE depends on, bad things happen

[Steven D'Aprano]

CC'ing Python-Ideas. Follow-ups to Python-Ideas please.

On Thu, Oct 29, 2015 at 09:22:15PM -0400, Terry Reedy wrote:

> Leaving IDLE aside, the reason '' is added to sys.path is so that people 
> can import their own modules.  This is very useful.  Shadowing is the 
> result of putting it at the front.  I have long thought this a dubious 
> choice.  If '' were instead appended, people could still import modules 
> that did not duplicate stdlib names.  Anyone who wanted shadowing could 
> move '' to the front.  But then shadowing would be intentional, not an 
> accident.

Terry is right. Shadowing should be possible, and it should require a 
deliberate decision on the part of the programmer.

Consider the shell, say, bash or similar. My understanding is that the 
shell PATH deliberately excludes the current directory because of the 
possibility of malicious software shadowing usual commands in /bin etc. 
If you want to run an executable in the current directory, you have to 
explicitly provide the path to it: ./myscript rather than just myscript.

Now Python isn't exactly the shell, and so I'm not proposing that Python 
does the same thing. But surely we can agree on the following?

- Shadowing explicitly installed packages, including the stdlib, is 
  *occasionally* useful.

- But when shadowing occurs, it is *nearly always* accidental.

- Such accidental shadowing often causes problems.

- And further more, debugging shadowing problems is sometimes tricky 
  even for experienced coders, and almost impossible for beginners.

  (It's not until you've been burned once or thrice by shadowing that 
  you recognise the symptoms, at which point it is then usually easy to 
  debug.)

- Hence, we should put the onus on those who want to shadow installed 
  packages) to do so *explicitly*, or at least make it easier to avoid 
  accidental shadowing.


I propose the following two changes:


(1) Beginning with Python 3.6, the default is that the current directory 
is put at the end of sys.path rather than the beginning. Instead of:

    >>> print(sys.path)
    ['', '/this', '/that', '/another']

we will have this instead:

    >>> print(sys.path)
    ['/this', '/that', '/another', '']

Those who don't shadow installed packages won't notice any 
difference.

Scripts which deliberately or unintentionally shadow installed packages 
will break from this change. I don't have a problem with this. You can't 
fix harmful behaviour without breaking code that depends on that harmful 
behaviour. Additionally, I expect that those who rely on the current 
behaviour will be in a small minority, much fewer than those who will be 
bitten by accidental shadowing into the indefinite future. And if you 
want the old behaviour back, it is easy to do so, by changing the path 
before doing your imports:

    import sys
    if sys.path[-1] == "":  sys.path = [""] + sys.path[:-1]

or equivalent.

I do not belive that it is onerous for those who want shadowing to have 
to take steps to do so explicitly. That can be added to your scripts on 
a case-by-case basis, or your PYTHONSTARTUP file, by modifying your 
site.py, or (I think) by putting the code into the sitecustomize or 
usercustomize modules.

(2) IDLE doesn't need to wait for Python 3.6 to make this change. I 
believe that IDLE is permitted to make backwards incompatible changes in 
minor releases, so there is no reason why it can't change the path 
effective immediately.

That's a simpler fix than scanning the entire path, raising warnings 
(which beginners won't understand and will either ignore or panic over) 
or other complex solutions. It may not prevent *every* shadowing 
incident, but it will improve the situation immeasurably.


Thoughts?



-- 
Steve