[Python-Dev] Compile-time resolution of packages [Was: Another update for PEP 394...]

Gregory P. Smith greg at krypto.org
Thu Feb 28 12:56:55 EST 2019

On Wed, Feb 27, 2019 at 5:12 PM Toshio Kuratomi <a.badger at gmail.com> wrote:

> On Tue, Feb 26, 2019 at 2:07 PM Neil Schemenauer <nas-python at arctrix.com>
> wrote:
>> On 2019-02-26, Gregory P. Smith wrote:
>> > On Tue, Feb 26, 2019 at 9:55 AM Barry Warsaw <barry at python.org> wrote:
>> > For an OS distro provided interpreter, being able to restrict its use to
>> > only OS distro provided software would be ideal (so ideal that people
>> who
>> > haven't learned the hard distro maintenance lessons may hate me for it).
>> This idea has some definite problems.  I think enforcing it via
> convention is about as much as would be good to do.  Anything more and you
> make it hard for people who really need to use the vendor provided
> interpreter from being able to do so.
> Why might someone need to use the distro provided interpreter?
> * Vendor provides some python modules in their system packages which are
> not installable from pip (possibly even a proprietary extension module, so
> not even buildable from source or copyable from the system location) which
> the end user needs to use to do something to their system.
> * End user writes a python module which is a plugin to a system tool which
> has to be installed into the system python to from which that system tool
> runs.  The user then wants to write a script which uses the system tool
> with the plugin in order to do something to their system outside of the
> system tool (perhaps the system tool is GUI-driven and the user wants to
> automate a part of it via the python module).  They need their script to
> use the system python so that they are using the same code as the system
> tool itself would use.
> There's probably other scenarios where the benefits of locking the user
> out of the system python outweigh the benefits but these are the ones that
> I've run across lately.
Agreed.  The convention approach as someone said RHEL 8 has apparently done
with an os distro reserved interpreter (yay) is likely good enough for most

I'd go a *little* further than that and suggest such an os distro reserved
interpreter attempt to prevent installation of packages (ie: remove
pip/ensurepip/distutils) via any other means than the OS package manager
(rpms, debs).  Obviously that can't actually prevent someone from figuring
out how to run getpip or manually installing trees of packages within its
sys.path, but it acts as a deterrent suggesting that this interpreter is
not intended for arbitrary software installation.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/python-dev/attachments/20190228/1aa7fb8d/attachment.html>

More information about the Python-Dev mailing list