On 2/24/2021 4:26 PM, Christian Heimes wrote:
I mean, this is _precisely_ what PEP 370 defines (including the "-s" option and PYTHONNOUSERSITE env variable to provide that one-way isolation). Is the problem that pip doesn't use it by default? Or that the distros went and made patches for the runtime rather than patching pip? (For Windows installs from the Store, where even admin rights can't do an all-users package install, I added a new config file location for pip to change this default, but a patch would also have worked.) Maybe we need an easier way to patch the location of user site packages? I also had to do this for the Store install on Windows, and it's a little bit of a hack... but maybe having an official recommendation would help encourage distributors to use the mechanism?On 24/02/2021 15.16, Random832 wrote:On Wed, Feb 24, 2021, at 06:27, Christian Heimes wrote:Separate directories don't prevent clashes and system breakage. But they provide an easy way to *recover* from a broken system.I think it could be turned into a way to prevent them by A) having site-packages always take precedence over dist-packages [i believe this is already the case] in normal usage and B) providing an option to the interpreter, used by system scripts, to exclude site-packages entirely from the path. Basically, site-packages would effectively be layered on top of "Lib + dist-packages" in a similar way to how a venv is layered on top of the main python installation - the inverse of the suggestion someone else in the thread made for the system python to be a venv. This wouldn't *exactly* be a venv because it wouldn't imply the other things that entering a venv does such as "python" [and script names such as pip] being an alias for the correct version of python, but it would provide the same kind of one-way isolation, whereby the "system environment" can influence the "normal environment" and not vice-versa, in the same way that packages installed in the main installation affect a venv [unless system-site-packages is disabled] but the venv obviously has no effect on the main installation.Yes, you are describing one major aspect of my idea for a system Python interpreter. I'm happy to read that other users are coming to similar conclusions. Instead of an option I'd create a new executable to lock down additional things (e.g. isolated mode, code verification hook). A separate executable would also allow distros to provide a stripped down interpreter that does not cause bad user experience.
Cheers, Steve _______________________________________________ Python-Dev mailing list -- [email protected] To unsubscribe send an email to [email protected] https://mail.python.org/mailman3/lists/python-dev.python.org/ Message archived at https://mail.python.org/archives/list/[email protected]/message/IHEECOXYDPJ6ZQJE2QTGPDOOCOP7J37A/ Code of Conduct: http://python.org/psf/codeofconduct/