Date: Tue, 12 Jul 2022 17:00:49 +0000 From: bugzilla-noreply@freebsd.org To: ports-bugs@FreeBSD.org Subject: [Bug 265176] lang/python3* distributes ensurepip, etc, which can break devel/py-pip and devel/py-setuptools Message-ID: <bug-265176-7788@https.bugs.freebsd.org/bugzilla/>
next in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D265176 Bug ID: 265176 Summary: lang/python3* distributes ensurepip, etc, which can break devel/py-pip and devel/py-setuptools Product: Ports & Packages Version: Latest Hardware: Any OS: Any Status: New Severity: Affects Some People Priority: --- Component: Individual Port(s) Assignee: python@FreeBSD.org Reporter: ngie@FreeBSD.org Assignee: python@FreeBSD.org Flags: maintainer-feedback?(python@FreeBSD.org) The python interpreter provides setuptools/pip along with the interpreter f= or bootstrapping the pip and setuptools packages: https://docs.python.org/3/library/ensurepip.html . Using ensurepip from python is wrought with headaches though; using it can break systems in the following scenarios: 1. lang/python310 distributes pip/setuptools version X, whereas devel/py-pip requires pip/setuptools version Y. If version X > version Y and `python3.10 ensurepip --upgrade` is run by root, ensurepip will upgrade the system pack= age versions of pip/setuptools, resulting in files being installed to the system site-packages which no longer match the devel/py-pip@py310 installed files. 2. The root user has a non-permissive umask (007). If `python3.10 -m ensure= pip --upgrade` is run as root, the packages installed will not be accessible to unprivileged users (depending on group ownership), rendering packages which rely on setuptools (and the libraries it provides) unusable to unprivileged users. ensurepip should be completely removed from lang/python3* and instead provi= ded as a separate standalone package, e.g., devel/py-ensurepip, OR (better yet) just removed from lang/python3*, requiring the end-user to rely on devel/py= -pip and devel/py-setuptools packages explicitly. The latter option is how other *nix distributions (CentOS Linux, Debian Linux) have dealt with this potent= ial pitfall. More discussion about this can be found in PEP-453: https://peps.python.org/pep-0453/ . --=20 You are receiving this mail because: You are the assignee for the bug.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-265176-7788>