Date:      Tue, 12 Jul 2022 17:00:49 +0000
From:      bugzilla-noreply@freebsd.org
To:        python@FreeBSD.org
Subject:   maintainer-feedback requested: [Bug 265176] lang/python3* distributes ensurepip, etc, which can break devel/py-pip and devel/py-setuptools
Message-ID:  <bug-265176-21822-pMbbxWoTe2@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-265176-21822@https.bugs.freebsd.org/bugzilla/>
References:  <bug-265176-21822@https.bugs.freebsd.org/bugzilla/>

Bugzilla Automation <bugzilla@FreeBSD.org> has asked freebsd-python (Nobody)
<python@FreeBSD.org> for maintainer-feedback:
Bug 265176: lang/python3* distributes ensurepip, etc, which can break
devel/py-pip and devel/py-setuptools
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=265176



--- Description ---
The python interpreter provides setuptools/pip along with the interpreter for
bootstrapping the pip and setuptools packages:
https://docs.python.org/3/library/ensurepip.html .

Using ensurepip from python is wrought with headaches though; using it can
break systems in the following scenarios:

1. lang/python310 distributes pip/setuptools version X, whereas devel/py-pip
requires pip/setuptools version Y. If version X > version Y and `python3.10
ensurepip --upgrade` is run by root, ensurepip will upgrade the system package
versions of pip/setuptools, resulting in files being installed to the system
site-packages which no longer match the devel/py-pip@py310 installed files.
2. The root user has a non-permissive umask (007). If `python3.10 -m ensurepip
--upgrade` is run as root, the packages installed will not be accessible to
unprivileged users (depending on group ownership), rendering packages which
rely on setuptools (and the libraries it provides) unusable to unprivileged
users.

ensurepip should be completely removed from lang/python3* and instead provided
as a separate standalone package, e.g., devel/py-ensurepip, OR (better yet)
just removed from lang/python3*, requiring the end-user to rely on devel/py-pip
and devel/py-setuptools packages explicitly. The latter option is how other
*nix distributions (CentOS Linux, Debian Linux) have dealt with this potential
pitfall.

More discussion about this can be found in PEP-453:
https://peps.python.org/pep-0453/ .
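
A check for the second scenario in the report above, added here as an example and not part of the original bug report or of any FreeBSD port: it builds a constructed package tree under a given umask and lists every path that users outside the owner and group cannot read or traverse. The function names and the `examplepkg` tree are hypothetical.

```python
import os
import stat
import tempfile


def simulate_install(root, umask):
    """Create a constructed package tree the way an installer running
    under `umask` would, and return its site-packages directory."""
    old = os.umask(umask)
    try:
        site = os.path.join(root, "site-packages")
        pkg = os.path.join(site, "examplepkg")  # hypothetical package name
        os.makedirs(pkg)  # directories get 0o777 & ~umask
        with open(os.path.join(pkg, "__init__.py"), "w") as fh:  # 0o666 & ~umask
            fh.write("# constructed sample module\n")
    finally:
        os.umask(old)  # always restore the caller's umask
    return site


def find_unreadable_by_others(root):
    """Return sorted paths under `root` that "other" users cannot use.

    Directories need o+r and o+x (list and traverse); regular files need o+r.
    """
    dir_bits = stat.S_IROTH | stat.S_IXOTH
    flagged = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if os.lstat(dirpath).st_mode & dir_bits != dir_bits:
            flagged.append(dirpath)
        for name in filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISREG(mode) and not mode & stat.S_IROTH:
                flagged.append(path)
    return sorted(flagged)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for umask in (0o022, 0o007):
            site = simulate_install(os.path.join(tmp, f"umask-{umask:03o}"), umask)
            bad = find_unreadable_by_others(site)
            print(f"umask {umask:03o}: {len(bad)} path(s) inaccessible to other users")
            for path in bad:
                print(f"  {stat.filemode(os.lstat(path).st_mode)} {path}")
```

To audit a real installation, pass the interpreter's site-packages directory (for example `sysconfig.get_paths()["purelib"]`) to `find_unreadable_by_others`.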


