bug#64573: closed ([PATCH 0/3] guix: build: python-build-system: Have ap

emacs-bug-tracker

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#64573: closed ([PATCH 0/3] guix: build: python-build-system: Have ap

From:	GNU bug Tracking System
Subject:	bug#64573: closed ([PATCH 0/3] guix: build: python-build-system: Have applications by default ignore non-Guix libraries in user site dir)
Date:	Wed, 26 Jul 2023 09:15:01 +0000

Your message dated Wed, 26 Jul 2023 11:14:51 +0200
with message-id <20230726111451.4700f17f.koszko@koszko.org>
and subject line Re: bug#64573: [PATCH 0/3] guix: build: python-build-system: 
Have applications by default ignore non-Guix libraries in user site dir
has caused the debbugs.gnu.org bug report #64573,
regarding [PATCH 0/3] guix: build: python-build-system: Have applications by 
default ignore non-Guix libraries in user site dir
to be marked as done.

(If you believe you have received this mail in error, please contact
help-debbugs@gnu.org.)


-- 
64573: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=64573
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems

--- Begin Message --- Subject: [PATCH 0/3] guix: build: python-build-system: Have applications by default ignore non-Guix libraries in user site dir Date: Tue, 11 Jul 2023 20:12:12 +0200

Python applications used to prioritize loading their libraries from so-called
"user site dir" (usually in ~/.local/lib/python<VERSION>/site-packages). The
libraries would only be loaded from /gnu/store when not found in the user site
dir. This used to cause hard-to-diagnose bugs like [1] when a user happened to
have a similar but incompatible version of a library installed via pip.

These patches modify the python-build-system's procedure responsible for
wrapping executables. The modified proc defines a PYTHONNOUSERSITE variable
which makes Python applications disregard the user site dir when loading
libraries.

While this solution does harden most Python applications, it can also break a
few ones like pip that operate on the user site dir itself. To work around
that, the second patch introduces a change to pip to allow installing to the
user site directory even when PYTHONNOUSERSITE is set by the Guix-created
wrapper script.

The third patch adds a boolean argument called disable-user-site? to
python-build-system. Packagers can set this argument to #f on per-package
basis to disable the hardening behavior in case it breaks some
application. Note that in the long run, it might be beneficial (although more
time-consuming) to leave disable-user-site? as #t everywhere and instead
modify the problematic applications — as done here with python-pip. It might
even be practical to only merge the first 2 patches from this series.

Please note that virtualenvs and packages that operate on them are likely
unaffected by this change. The initial bug doesn't even occur with
virtualenvs.


I tested the changes with

    ./pre-inst-env guix shell -C --network --no-cwd python-xmldiff coreutils 
python-pip
    pip install xmldiff==2.4
    echo > ~/.local/lib/python3.10/site-packages/xmldiff/main.py
    xmldiff --help

Without any patches, the 4th line fails. With the patches applied, the 4th
line succeeds and prints xmldiff's usage info


[1] https://issues.guix.gnu.org/63912


Wojtek Kosior (3):
  guix: build: python-build-system: Don't process user site dir
  gnu: python-pip: Enable user site even with PYTHONNOUSERSITE
  guix: build: python-build-system: Honor disable-user-site? argument

 gnu/packages/python-build.scm      | 10 +++++++++-
 guix/build-system/python.scm       |  2 ++
 guix/build/python-build-system.scm | 27 ++++++++++++++++++---------
 3 files changed, 29 insertions(+), 10 deletions(-)


base-commit: 67e22584faaa558c2a5834a5013d77660ec45e85
-- 
2.40.1

--- End Message ---

--- Begin Message --- Subject: Re: bug#64573: [PATCH 0/3] guix: build: python-build-system: Have applications by default ignore non-Guix libraries in user site dir Date: Wed, 26 Jul 2023 11:14:51 +0200

> Hello, I think we can let pip just break as other distros (eg: ArchLinux
> and Debian) with PEP-668.
> 
> https://gitlab.archlinux.org/archlinux/packaging/packages/python/-/blob/main/EXTERNALLY-MANAGED
> https://pythonspeed.com/articles/externally-managed-environment-pep-668/
> https://peps.python.org/pep-0668/#recommendations-for-distros
> 
> With usage guide towards virtual environments, guix shell, or pipx
> (not packaged yet).
> 
> Consider other distros does the same thing, this should be safer.
> 
> What do you think?  🤔

You're right, making pip break and recommend pipx seems like the right
thing to do.

I opened a new issue with patches that add python-pipx (haven't done
anything related to the 'EXTERNALLY-MANAGED' file yet, tho).

Thanks,
Wojtek

-- (sig_start)
website: https://koszko.org/koszko.html
fingerprint: E972 7060 E3C5 637C 8A4F  4B42 4BC5 221C 5A79 FD1A
follow me on Fediverse: https://friendica.me/profile/koszko/profile

♥ R29kIGlzIHRoZXJlIGFuZCBsb3ZlcyBtZQ== | ÷ c2luIHNlcGFyYXRlZCBtZSBmcm9tIEhpbQ==
✝ YnV0IEplc3VzIGRpZWQgdG8gc2F2ZSBtZQ== | ? U2hhbGwgSSBiZWNvbWUgSGlzIGZyaWVuZD8=
-- (sig_end)


On Sat, 22 Jul 2023 08:30:04 +0800 宋文武 <iyzsong@envs.net> wrote:

> Wojtek Kosior <koszko@koszko.org> writes:
> 
> > Python applications used to prioritize loading their libraries from 
> > so-called
> > "user site dir" (usually in ~/.local/lib/python<VERSION>/site-packages). The
> > libraries would only be loaded from /gnu/store when not found in the user 
> > site
> > dir. This used to cause hard-to-diagnose bugs like [1] when a user happened 
> > to
> > have a similar but incompatible version of a library installed via pip.
> >
> > These patches modify the python-build-system's procedure responsible for
> > wrapping executables. The modified proc defines a PYTHONNOUSERSITE variable
> > which makes Python applications disregard the user site dir when loading
> > libraries.
> >
> > While this solution does harden most Python applications, it can also break 
> > a
> > few ones like pip that operate on the user site dir itself. To work around
> > that, the second patch introduces a change to pip to allow installing to the
> > user site directory even when PYTHONNOUSERSITE is set by the Guix-created
> > wrapper script.  
> 
> Hello, I think we can let pip just break as other distros (eg: ArchLinux
> and Debian) with PEP-668.
> 
> https://gitlab.archlinux.org/archlinux/packaging/packages/python/-/blob/main/EXTERNALLY-MANAGED
> https://pythonspeed.com/articles/externally-managed-environment-pep-668/
> https://peps.python.org/pep-0668/#recommendations-for-distros
> 
> With usage guide towards virtual environments, guix shell, or pipx
> (not packaged yet).
> 
> Consider other distros does the same thing, this should be safer.
> 
> What do you think?  🤔

pgpXqc2oG_MLw.pgp
Description: OpenPGP digital signature

--- End Message ---

[Prev in Thread]

Current Thread

[Next in Thread]

bug#64573: closed ([PATCH 0/3] guix: build: python-build-system: Have applications by default ignore non-Guix libraries in user site dir), GNU bug Tracking System <=

Prev by Date: bug#64820: closed ([PATCH] gnu: rvvm: Add rvvm.)
Next by Date: bug#64847: closed (Emacs 29 RC1 takes around 25ms longer to start without config and about 25ms with config)
Previous by thread: bug#64820: closed ([PATCH] gnu: rvvm: Add rvvm.)
Next by thread: bug#64847: closed (Emacs 29 RC1 takes around 25ms longer to start without config and about 25ms with config)
Index(es):
- Date
- Thread