--- Begin Message ---
Subject: |
[PATCH 0/3] guix: build: python-build-system: Have applications by default ignore non-Guix libraries in user site dir |
Date: |
Tue, 11 Jul 2023 20:12:12 +0200 |
Python applications used to prioritize loading their libraries from so-called
"user site dir" (usually in ~/.local/lib/python<VERSION>/site-packages). The
libraries would only be loaded from /gnu/store when not found in the user site
dir. This used to cause hard-to-diagnose bugs like [1] when a user happened to
have a similar but incompatible version of a library installed via pip.
These patches modify the python-build-system's procedure responsible for
wrapping executables. The modified proc defines a PYTHONNOUSERSITE variable
which makes Python applications disregard the user site dir when loading
libraries.
While this solution does harden most Python applications, it can also break a
few ones like pip that operate on the user site dir itself. To work around
that, the second patch introduces a change to pip to allow installing to the
user site directory even when PYTHONNOUSERSITE is set by the Guix-created
wrapper script.
The third patch adds a boolean argument called disable-user-site? to
python-build-system. Packagers can set this argument to #f on per-package
basis to disable the hardening behavior in case it breaks some
application. Note that in the long run, it might be beneficial (although more
time-consuming) to leave disable-user-site? as #t everywhere and instead
modify the problematic applications — as done here with python-pip. It might
even be practical to only merge the first 2 patches from this series.
Please note that virtualenvs and packages that operate on them are likely
unaffected by this change. The initial bug doesn't even occur with
virtualenvs.
I tested the changes with
./pre-inst-env guix shell -C --network --no-cwd python-xmldiff coreutils
python-pip
pip install xmldiff==2.4
echo > ~/.local/lib/python3.10/site-packages/xmldiff/main.py
xmldiff --help
Without any patches, the 4th line fails. With the patches applied, the 4th
line succeeds and prints xmldiff's usage info
[1] https://issues.guix.gnu.org/63912
Wojtek Kosior (3):
guix: build: python-build-system: Don't process user site dir
gnu: python-pip: Enable user site even with PYTHONNOUSERSITE
guix: build: python-build-system: Honor disable-user-site? argument
gnu/packages/python-build.scm | 10 +++++++++-
guix/build-system/python.scm | 2 ++
guix/build/python-build-system.scm | 27 ++++++++++++++++++---------
3 files changed, 29 insertions(+), 10 deletions(-)
base-commit: 67e22584faaa558c2a5834a5013d77660ec45e85
--
2.40.1
--- End Message ---
--- Begin Message ---
Subject: |
Re: bug#64573: [PATCH 0/3] guix: build: python-build-system: Have applications by default ignore non-Guix libraries in user site dir |
Date: |
Wed, 26 Jul 2023 11:14:51 +0200 |
> Hello, I think we can let pip just break as other distros (eg: ArchLinux
> and Debian) with PEP-668.
>
> https://gitlab.archlinux.org/archlinux/packaging/packages/python/-/blob/main/EXTERNALLY-MANAGED
> https://pythonspeed.com/articles/externally-managed-environment-pep-668/
> https://peps.python.org/pep-0668/#recommendations-for-distros
>
> With usage guide towards virtual environments, guix shell, or pipx
> (not packaged yet).
>
> Consider other distros does the same thing, this should be safer.
>
> What do you think? 🤔
You're right, making pip break and recommend pipx seems like the right
thing to do.
I opened a new issue with patches that add python-pipx (haven't done
anything related to the 'EXTERNALLY-MANAGED' file yet, tho).
Thanks,
Wojtek
-- (sig_start)
website: https://koszko.org/koszko.html
fingerprint: E972 7060 E3C5 637C 8A4F 4B42 4BC5 221C 5A79 FD1A
follow me on Fediverse: https://friendica.me/profile/koszko/profile
♥ R29kIGlzIHRoZXJlIGFuZCBsb3ZlcyBtZQ== | ÷ c2luIHNlcGFyYXRlZCBtZSBmcm9tIEhpbQ==
✝ YnV0IEplc3VzIGRpZWQgdG8gc2F2ZSBtZQ== | ? U2hhbGwgSSBiZWNvbWUgSGlzIGZyaWVuZD8=
-- (sig_end)
On Sat, 22 Jul 2023 08:30:04 +0800 宋文武 <iyzsong@envs.net> wrote:
> Wojtek Kosior <koszko@koszko.org> writes:
>
> > Python applications used to prioritize loading their libraries from
> > so-called
> > "user site dir" (usually in ~/.local/lib/python<VERSION>/site-packages). The
> > libraries would only be loaded from /gnu/store when not found in the user
> > site
> > dir. This used to cause hard-to-diagnose bugs like [1] when a user happened
> > to
> > have a similar but incompatible version of a library installed via pip.
> >
> > These patches modify the python-build-system's procedure responsible for
> > wrapping executables. The modified proc defines a PYTHONNOUSERSITE variable
> > which makes Python applications disregard the user site dir when loading
> > libraries.
> >
> > While this solution does harden most Python applications, it can also break
> > a
> > few ones like pip that operate on the user site dir itself. To work around
> > that, the second patch introduces a change to pip to allow installing to the
> > user site directory even when PYTHONNOUSERSITE is set by the Guix-created
> > wrapper script.
>
> Hello, I think we can let pip just break as other distros (eg: ArchLinux
> and Debian) with PEP-668.
>
> https://gitlab.archlinux.org/archlinux/packaging/packages/python/-/blob/main/EXTERNALLY-MANAGED
> https://pythonspeed.com/articles/externally-managed-environment-pep-668/
> https://peps.python.org/pep-0668/#recommendations-for-distros
>
> With usage guide towards virtual environments, guix shell, or pipx
> (not packaged yet).
>
> Consider other distros does the same thing, this should be safer.
>
> What do you think? 🤔
pgpXqc2oG_MLw.pgp
Description: OpenPGP digital signature
--- End Message ---