[Catalog-sig] Use user-specific site-packages by default?

Nick Coghlan ncoghlan at gmail.com
Tue Feb 5 12:58:27 CET 2013


On Tue, Feb 5, 2013 at 7:57 PM, Giovanni Bajo <rasky at develer.com> wrote:
> One meta-question: does this mailing-list have any "authority" over pip? Are there any pip maintainers here? Because I see that pip development is being done on different channels, so I was wondering what the workflow is to discuss such modifications.

It's a handy place to get feedback before I post a suggestion to the
pip issue tracker, plus catalog-sig has a nice audience of pip *users*
as well as developers.

As MAL rightly pointed out, the "(when running as anyone other than
root)" part of my suggestion is seriously flawed, and I wasn't clear
that I didn't want to alter pip's default behaviour when run inside a
virtualenv.

So, to clarify, the behaviour I would *like* to see pip exhibiting is
for the default install location to *change*, rather than trying to
install to the system packages directory and then implicitly falling
back to the user directory if that fails. Instead, installing to the
system site-packages would require an explicit "--system" flag.

Desired final behaviour:

Inside a virtual environment:
    pip install pkg: works as now
    pip uninstall pkg: works as now

Ordinary user (no write-access to system site packages):

    pip install pkg: installs to per-user site packages
    pip uninstall pkg: uninstalls from per-user site packages
    pip install --user pkg: installs to per-user site packages
    pip uninstall --user pkg: uninstalls from per-user site packages
    pip install --system pkg: fails (likely with a permissions error)
    pip uninstall --system pkg: fails, even if the package is present
        (likely with a permissions error)

Administrator/root (write-access to system site packages):

    pip install pkg: asks for confirmation before installing to
        per-user site packages
    pip uninstall pkg: asks for confirmation before uninstalling from
        per-user site packages
    pip install --user pkg: installs to per-user site packages
    pip uninstall --user pkg: uninstalls from per-user site packages
    pip install --system pkg: installs to system site packages
    pip uninstall --system pkg: uninstalls from site packages

    Confirmation message: "Warning: the current user has write access
    to the system site-packages directory, but '--system' was not
    specified. Proceed with installation to/uninstallation from the user
    package directory at 'path/to/user/dir'? (y/n)"

Transition:

    For ordinary users, the transitional release would print out a
        warning before proceeding with the installation to the per-user
        site packages
    For admin users, the transitional release would print out a warning
        to start passing "--system", as the behaviour of *not* passing
        that flag is going to change in the next release

Consequences:

  - the harmful "Cannot write to <blah>" -> "Hit it with the sudo
hammer" behaviour is eliminated
  - user packages are hidden from scripts executed as root, even if
the execution of that script neglected the -SE flags
  - users may encounter the situation where a server process (e.g.
mod_wsgi in a local Apache instance) won't be able to see packages in
their user directory. This provides an opportunity to nudge them
towards virtualenv

I see this as very similar to the "install for everyone, or just for
me" model used by modern Windows installers, and the default should be
"just for me", with "install for everyone" needing to be explicitly
requested. It is by no means a comprehensive security solution, but
neither is it meant to be (that's what SELinux is for). It is merely
an early line of defence that aims to avoid getting users into the
habit of running pip with elevated privileges.

Regards,
Nick.

-- 
Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia
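The decision table Nick lays out above, written out as a small Python function so that each of the three cases (virtualenv, ordinary user, administrator) and each flag combination can be exercised directly. This is an added example, not pip's own code or a patch Nick proposed: the names Environment, Decision, detect_environment and resolve_target are hypothetical, and the virtualenv and write-access checks (sys.prefix versus sys.base_prefix/real_prefix, sysconfig, os.access) are one reasonable way to detect those conditions, not necessarily pip's. The post does not say how --user or --system behave inside a virtualenv, so the example assumes they are ignored there and the venv's own site-packages is always used.

```python
"""Install-location policy from the post, as a decision function.

Added example, not pip's code. Environment, Decision, detect_environment
and resolve_target are hypothetical names; the detection method is an
assumption.
"""
import os
import site
import sys
import sysconfig
from dataclasses import dataclass
from typing import Callable, Optional

# Confirmation text from the post, with the verb and path filled in.
WARNING = (
    "Warning: the current user has write access to the system "
    "site-packages directory, but '--system' was not specified. "
    "Proceed with {verb} the user package directory at '{path}'? (y/n)"
)


@dataclass(frozen=True)
class Environment:
    in_virtualenv: bool    # running under a venv/virtualenv?
    system_writable: bool  # can this user write to system site-packages?
    user_site: str         # per-user site-packages directory
    system_site: str       # system (or venv) site-packages directory


@dataclass(frozen=True)
class Decision:
    location: str          # "venv", "user", "system" or "error"
    path: Optional[str]    # directory acted on; None on error
    message: str = ""      # explanation for error/abort cases


def detect_environment() -> Environment:
    """Inspect the running interpreter (assumed detection method)."""
    # venv (3.3+) moves sys.prefix away from sys.base_prefix; the older
    # virtualenv tool sets sys.real_prefix instead.
    in_venv = hasattr(sys, "real_prefix") or sys.prefix != getattr(
        sys, "base_prefix", sys.prefix)
    system_site = sysconfig.get_paths()["purelib"]
    return Environment(
        in_virtualenv=in_venv,
        system_writable=os.access(system_site, os.W_OK),
        user_site=site.getusersitepackages(),
        system_site=system_site,
    )


def resolve_target(env: Environment, action: str = "install",
                   user: bool = False, system: bool = False,
                   confirm: Optional[Callable[[str], bool]] = None) -> Decision:
    """Pick the target directory for `pip <action> [--user|--system] pkg`."""
    if user and system:
        return Decision("error", None, "--user and --system are mutually exclusive")
    # Inside a virtual environment nothing changes: the target is the
    # environment's own site-packages (assumption: flags ignored here).
    if env.in_virtualenv:
        return Decision("venv", env.system_site)
    if system:
        # Explicit --system needs write access; otherwise a permissions
        # error, for uninstall as well, even if the package is present.
        if not env.system_writable:
            return Decision("error", None,
                            "permission denied: %s is not writable" % env.system_site)
        return Decision("system", env.system_site)
    if user:
        return Decision("user", env.user_site)
    # No flag: per-user is the default. A user who *could* have passed
    # --system is asked first, so a forgotten flag does not go unnoticed.
    if env.system_writable:
        verb = "installation to" if action == "install" else "uninstallation from"
        prompt = WARNING.format(verb=verb, path=env.user_site)
        ask = confirm or (lambda msg: input(msg + " ").strip().lower() == "y")
        if not ask(prompt):
            return Decision("error", None, "aborted by user")
    return Decision("user", env.user_site)


if __name__ == "__main__":
    # Show what each flag combination would do for the current interpreter
    # (auto-confirming so the demo does not block on input()).
    current = detect_environment()
    for flags in ({}, {"user": True}, {"system": True}):
        d = resolve_target(current, confirm=lambda _msg: True, **flags)
        print(flags or "(no flag)", "->", d.location, d.path or d.message)
```

Running the module prints the decision for the interpreter it runs under; the three Environment cases from the post can be constructed by hand to check the table without touching a real site-packages directory.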

