[Distutils] Don't Use `sudo pip install´ (was Re: [final version?] PEP 513…)

Noah Kantrowitz noah at coderanger.net
Wed Feb 17 22:08:56 EST 2016


> On Feb 17, 2016, at 5:58 AM, Glyph Lefkowitz <glyph at twistedmatrix.com> wrote:
> 
> 
>> On Feb 16, 2016, at 6:22 PM, Noah Kantrowitz <noah at coderanger.net> wrote:
>> 
>> I'm not concerned with if the module is importable specifically, but I am concerned with where the files will live overall. When building generic ops tooling, being unsurprising is almost always the right move and I would be surprised if supervisor installed to a custom virtualenv.
> 
> Would you not be surprised if installing supervisord upgraded e.g. `six´ or `setuptools´ and broke apport? or lsb_release? or dnf?  This type of version conflict is of course rare, but it is always possible, and every 'pip install' takes the system from a supported / supportable state to "???" depending on the dependencies of every other tool which may have been installed (and pip doesn't have a constraint solver for its dependencies, so you don't even know if the system gets formally broken by two explicitly conflicting requirements).
> 
>> It's a weird side effect of Python not having a great solution for "application packaging" I guess? We've got standards for web-ish applications, but not much for system services. I'm not saying I think creating an isolated "global-ish" environment would be worse, I'm saying nothing does that right now and I personally don't want to be the first because that brings a lot of pain with it :-)
> 
> What makes the web-ish stuff "standard" is just that a lot of people are doing it.  So a lot of people should start doing this, and then it will also be a standard :-).
> 
> I can tell you that on systems where I've done this sort of thing, it has surprised no-one that I'm aware of and I have not had any issues to speak of.  So I think you might be overestimating the risk.
> 
> In fairness though I've never written a clear explanation anywhere of why this is desirable; it strikes me as obvious but it is clearly not the present best-practice, which means somebody needs to do some thought-leadering.  So I owe you a blog post.

Saying it's a good idea and we should move towards it is fine and I agree, but that isn't grounds to remove the ability to do things the current way. So you can warn people off from global installs but until there is at least some community awareness of this other way to do things we can't remove support entirely. It's going to be a very slow deprecation process.

--Noah