[Python-3000] [Python-Dev] Reminder: last alphas next Wednesday 07-May-2008

Nick Coghlan ncoghlan at gmail.com
Sun May 4 06:50:45 CEST 2008


Fred Drake wrote:
> On May 3, 2008, at 7:51 AM, skip at pobox.com wrote:
>> Fred asked for a --prefix flag (which is what I was voting on).  I don't
>> really care what you do by default as long as you give me a way to do it
>> differently.
> 
> What's most interesting (to me) is that no one's commented on my note 
> that my preferred approach would be that there's no default at all; the 
> location would have to be specified explicitly.  Whether on the command 
> line or in the distutils configuration doesn't matter, but explicitness 
> should be required.

I thought Christian said something about that defeating one of the main 
points of the PEP - to allow per-user installation of modules to "just 
work" for non-administrators. (It may not have been Christian, and it 
may not have been directly in response to you, but I'm pretty sure I 
read it somewhere in this thread ;)

Anyway, a per-user site-packages directory only "just works" if the 
standard behaviour of a Python installation is to provide access to the 
per-user packages without requiring any additional action on the part of 
the user.

A couple of paragraphs in the PEP may also be of interest to you:

"""For security reasons the user site directory is not added to sys.path 
when the effective user id or group id is not equal to the process uid / 
gid [9]. It's an additional barrier against code injection into suid 
apps. However Python suid scripts must always use the -E and -s option 
or users can sneak in their own code.

The user site directory can be suppressed with a new option -s or the 
environment variable PYTHONNOUSERSITE. The feature can be disabled 
globally by setting site.ENABLE_USER_SITE to the value False. It must be 
set by editing site.py. It can't be altered in sitecustomize.py or later."""

So Python itself turns the feature off automatically for invocation via 
sudo and the like, and the sysadmin can disable the feature completely 
through site.py.

Cheers,
Nick.

-- 
Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia
---------------------------------------------------------------
             http://www.boredomandlaziness.org
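
Added example, not part of the message above or of the PEP: the outcomes the quoted PEP text describes, modelled in `user_site_state`, plus `probe`, which starts a child interpreter and reads back `site.ENABLE_USER_SITE` under `-s`, `PYTHONNOUSERSITE` and `-E`. The function names are hypothetical; the `True`/`False`/`None` values follow the standard library's `site` module.

```python
import os
import subprocess
import sys


def user_site_state(uid, euid, gid, egid, no_user_site=False):
    """Model of the rule quoted from the PEP (hypothetical helper).

    True  -> user site directory is added to sys.path
    False -> suppressed by -s or PYTHONNOUSERSITE
    None  -> suppressed because effective and real ids differ (suid/sgid)
    """
    if no_user_site:
        return False
    if uid != euid or gid != egid:
        return None
    return True


def probe(args=(), env_extra=None):
    """Start a child interpreter and return its site.ENABLE_USER_SITE."""
    # Drop any inherited PYTHONNOUSERSITE so each probe starts from a known state.
    env = {k: v for k, v in os.environ.items() if k != "PYTHONNOUSERSITE"}
    env.update(env_extra or {})
    cmd = [sys.executable, *args, "-c", "import site; print(site.ENABLE_USER_SITE)"]
    out = subprocess.run(cmd, env=env, capture_output=True, text=True, check=True)
    return {"True": True, "False": False, "None": None}[out.stdout.strip()]


def audit():
    """Compare the switches named in the PEP text against the default."""
    return {
        "default": probe(),
        "-s": probe(["-s"]),
        "PYTHONNOUSERSITE=1": probe(env_extra={"PYTHONNOUSERSITE": "1"}),
        # -E makes the interpreter ignore PYTHON* variables, so the variable
        # alone no longer suppresses anything; -s must be given as well.
        "-E, PYTHONNOUSERSITE=1": probe(["-E"], {"PYTHONNOUSERSITE": "1"}),
        "-E -s": probe(["-E", "-s"]),
    }


if __name__ == "__main__":
    for label, state in audit().items():
        print(f"{label:24} ENABLE_USER_SITE={state}")
```

The default row can legitimately read `False` inside a virtual environment that excludes system site-packages, so compare the other rows against it rather than against `True`.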

