[Python-modules-team] Bug#771794: pip silently removes/updates system provided python packages

Scott Kitterman debian at kitterman.com
Tue Dec 2 20:41:08 UTC 2014


On Tuesday, December 02, 2014 12:37:40 PM Donald Stufft wrote:
> > On Dec 2, 2014, at 12:25 PM, Daniel Kahn Gillmor <dkg at fifthhorseman.net>
> > wrote:
> >
> > On 12/02/2014 11:51 AM, Donald Stufft wrote:
> >> I'd very much prefer it if you didn't do this. This *is* going to break
> >> things for people and it's going to cause a bunch of confusion.
> > 
> > It's not clear to me which side you're arguing for.  can you clarify
> > which action is going to break things for people and cause a bunch of
> > confusion?
> > 
> > If pip silently removes/updates system-provided python packages, that is
> > likely to break things and cause a bunch of confusion, no?
> > 
> > alternately, if pip verbosely refuses to run as uid 0, that's at least a
> > non-silent failure. (though it certainly will break things and frustrate
> > some people)
> > 
> > 	--dkg
> 
> I’m saying don’t make the change. There are major software systems that
> rely on the ability to install things as root using pip. Chef, puppet, etc.
> 
> It’s also going to cause a bunch of confusion because all of a sudden pip
> is going to have a vastly different behavior if it’s running on Debian vs
> if it’s running somewhere else. That’s going to blow back on us (the pip
> maintainers) as we get bug reports from people who assume we broke their
> use cases for pip.
> 
> We (pip maintainers) recognize this can cause issues and we’d like to
> arrive at a solution that solves this issue without introducing major
> divergence between various platforms and with respect towards the use cases
> that need or require that ability. It’s somewhat of a thorny problem to do
> it correctly, we’re a fairly small team with limited time, and we have
> bigger issues of concern that have taken a front seat.

In the meantime, we have a release to get out the door, so waiting for upstream 
to figure it out in a TBD timeframe isn't a particularly palatable option.

As package maintainers, I think we have a limited set of options available:

1.  Do nothing for now.  Maybe upstream figures out something in time to get a 
fix in for Jessie.  Maybe the release team decides to ignore the bug for 
Jessie.  Maybe the release team removes pip for Jessie.

2.  Disable root/system use.

3.  Make install as --user default and require some suitably named option for 
root/system install.

4.  Install as root by default if permissions allow, but default to --user if 
not instead of just erroring out.

As upstream, do you have a preference if it's not #1?  Are there other options 
that would be better?

Scott K


