[Python-modules-team] Bug#771794: pip silently removes/updates system provided python packages

Donald Stufft donald at stufft.io
Wed Dec 3 00:28:20 UTC 2014


> On Dec 2, 2014, at 6:32 PM, Scott Kitterman <debian at kitterman.com> wrote:
> 
> Assuming the maintainer doesn't decide to downgrade the bug (which I think is 
> unlikely and a number of people would object to, so I think we can ignore it 
> as a possibility), the decision to ignore the bug for Jessie belongs with the 
> release team.  If we choose not to fix it (and there's no Non-Maintainer 
> Upload), then they will decide to either remove the package or ignore the bug.
> 
> Since this particular issue is release critical, the December 5th deadline 
> isn't relevant to a targeted fix just for this issue.
> 
> Scott K


So the issue here is that pip is removing apt “owned” files implicitly during
an upgrade, right? Looking at easy_install there’s no Serious bug there and the
primary difference between what will happen if you easy_install something and
pip install something is that pip might remove files from /usr/lib. In both
cases the items installed by both solutions will be in /usr/local/lib.

So what if Debian just patched python-pip so that it doesn’t remove the files
from /usr/lib (but it would remove files from /usr/local etc.)? This would have
the effect of pip not touching dpkg owned files which would bring it in line
with what easy_install does. /usr/local/lib takes precedence over /usr/lib so
it won’t break things for people actually trying to install things to /usr/local.

There *might* be some edge cases that occur with having two versions of a package
on sys.path, but I can’t think of any offhand (and either way, those edge cases
already exist if someone does
``apt-get install python-requests && pip install --upgrade requests`` and then later
on Debian releases a new update to python-requests, since those files that pip
removed will get reinstalled in that situation).

That should fix the immediate problem this bug addresses and then we can figure out
a longer term “real” fix in upstream pip that can go into Jessie+1.

---
Donald Stufft
PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
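
The path policy proposed in the message above, sketched as an added example that is not part of the original message and is not pip's or Debian's actual patch. The function names, the sample file list and the version numbers are hypothetical; the only assumption taken from the message is that /usr/lib is dpkg-owned and /usr/local is not.

```python
import posixpath

# Assumed policy from the proposal: /usr/lib is dpkg-owned, /usr/local is not.
DPKG_OWNED_PREFIXES = ("/usr/lib",)
LOCAL_PREFIXES = ("/usr/local",)

def _under(path, prefix):
    """True if path is prefix itself or lies below it (whole components)."""
    return path == prefix or path.startswith(prefix + "/")

def is_dpkg_owned(path):
    """Classify a path lexically; normpath does not resolve symlinks."""
    norm = posixpath.normpath(path)
    if not norm.startswith("/"):
        return True  # fail closed: never delete a path we cannot place
    norm = "/" + norm.lstrip("/")  # normpath preserves a leading '//'
    if any(_under(norm, p) for p in LOCAL_PREFIXES):
        return False
    return any(_under(norm, p) for p in DPKG_OWNED_PREFIXES)

def plan_removal(paths):
    """Split an uninstall file list into (to_remove, left_in_place)."""
    to_remove, left = [], []
    for p in paths:
        (left if is_dpkg_owned(p) else to_remove).append(p)
    return to_remove, left

def winning_copy(search_path, copies):
    """Return (directory, version) of the first copy found on search_path."""
    for d in search_path:
        if d in copies:
            return d, copies[d]
    return None

# Constructed sample data (hypothetical file list).
SYS_PATH = ["/usr/local/lib/python2.7/dist-packages",
            "/usr/lib/python2.7/dist-packages"]
OLD_FILES = [
    "/usr/lib/python2.7/dist-packages/requests/__init__.py",
    "/usr/local/lib/python2.7/dist-packages/requests/__init__.py",
    "/usr/lib/../local/lib/python2.7/dist-packages/requests/api.py",
    "/usr/libexec/helper",
]

if __name__ == "__main__":
    print(plan_removal(OLD_FILES))
    # Two copies on sys.path: the /usr/local one shadows the dpkg one.
    print(winning_copy(SYS_PATH, {SYS_PATH[0]: "2.5.0", SYS_PATH[1]: "2.4.3"}))
```

The check is prefix-based on whole path components, so /usr/libexec is not mistaken for /usr/lib, and a path that climbs out of /usr/lib with ".." is classified by where it actually ends up.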


