[Python-modules-team] Bug#771794: pip silently removes/updates system provided python packages

Scott Kitterman debian at kitterman.com
Wed Dec 3 03:38:16 UTC 2014


On Tuesday, December 02, 2014 19:28:20 Donald Stufft wrote:
> > On Dec 2, 2014, at 6:32 PM, Scott Kitterman <debian at kitterman.com> wrote:
> > 
> > Assuming the maintainer doesn't decide to downgrade the bug (which I think
> > is unlikely and a number of people would object to, so I think we can
> > ignore it as a possibility), the decision to ignore the bug for Jessie
> > belongs with the release team.  If we choose not to fix it (and there's
> > no Non-Maintainer Upload), then they will decide to either remove the
> > package or ignore the bug.
> > 
> > Since this particular issue is release critical, the December 5th deadline
> > isn't relevant to a targeted fix just for this issue.
> > 
> > Scott K
> 
> So the issue here is that pip is removing apt “owned” files implicitly
> during an upgrade right? Looking at easy_install there’s no Serious bug
> there and the primary difference between what will happen if you
> easy_install something and pip install something is that pip might remove
> files from /usr/lib. In both cases the items installed by both solutions
> will be in /usr/local/lib.
> 
> So what if Debian just patched python-pip so that it doesn’t remove the
> files from /usr/lib (but it would remove files from /usr/local etc). This
> would have the effect of pip not touching dpkg owned files which would
> bring it in line with what easy_install does. /usr/local/lib takes
> precedence over /usr/lib so it won’t break things for people actually
> trying to install things to /usr/local.
> 
> There *might* be some edge cases that occur with having two versions of a
> package on sys.path, but I can’t think of any offhand (and either way,
> those edge cases already exist if someone does
> ``apt-get install python-requests && pip install --upgrade requests`` and
> then later on Debian releases a new update to python-requests since those
> files that pip removed will get reinstalled in that situation).
> 
> That should fix the immediate problem this bug addresses and then we can
> figure out a longer term “real” fix in upstream pip that can go into
> Jessie+1.

Speaking only for myself, I think that sounds reasonable.

It's well established I believe in Debian Python usage that if a user installs 
packages in /usr/local and breaks their system, they are on their own, so I'm 
not particularly worried about the edge cases for having the same python 
package installed in /usr/lib and /usr/local, it's on whoever installed stuff 
in /usr/local.

Being no more broken than easy_install seems like a reasonable compromise to 
me.

Scott K
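
The policy proposed in the quoted message (leave files under /usr/lib alone, still remove files under /usr/local, and rely on /usr/local/lib coming first on sys.path), sketched as an added example; it is not code from pip or from any Debian patch. The function names and sample paths are constructed for illustration.

```python
import posixpath

# Assumption: dpkg-owned modules live under /usr/lib; /usr/local is the admin's.
PROTECTED_PREFIXES = ("/usr/lib",)


def is_protected(path, prefixes=PROTECTED_PREFIXES):
    """True if path, once normalized, sits inside a protected tree."""
    norm = posixpath.normpath(path)
    # Compare whole components so /usr/lib does not match /usr/libexec,
    # and collapse ".." so a /usr/lib path cannot pose as /usr/local.
    # Symlinks are not resolved here.
    return any(norm == p or norm.startswith(p + "/") for p in prefixes)


def plan_removal(old_files):
    """Split an old version's files into (remove, leave_in_place)."""
    remove, keep = [], []
    for f in old_files:
        (keep if is_protected(f) else remove).append(f)
    return remove, keep


def winning_copy(sys_path, copies):
    """Return the sys.path entry whose copy of a package is imported first."""
    present = {posixpath.normpath(c) for c in copies}
    for entry in sys_path:
        if posixpath.normpath(entry) in present:
            return entry
    return None


# Constructed sample data, not taken from a real system.
OLD_FILES = [
    "/usr/lib/python2.7/dist-packages/requests/__init__.py",
    "/usr/local/lib/python2.7/dist-packages/requests/__init__.py",
    "/usr/local/lib/../../lib/python2.7/dist-packages/requests/api.py",
    "/usr/libexec/helper.py",
]
SYS_PATH = [
    "/usr/local/lib/python2.7/dist-packages",
    "/usr/lib/python2.7/dist-packages",
]

if __name__ == "__main__":
    remove, keep = plan_removal(OLD_FILES)
    print("remove:", remove)
    print("leave :", keep)
    print("import wins from:", winning_copy(SYS_PATH, SYS_PATH))
```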


