[Python-modules-team] Bug#744145: Bug#744145: pip3 breaks after upgrading requests

Chris Kuehl ckuehl at ocf.berkeley.edu
Mon Jan 26 18:25:12 UTC 2015


Hi Stefano,

On Mon, Jan 26, 2015 at 05:12:42AM +0200, Stefano Rivera wrote:
> I don't think I consider this bug to be RC. Debian packages have
> declared dependencies on other Debian packages. Replacing one with
> something newer from upstream is quite likely to break things.

Thanks for responding. I do understand your reasoning behind not
considering the bug for jessie.

For the sake of documenting this bug better, I probably should have
explained my reasoning a bit more clearly. I'm afraid that the impact of the
bug, particularly on upgrades, is likely to be pretty widespread:

* On wheezy, if someone installs requests to system site-packages, pip
  will work fine. After an upgrade to jessie, pip is broken and cannot
  be fixed without rm-ing the appropriate directory (pip uninstall won't
  work, either).

* As far as I'm aware, vendorizing (and on Debian, de-vendorizing) is
  new with the version of pip included with jessie, so the behavior that
  installing a different requests version (or some other devendorized
  library, such as colorama) can permanently break pip is new.

* The default option is to install system-wide (i.e. --user is not
  implicit for non-root, #725848), and site-packages installs are still
  very common, especially when one desires to have a Python binary
  packaged on PyPI installed system-wide.

It's very easy for a user to back themselves into a corner, especially
given that once requests has been installed, there is no easy or
obvious way to fix pip.

I wonder whether such a change should at least be documented in the
release notes, even if we can't address it because of the freeze?

> "sudo pip" on a Debian box is dangerous, don't do that, and rather use
> virtualenvs, if you need to go off the beaten track.

I agree with this, but I'm afraid that it's still a very common
practice. It's not hard to find articles advising users to run `pip` as
root, and I suspect that such recommendations will be the first result
when an unsuspecting user searches pip errors on Google.

Thanks and happy Monday,
Chris
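
The shadowing described in the message above, as an added example that is not part of the original email or of pip: a check that reports when a copy of a de-vendored library outside the distribution's package directory comes first on the import path. The `/usr/lib` prefix, the function names and the temporary layout built in `demo()` are assumptions made for illustration.

```python
import os
import sys
import tempfile

# The two de-vendored libraries named in the message; extend as needed.
DEVENDORED = ("requests", "colorama")

def find_copies(name, search_path):
    """Return each directory on search_path that holds an importable
    copy of `name` (package or single module), in import order."""
    hits = []
    for entry in search_path:
        pkg = os.path.join(entry, name, "__init__.py")
        mod = os.path.join(entry, name + ".py")
        if os.path.isfile(pkg) or os.path.isfile(mod):
            hits.append(entry)
    return hits

def shadowed(search_path, managed_prefix, names=DEVENDORED):
    """Map name -> (winning_dir, packaged_dir) when a copy outside
    managed_prefix precedes the packaged copy on search_path."""
    report = {}
    for name in names:
        copies = find_copies(name, search_path)
        packaged = [d for d in copies if d.startswith(managed_prefix)]
        if packaged and not copies[0].startswith(managed_prefix):
            report[name] = (copies[0], packaged[0])
    return report

def demo():
    """Constructed layout: a local site directory listed ahead of a
    distribution directory, with requests present in both."""
    root = tempfile.mkdtemp()
    local = os.path.join(root, "local", "dist-packages")
    distro = os.path.join(root, "distro", "dist-packages")
    for d, pkgs in ((local, ["requests"]), (distro, ["requests", "colorama"])):
        for p in pkgs:
            os.makedirs(os.path.join(d, p))
            open(os.path.join(d, p, "__init__.py"), "w").close()
    return shadowed([local, distro], os.path.join(root, "distro")), local, distro

if __name__ == "__main__":
    # Assumption: distribution-packaged modules live under /usr/lib.
    for name, (winner, packaged) in shadowed(sys.path, "/usr/lib").items():
        print(f"{name}: {winner} shadows the packaged copy in {packaged}")
```

The first directory in each reported pair is the one the message says has to be removed by hand, since `pip uninstall` no longer works at that point.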


