On Fri, May 25, 2018 at 1:07 PM, Thomas Kluyver <tho...@kluyver.me.uk> wrote:
> On Fri, May 25, 2018, at 6:58 PM, Wes Turner wrote:
>
> > ~/.local/bin is user-writeable. If ~/.local was on PATH or by default, it
> > could potentially preempt/modify the behavior of system libraries and
> > binaries; which is a security risk.
>
> I've heard this argument before, and it doesn't stand up, because files
> like .profile and .bashrc are user writable, and you can use those to add a
> directory to PATH (among many other things). You may be able to come up
> with some corner case where it's possible to modify ~/.local/bin but not
> ~/.profile, but it's pretty clear that this is a post-hoc rationalisation,
> not a real reason.

I think there's a critical distinction to make here. If some tool modifies .profile or .bashrc, it's a big deal. You're playing with the user's experience in a major way. Because of that, tools (such as Anaconda's installer) generally make it an explicitly confirmed change. If .local is on PATH by default (especially up front), people may not understand the shadowing implications of installing some package with pip.

One other point: users of Anaconda already have trouble with --user installs with pip. Users who run into trouble with their installation usually try to remove and reinstall Anaconda. Because .local is not managed by Anaconda, those users get very confused why the uninstall/reinstall doesn't fix their issue.

Having out-of-sysroot locations for packages, such as /usr/local or .local definitely requires more from users. Is it worth it? Maybe. We should be mindful of ways that we can help users understand the locations that they may need to search/clean to resolve problems. Not everyone is advanced enough to look at sys.path or to do something like "troublesome_package.__file__" to figure out why things are misbehaving.

> It's like that, I strongly suspect, just because that's how it's been
> forever, and the people who are inconvenienced by it know how to work
> around it.
>
> Thomas
>
> --
> Distutils-SIG mailing list
> distutils-sig@python.org
> https://mail.python.org/mm3/mailman3/lists/distutils-sig.python.org/
> Message archived at https://mail.python.org/mm3/archives/list/distutils-sig@python.org/message/YAIWB2P3UUBMYU2LJYU7A72P4RTDP64T/
--
Distutils-SIG mailing list
distutils-sig@python.org
https://mail.python.org/mm3/mailman3/lists/distutils-sig.python.org/
Message archived at https://mail.python.org/mm3/archives/list/distutils-sig@python.org/message/Y5QZWCCBTGYKZZQHRWD6NVOP73LPRHIL/
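An added example, not part of the original thread or of pip or Anaconda: a check for the shadowing discussed above, reporting commands whose copy under a user root such as ~/.local comes earlier on PATH than a same-named copy elsewhere. The function names and the temporary-directory layout in `demo()` are constructed for illustration.

```python
import os
import tempfile


def executables(directory):
    """Names of executable regular files in one PATH directory."""
    try:
        names = os.listdir(directory)
    except OSError:  # missing or unreadable entry: the shell skips it as well
        return []
    paths = ((n, os.path.join(directory, n)) for n in sorted(names))
    return [n for n, p in paths if os.path.isfile(p) and os.access(p, os.X_OK)]


def under(path, root):  # True if path is root or lies below it (symlinks resolved)
    path, root = os.path.realpath(path), os.path.realpath(root)
    return os.path.commonpath([path, root]) == root


def shadowed_by_user_dir(path_dirs, user_root):
    """(name, winning_path, hidden_path) where a copy under user_root precedes one outside it."""
    first_seen, findings = {}, []
    for d in path_dirs:
        for name in executables(d):
            winner = first_seen.setdefault(name, d)  # first PATH hit is what runs
            if winner != d and under(winner, user_root) and not under(d, user_root):
                findings.append((name, os.path.join(winner, name), os.path.join(d, name)))
    return findings


def demo():
    """Constructed layout: a fake ~/.local/bin and /usr/bin that both ship 'pip'."""
    with tempfile.TemporaryDirectory() as root:
        user_bin = os.path.join(root, "home", ".local", "bin")
        sys_bin = os.path.join(root, "usr", "bin")
        for d, names in ((user_bin, ["pip", "mytool"]), (sys_bin, ["pip", "ls"])):
            os.makedirs(d)
            for n in names:
                os.close(os.open(os.path.join(d, n), os.O_CREAT | os.O_WRONLY, 0o755))
        local = os.path.join(root, "home", ".local")
        front = shadowed_by_user_dir([user_bin, sys_bin], local)  # user dir first on PATH
        back = shadowed_by_user_dir([sys_bin, user_bin], local)   # user dir last on PATH
        return [f[0] for f in front], [f[0] for f in back]


if __name__ == "__main__":
    dirs = os.environ.get("PATH", "").split(os.pathsep)
    for name, winner, hidden in shadowed_by_user_dir(dirs, os.path.expanduser("~/.local")):
        print(f"{name}: {winner} runs instead of {hidden}")
```

Run directly, it inspects the current PATH against ~/.local; a name is reported only when the user-directory copy is the one that actually wins the lookup.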