On 04/29/2014 05:12 AM, Steve Dower wrote:
> This would be an incredibly painful change that would surprise and hurt a lot of
> people.

Hi, I think "incredibly painful" is overstating the case a bit. ;) We're talking about an installer default, a setting that would still be changeable as it always has been, that by definition will only affect brand new installs.

> Yes, it is possible for a non-admin user to install arbitrary packages into a
> place where an admin user may inadvertently run it, thereby providing escalation
> of privilege. On the other hand, that applies to a lot of development tools,
> especially since most users on Windows these days are actually limited
> administrators - ANYTHING they install could run when they elevate a certain
> process.

None of Microsoft's Dev tools install to C:\, rather to ProgramFiles. The fact that another security issue may exist is not a good justification for creating an additional one.

> On the other hand, Python from python.org is a tool that should only be
> installed by those who are prepared to manage it. On Windows it is easy enough
> to have a second, secured copy for your admin scripts and an unsecured copy for
> non-admin tasks.

This sounds like the perspective of someone highly technical, forgetting that new users will be installing Python as well and vastly outnumber us. "Normal people" need help to avoid security issues.

Microsoft's guidelines on where to install software are clear, and don't make exceptions that "tools" should be installed to the root of the drive to bypass file system permissions, for convenience.

> I'm not sure what change you are proposing here... doesn't the installer already
> have an option to add to PATH? I'm sure I keep disabling it.

No, it does not.  Unless it got slipped in when I wasn't looking.

It should be an option though, I think everyone would agree.

> "python.exe" on my PATH because I have 10+ versions installed at any one time. I

Remember, python-dev's are not the target users of this package, and are a rather minuscule fraction of the user base.

> Python installation. At this point, 2.7.6->2.7.7 should be an incredibly safe
> upgrade, and there's no way to safely change the default installation location

This would continue to be the case, as the installer will recognize the previously installed Python 2.7 and use its setting. This should affect only *brand new installs.*

> or the ACLs on the install directory.

No ACLs would be affected or changed or even thought about. Simply installing to the correct folder (on new installs) will accomplish the goal.

In short, this design of restricted permissions (read-only) for binaries and PATH conveniences goes back decades under Unix and other OSes. MS Windows has finally caught up in the security department in the last few releases. Please don't keep us back in the "bad old days" of DOS where everything was installed to the root folder.

--
-Mike

_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
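
The thread's concern is an install directory that non-admin users can write to and that an administrator may later run code from. The following is an added example, not part of the original message or of the Python installer: it flags write access granted to low-privileged groups in `icacls` listings. The sample listings, the group list and the function names are constructed for illustration.

```python
import re

# English principal names, lowercased; localized Windows uses other names (assumption).
LOW_PRIV = {"builtin\\users", "nt authority\\authenticated users",
            "nt authority\\interactive", "everyone"}
# icacls rights that let a principal create or change files.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "GW", "GA"}
ACE_RE = re.compile(r"^(?P<who>.+?):(?P<flags>(?:\([^)]+\))+)$")

# Constructed sample listings, keyed by directory. On a live system each value
# would be subprocess.run(["icacls", d], capture_output=True, text=True).stdout
SAMPLE = {
    r"C:\Python27": r"""
C:\Python27 BUILTIN\Administrators:(I)(OI)(CI)(F)
            NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
            BUILTIN\Users:(I)(OI)(CI)(RX)
            NT AUTHORITY\Authenticated Users:(I)(M)
            NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)
""",
    r"C:\Program Files\Python27": r"""
C:\Program Files\Python27 NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                          BUILTIN\Administrators:(I)(OI)(CI)(F)
                          BUILTIN\Users:(I)(OI)(CI)(RX)
""",
}

def risky_aces(path, icacls_text):
    """Return sorted (principal, right) pairs where a low-privileged group can write."""
    found = set()
    for line in icacls_text.splitlines():
        line = line.strip()
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()  # first ACE line is prefixed with the path
        m = ACE_RE.match(line)
        if not m or m.group("who").lower() not in LOW_PRIV:
            continue  # blank line, summary line, or a privileged principal
        groups = re.findall(r"\(([^)]+)\)", m.group("flags"))
        if "DENY" in groups:
            continue  # a deny entry removes access rather than granting it
        found.update((m.group("who"), r) for g in groups
                     for r in g.split(",") if r in WRITE_RIGHTS)
    return sorted(found)

def audit(acl_by_dir):
    """Map each directory to its risky ACEs, leaving out directories with none."""
    results = {d: risky_aces(d, text) for d, text in acl_by_dir.items()}
    return {d: aces for d, aces in results.items() if aces}

if __name__ == "__main__":
    for directory, aces in audit(SAMPLE).items():
        print(directory, aces)
```

Running the same check over every directory on an administrator's PATH shows which entries a standard user could modify.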