So it seems the best thing would be to have a system-python executable which always runs in isolated mode?
In fact I could imagine that security-conscious distributions would only install system-python by default and relegate the ordinary python to some python-dev package.

Stephan

On 5 Jun 2017 13:06, "Nick Coghlan" <ncogh...@gmail.com> wrote:

> On 5 June 2017 at 19:49, Stephan Houben <stephan...@gmail.com> wrote:
> > What about just adding the -I (isolated mode) flag to the #! line of
> > installed scripts?
>
> Fedora & derivatives generally do do that, but as others noted, it can
> sometimes cause issues with shebang line parsers. It's also easy to
> lose the setting when a subprocess gets started based on
> sys.executable.
>
> Wrapper scripts can be a little more robust (as long as they use -a to
> get sys.executable set appropriately), but things still end up being
> quite intricate and fiddly, and it's hard to prove you've plugged all
> the gaps.
>
> Providing a separate binary with different defaults baked in at build
> time doesn't magically fix everything (since you still need to change
> shebang lines to refer to that binary), but it does make it much
> easier to *stay* in system mode once you're there.
>
> Cheers,
> Nick.
>
> --
> Nick Coghlan | ncogh...@gmail.com | Brisbane, Australia
_______________________________________________
Python-ideas mailing list
Python-ideas@python.org
https://mail.python.org/mailman/listinfo/python-ideas
Code of Conduct: http://python.org/psf/codeofconduct/
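The quoted reply notes that the -I setting is easy to lose when a subprocess is started based on sys.executable. The following is an added example, not part of the original thread, that shows this with a parent started under `-I`; the names `CHILD`, `NAIVE`, `PROPAGATING` and `isolation_chain` are constructed for illustration.

```python
import subprocess
import sys

# Constructed probe: the child prints 1 if it runs in isolated mode.
CHILD = "import sys; print(int(sys.flags.isolated))"

# Parent that re-launches Python the common way, from sys.executable alone.
NAIVE = f"""
import subprocess, sys
child = subprocess.run([sys.executable, "-c", {CHILD!r}],
                       capture_output=True, text=True, check=True)
print(int(sys.flags.isolated), child.stdout.strip())
"""

# Parent that re-applies -I whenever it is itself isolated.
PROPAGATING = f"""
import subprocess, sys
flags = ["-I"] if sys.flags.isolated else []
child = subprocess.run([sys.executable, *flags, "-c", {CHILD!r}],
                       capture_output=True, text=True, check=True)
print(int(sys.flags.isolated), child.stdout.strip())
"""


def isolation_chain(parent_source):
    """Run parent_source under `python -I`.

    Returns (parent_isolated, child_isolated) as booleans.
    """
    result = subprocess.run([sys.executable, "-I", "-c", parent_source],
                            capture_output=True, text=True, check=True)
    parent, child = result.stdout.split()
    return bool(int(parent)), bool(int(child))


if __name__ == "__main__":
    for name, source in (("naive", NAIVE), ("propagating", PROPAGATING)):
        parent, child = isolation_chain(source)
        print(f"{name:12} parent isolated={parent} child isolated={child}")
```

Every place that builds a command line from sys.executable has to repeat the propagation step, which is the "plugging all the gaps" problem the reply describes.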