From unknown Fri Jun 20 07:17:31 2025
Subject: [bug#64573] [PATCH 0/3] guix: build: python-build-system: Have applications by default ignore non-Guix libraries in user site dir
Resent-From: Wojtek Kosior
Resent-Date: Tue, 11 Jul 2023 18:13:01 +0000
To: 64573@debbugs.gnu.org
Cc: Wojtek Kosior, Lars-Dominik Braun, jgart
X-GNU-PR-Message: report 64573
X-GNU-PR-Package: guix-patches
From: Wojtek Kosior
Date: Tue, 11 Jul 2023 20:12:12 +0200
X-Mailer: git-send-email 2.40.1

Python applications used to prioritize loading their libraries from the
so-called "user site dir" (usually in ~/.local/lib/python/site-packages).
The libraries would only be loaded from /gnu/store when not found in the
user site dir. This used to cause hard-to-diagnose bugs like [1] when a
user happened to have a similar but incompatible version of a library
installed via pip.

These patches modify the python-build-system's procedure responsible for
wrapping executables. The modified proc defines a PYTHONNOUSERSITE
variable which makes Python applications disregard the user site dir
when loading libraries.

While this solution does harden most Python applications, it can also
break a few, like pip, that operate on the user site dir itself. To work
around that, the second patch introduces a change to pip to allow
installing to the user site directory even when PYTHONNOUSERSITE is set
by the Guix-created wrapper script.

The third patch adds a boolean argument called disable-user-site? to
python-build-system. Packagers can set this argument to #f on a
per-package basis to disable the hardening behavior in case it breaks
some application.

Note that in the long run, it might be beneficial (although more
time-consuming) to leave disable-user-site? as #t everywhere and instead
modify the problematic applications — as done here with python-pip. It
might even be practical to only merge the first 2 patches from this
series.

Please note that virtualenvs and packages that operate on them are
likely unaffected by this change. The initial bug doesn't even occur
with virtualenvs.

I tested the changes with

  ./pre-inst-env guix shell -C --network --no-cwd python-xmldiff coreutils python-pip
  pip install xmldiff==2.4
  echo > ~/.local/lib/python3.10/site-packages/xmldiff/main.py
  xmldiff --help

Without any patches, the 4th line fails. With the patches applied, the
4th line succeeds and prints xmldiff's usage info.

[1] https://issues.guix.gnu.org/63912

Wojtek Kosior (3):
  guix: build: python-build-system: Don't process user site dir
  gnu: python-pip: Enable user site even with PYTHONNOUSERSITE
  guix: build: python-build-system: Honor disable-user-site? argument

 gnu/packages/python-build.scm      | 10 +++++++++-
 guix/build-system/python.scm       |  2 ++
 guix/build/python-build-system.scm | 27 ++++++++++++++++++---------
 3 files changed, 29 insertions(+), 10 deletions(-)

base-commit: 67e22584faaa558c2a5834a5013d77660ec45e85
--
2.40.1

Subject: [bug#64573] [PATCH 1/3] guix: build: python-build-system: Don't process user site dir
Resent-From: Wojtek Kosior
Resent-Date: Tue, 11 Jul 2023 18:15:01 +0000
To: 64573@debbugs.gnu.org
Cc: Wojtek Kosior, Lars-Dominik Braun, jgart
From: Wojtek Kosior
Date: Tue, 11 Jul 2023 20:14:38 +0200
Message-Id: <9a11c2f1af6036714c5e998ddf2554f34da4ffe2.1689093931.git.koszko@koszko.org>
X-Mailer: git-send-email 2.40.1

* guix/build/python-build-system.scm (wrap): Define PYTHONNOUSERSITE for
programs so they don't incorrectly pick up local, pip-installed
libraries.
---
 guix/build/python-build-system.scm | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/guix/build/python-build-system.scm b/guix/build/python-build-system.scm
index aa04664b25..93aafc4aa9 100644
--- a/guix/build/python-build-system.scm
+++ b/guix/build/python-build-system.scm
@@ -241,12 +241,16 @@ (define* (wrap #:key inputs outputs #:allow-other-keys) (define %sh (delay (search-input-file inputs "bin/bash"))) (define (sh) (force %sh)) - (let* ((var `("GUIX_PYTHONPATH" prefix - ,(search-path-as-string->list - (or (getenv "GUIX_PYTHONPATH") ""))))) + (let* ((var-pythonpath `("GUIX_PYTHONPATH" prefix + ,(search-path-as-string->list + (or (getenv "GUIX_PYTHONPATH") "")))) + ;; Harden applications by preventing Python from automatically + ;; picking up libraries in user site directory. + (var-usersite '("PYTHONNOUSERSITE" = ("GUIX_WRAPPER")))) (for-each (lambda (dir) (let ((files (list-of-files dir))) - (for-each (cut wrap-program <> #:sh (sh) var) + (for-each (cut wrap-program <> #:sh (sh) + var-pythonpath var-usersite) files))) bindirs))) -- 2.40.1 From unknown Fri Jun 20 07:17:31 2025 X-Loop: help-debbugs@gnu.org Subject: [bug#64573] [PATCH 2/3] gnu: python-pip: Enable user site even with PYTHONNOUSERSITE Resent-From: Wojtek Kosior Original-Sender: "Debbugs-submit" Resent-CC: lars@6xq.net, jgart@dismail.de, guix-patches@gnu.org Resent-Date: Tue, 11 Jul 2023 18:15:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 64573 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: 64573@debbugs.gnu.org Cc: Wojtek Kosior , Lars-Dominik Braun , jgart X-Debbugs-Original-Xcc: Lars-Dominik Braun , jgart Received: via spool by 64573-submit@debbugs.gnu.org id=B64573.168909929526899 (code B ref 64573); Tue, 11 Jul 2023 18:15:02 +0000 Received: (at 64573) by debbugs.gnu.org; 11 Jul 2023 18:14:55 +0000 Received: from localhost ([127.0.0.1]:51011 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1qJHt0-0006zh-OX for submit@debbugs.gnu.org; Tue, 11 Jul 2023 14:14:55 -0400 Received: from koszko.org ([93.95.227.159]:49660) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1qJHsy-0006zX-EY for 64573@debbugs.gnu.org; Tue, 11 Jul 2023 14:14:53 -0400 DKIM-Signature: 
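Review bot: `(var-usersite '("PYTHONNOUSERSITE" = ("GUIX_WRAPPER")))` in the wrap hunk uses `=`, so the wrapper exports the variable into the process environment rather than only configuring the wrapped program: every interpreter the application later spawns, including a user's own non-Guix python3, inherits it and also skips its user site, and a PYTHONNOUSERSITE the user set deliberately is silently replaced. Since Python only tests that the variable is non-empty, the 'GUIX_WRAPPER' value is purely a sentinel for other packages to recognise; the comment above the binding should state both points so packagers know what the hardening costs.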
From: Wojtek Kosior
Date: Tue, 11 Jul 2023 20:14:39 +0200
Message-Id: <6165ff7042c6d1269a471924e7e383be04f6c0da.1689093931.git.koszko@koszko.org>
X-Mailer: git-send-email 2.40.1

* gnu/packages/python-build.scm (python-pip): Patch pip to allow
installing to user site dir when PYTHONNOUSERSITE is set by Guix wrapper
script to 'GUIX_WRAPPER' string.
---
 gnu/packages/python-build.scm | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/gnu/packages/python-build.scm b/gnu/packages/python-build.scm
index 154c97e9e4..54d12f3fdc 100644
--- a/gnu/packages/python-build.scm
+++ b/gnu/packages/python-build.scm
@@ -269,7 +269,15 @@ (define-public python-pip "0jnk639v9h7ghslm4jnlic6rj3v29nygflx1hgxxndg5gs4kk1a0")))) (build-system python-build-system) (arguments - '(#:tests? #f)) ; there are no tests in the pypi archive. + `(#:tests? #f ;there are no tests in the pypi archive + #:phases + (modify-phases %standard-phases + (add-after 'unpack 'allow-installing-to-user-site + (lambda _ + (substitute* "src/pip/_internal/commands/install.py" + (("( *if not site\\.ENABLE_USER_SITE):" match if-clause) + (string-append if-clause + " and not os.environ['PYTHONNOUSERSITE'] == 'GUIX_WRAPPER':")))))))) (home-page "https://pip.pypa.io/") (synopsis "Package manager for Python software") (description -- 2.40.1 From unknown Fri Jun 20 07:17:31 2025 X-Loop: help-debbugs@gnu.org Subject: [bug#64573] [PATCH 3/3] guix: build: python-build-system: Honor disable-user-site? argument Resent-From: Wojtek Kosior Original-Sender: "Debbugs-submit" Resent-CC: lars@6xq.net, jgart@dismail.de, guix-patches@gnu.org Resent-Date: Tue, 11 Jul 2023 18:15:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 64573 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: 64573@debbugs.gnu.org Cc: Wojtek Kosior , Lars-Dominik Braun , jgart X-Debbugs-Original-Xcc: Lars-Dominik Braun , jgart Received: via spool by 64573-submit@debbugs.gnu.org id=B64573.168909929626907 (code B ref 64573); Tue, 11 Jul 2023 18:15:02 +0000 Received: (at 64573) by debbugs.gnu.org; 11 Jul 2023 18:14:56 +0000 Received: from localhost ([127.0.0.1]:51013 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1qJHt2-0006zv-74 for submit@debbugs.gnu.org; Tue, 11 Jul 2023 14:14:56 -0400 Received: from koszko.org ([93.95.227.159]:49662) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1qJHsz-0006ze-LY for 64573@debbugs.gnu.org; Tue, 11 Jul 2023 14:14:54 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=koszko.org; s=mail; 
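Review bot: the substituted condition `and not os.environ['PYTHONNOUSERSITE'] == 'GUIX_WRAPPER':` is only evaluated once site.ENABLE_USER_SITE is already false, and those are exactly the situations in which the variable may be unset (pip started as `python3 -m pip`, which goes through no Guix wrapper, inside a virtualenv or with mismatched uid/euid), where the subscript raises KeyError and turns pip's CommandError into a traceback; use `os.environ.get('PYTHONNOUSERSITE') != 'GUIX_WRAPPER'` instead. Also confirm that install.py already imports os, since the substitution adds a reference without adding an import, and drop the unused `match` binding in the substitute* clause.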
From: Wojtek Kosior Date: Tue, 11 Jul 2023 20:14:40 +0200 Message-Id: X-Mailer: git-send-email 2.40.1 In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Score: -0.0 (/) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.0 (-) * guix/build/python-build-system.scm (wrap): Only define the PYTHONNOUSERSITE wrapper variable if keyword argument disable-user-site? evaluates to true. * guix/build-system/python.scm (python-build): Pass disable-user-site? argument to the build side with the default of #t. --- guix/build-system/python.scm | 2 ++ guix/build/python-build-system.scm | 31 +++++++++++++++++------------- 2 files changed, 20 insertions(+), 13 deletions(-) diff --git a/guix/build-system/python.scm b/guix/build-system/python.scm index cca009fb28..dd86cbd4bf 100644 --- a/guix/build-system/python.scm +++ b/guix/build-system/python.scm @@ -171,6 +171,7 @@ (define* (python-build name inputs (tests? #t) (test-target "test") (use-setuptools? #t) + (disable-user-site? #t) (configure-flags ''()) (phases '%standard-phases) (outputs '("out")) @@ -192,6 +193,7 @@ (define* (python-build name inputs #:source #+source #:configure-flags #$configure-flags #:use-setuptools? #$use-setuptools? + #:disable-user-site? #$disable-user-site? #:system #$system #:test-target #$test-target #:tests? #$tests? diff --git a/guix/build/python-build-system.scm b/guix/build/python-build-system.scm index 93aafc4aa9..959d062bb2 100644 --- a/guix/build/python-build-system.scm +++ b/guix/build/python-build-system.scm @@ -11,6 +11,7 @@ ;;; Copyright © 2020 Efraim Flashner ;;; Copyright © 2021 Lars-Dominik Braun ;;; Copyright © 2021 Maxime Devos +;;; Copyright © 2023 Wojtek Kosior ;;; ;;; This file is part of GNU Guix. ;;; 
@@ -222,7 +223,7 @@ (define* (install #:key inputs outputs (configure-flags '()) use-setuptools? (invoke "python" "-m" "compileall" "--invalidation-mode=unchecked-hash" out)))) -(define* (wrap #:key inputs outputs #:allow-other-keys) +(define* (wrap #:key inputs outputs disable-user-site? #:allow-other-keys) (define (list-of-files dir) (find-files dir (lambda (file stat) (and (eq? 'regular (stat:type stat)) 
@@ -241,18 +242,22 @@ (define* (wrap #:key inputs outputs #:allow-other-keys) (define %sh (delay (search-input-file inputs "bin/bash"))) (define (sh) (force %sh)) - (let* ((var-pythonpath `("GUIX_PYTHONPATH" prefix - ,(search-path-as-string->list - (or (getenv "GUIX_PYTHONPATH") "")))) - ;; Harden applications by preventing Python from automatically - ;; picking up libraries in user site directory. - (var-usersite '("PYTHONNOUSERSITE" = ("GUIX_WRAPPER")))) - (for-each (lambda (dir) - (let ((files (list-of-files dir))) - (for-each (cut wrap-program <> #:sh (sh) - var-pythonpath var-usersite) - files))) - bindirs))) + (let ((vars (filter identity + `(("GUIX_PYTHONPATH" prefix + ,(search-path-as-string->list + (or (getenv "GUIX_PYTHONPATH") ""))) + ;; Harden applications by preventing Python from + ;; automatically picking up libraries in user site + ;; directory. + ,(and disable-user-site? + '("PYTHONNOUSERSITE" = ("GUIX_WRAPPER"))))))) + (for-each (lambda (var) + (for-each (lambda (dir) + (let ((files (list-of-files dir))) + (for-each (cut wrap-program <> #:sh (sh) var) + files))) + bindirs)) + vars))) (define* (rename-pth-file #:key name inputs outputs #:allow-other-keys) "Rename easy-install.pth to NAME.pth to avoid conflicts between packages -- 2.40.1 From unknown Fri Jun 20 07:17:31 2025 X-Loop: help-debbugs@gnu.org Subject: [bug#64573] [PATCH 0/3] guix: build: python-build-system: Have applications by default ignore non-Guix libraries in user site dir Resent-From: Lars-Dominik Braun Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Sun, 16 Jul 2023 08:56:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 64573 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: Wojtek Kosior Cc: 64573@debbugs.gnu.org, jgart Received: via spool by 64573-submit@debbugs.gnu.org id=B64573.16894977533973 (code B ref 64573); Sun, 16 Jul 2023 08:56:02 +0000 Received: (at 64573) by debbugs.gnu.org; 16 Jul 2023 
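Review bot: the new loop in the wrap hunk nests `(for-each (lambda (var) (for-each (lambda (dir) ...` so wrap-program is now called once per variable for every executable, whereas the replaced code passed var-pythonpath and var-usersite together in a single call; with both variables enabled each file is wrapped twice, which relies on wrap-program extending an already existing wrapper and doubles the work for no gain. Keep the `(filter identity ...)` list but apply it in one call per file: `(for-each (lambda (file) (apply wrap-program file #:sh (sh) vars)) files)`. Separately, the python.scm hunks add the keyword to python-build only; since the new `(wrap #:key inputs outputs disable-user-site? ...)` defaults the argument to #f when it is not passed, any other build system that reuses this phase (pyproject-build-system, as noted later in the thread) gets no hardening until it forwards the argument too.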
Date: Sun, 16 Jul 2023 10:55:38 +0200
From: Lars-Dominik Braun
Content-Type: text/plain; charset=utf-8

Hi,

> These patches modify the python-build-system's procedure responsible for
> wrapping executables. The modified proc defines a PYTHONNOUSERSITE variable
> which makes Python applications disregard the user site dir when loading
> libraries.

if we’re patching applications like pip anyways, what stops us from just
setting site.ENABLE_USER_SITE to False globally in Python’s site.py?

Note that our python package currently (unfortunately) bundles and
exposes pip (through the pip3 command), which would not be affected by
your change to the python-pip package.

Also note that we have *two* build systems for Python right now
(python-build-system and pyproject-build-system) and the new flag
disable-user-site? would have to be added to both, even though they
share the wrap phase.
Cheers,
Lars

Subject: [bug#64573] [PATCH 0/3] guix: build: python-build-system: Have applications by default ignore non-Guix libraries in user site dir
Resent-From: Wojtek Kosior
Resent-Date: Mon, 17 Jul 2023 14:24:02 +0000
To: Lars-Dominik Braun
Cc: 64573@debbugs.gnu.org, jgart
Date: Mon, 17 Jul 2023 16:23:08 +0200
From: Wojtek Kosior
Message-ID: <20230717162308.7aea435b.koszko@koszko.org>
X-Mailer: Claws Mail 4.1.1 (GTK 3.24.37; x86_64-pc-linux-gnu)

Hi, thanks for reviewing the series

> > These patches modify the python-build-system's procedure responsible for
> > wrapping executables. The modified proc defines a PYTHONNOUSERSITE variable
> > which makes Python applications disregard the user site dir when loading
> > libraries.
>
> if we’re patching applications like pip anyways, what stops us from
> just setting site.ENABLE_USER_SITE to False globally in Python’s
> site.py?

I think it would need to be set to True, not False, to have the desired
effect on the Guix-installed pip application.

However, we want our change to only affect applications installed with
Guix. So that the user could theoretically still do e.g.

  python3 -m pip install --ignore-installed pip
  ~/.local/bin/pip install xmldiff

Rn I don't see a better way to achieve this than patching
python-build-system and applications like pip.

> Note that our python package currently (unfortunately) bundles and
> exposes pip (through the pip3 command), which would not be affected by
> your change to the python-pip package.

I haven't been aware of that, thanks. Fortunately, the bundled pip is
also unaffected by the change to python-build-system. So although this
patch series fails to harden it, it doesn't break it either.
> Also note that we have *two* build systems for Python right now
> (python-build-system and pyproject-build-system) and the new flag
> disable-user-site? would have to be added to both, even though they
> share the wrap phase.

Fair point, thanks. Should I send an updated patch series that also adds
this flag to pyproject-build-system? And should I include a patch that
modifies python's bundled pip analogously to how I did with the
python-pip package?

Best,
Wojtek

Subject: [bug#64573] [PATCH 0/3] guix: build: python-build-system: Have applications by default ignore non-Guix libraries in user site dir
Resent-From: Lars-Dominik Braun
Resent-Date: Tue, 18 Jul 2023 09:43:01 +0000
To: Wojtek Kosior
Cc: 64573@debbugs.gnu.org, jgart
Date: Tue, 18 Jul 2023 11:41:48 +0200
From: Lars-Dominik Braun
In-Reply-To: <20230717162308.7aea435b.koszko@koszko.org>

Hi,

> I think it would need to be set to True, not False, to have the desired
> effect on Guix-installed pip application.

To clarify, the comment in site.py says

set it to False to disable the feature or True to force the feature

and my impression was that we want to disable the user site dir by default
(i.e. disable the feature), right?

> However, we want our change to only affect applications installed with
> Guix. So that the user could theoretically still do e.g.
>
> python3 -m pip install --ignore-installed pip
> ~/.local/bin/pip install xmldiff
>
> Rn I don't see a better way to achieve this than patching
> python-build-system and applications like pip.

I can still `python3 -m pip install` with the explicit `--user` switch,
even when the user site dir is disabled globally via
ENABLE_USER_SITE=False. The only thing that changes is the default search
path. So that library will only be available if I explicitly add
.local/lib/pythonX/site-packages to PYTHONPATH. Shouldn’t that also solve
the original issue of Guix-installed applications picking up random
libraries from the user site dir?
Cheers,
Lars

Date: Tue, 18 Jul 2023 14:55:47 +0200
From: Wojtek Kosior
To: Lars-Dominik Braun

Hi again!

> > I think it would need to be set to True, not False, to have the desired
> > effect on Guix-installed pip application.
>
> to clarify, the comment in site.py says
>
> set it to False to disable the feature or True to force the feature
>
> and my impression was that we want to disable the user site dir by default
> (i.e. disable the feature), right?

Oh, you were right. For some reason I previously misunderstood what you
actually wanted to change.

> > However, we want our change to only affect applications installed with
> > Guix. So that the user could theoretically still do e.g.
> >
> > python3 -m pip install --ignore-installed pip
> > ~/.local/bin/pip install xmldiff
> >
> > Rn I don't see a better way to achieve this than patching
> > python-build-system and applications like pip.
>
> I can still `python3 -m pip install` with the explicit `--user`
> switch, even when the user site dir is disabled globally via
> ENABLE_USER_SITE=False. The only thing that changes is the default
> search path. So that library will only be available if I explicitly add
> .local/lib/pythonX/site-packages to PYTHONPATH.

It's useful to know `--user` does the job here.
> Shouldn’t that also solve the original issue of Guix-installed
> applications picking up random libraries from the user site dir.

Yes, it should. I still see some benefits of using PYTHONNOUSERSITE env
var, though.

1. The hardening can be easily disabled for a single application if some
   not yet known need arises[1].
2. The change is limited to just applications — people running `python3`
   shall have it behave just as it used to so far.
3. As a result of 2., there's no need to explicitly add something to
   PYTHONPATH when using the user site dir.

I'm trying to imagine what I'd expect if I were just starting to use Guix.
And I believe there'd be least astonishment if both the user site dir
were working out-of-the-box and the applications were working
independently of what one puts in that dir.

During this discussion one more idea came to mind. There might exist a
different way of solving the problem. I.e. to keep user site dir enabled,
then make
- GUIX_PYTHONPATH take precedence over both user site dir and PYTHONPATH
  whenever a Guix-installed application is launched through its wrapper
  and
- PYTHONPATH with user site dir take precedence over GUIX_PYTHONPATH in
  all other cases.

This probably wouldn't require patching applications like pip. And would
also leave the control over the PYTHONNOUSERSITE variable and the option
it affects to the user.

Should I try doing this?

Wojtek

[1] Perhaps with ENABLE_USER_SITE=False this can also be achieved by the
`-S` flag to Python (although won't this approach be less reliable?).

-- (sig_start)
website: https://koszko.org/koszko.html
fingerprint: E972 7060 E3C5 637C 8A4F 4B42 4BC5 221C 5A79 FD1A
follow me on Fediverse: https://friendica.me/profile/koszko/profile

♥ R29kIGlzIHRoZXJlIGFuZCBsb3ZlcyBtZQ== | ÷ c2luIHNlcGFyYXRlZCBtZSBmcm9tIEhpbQ==
✝ YnV0IEplc3VzIGRpZWQgdG8gc2F2ZSBtZQ== | ? U2hhbGwgSSBiZWNvbWUgSGlzIGZyaWVuZD8=
-- (sig_end)
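The search-order question Lars and Wojtek are working through above (PYTHONPATH versus the user site dir versus GUIX_PYTHONPATH, and what PYTHONNOUSERSITE, a patched ENABLE_USER_SITE=False, or a wrapper-level precedence rule each change) is easier to reason about with a small model. The following is an added example, not code from the thread or from Guix: the directory names are constructed, and the ordering rules are a simplification of what the thread describes, not a reimplementation of CPython's site.py or of Guix's wrapper scripts.

```python
"""Model of which copy of a Python module wins under the policies discussed.

Added example, not Guix code.  The rules below are a deliberate
simplification of the search order described in the thread (PYTHONPATH,
then the user site dir, then the Guix-provided directories), not a
reimplementation of CPython's site.py or of Guix's wrapper scripts.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample locations (assumptions for the model, not real paths).
USER_SITE = "/home/alice/.local/lib/python3.10/site-packages"
STORE_XMLDIFF = "/gnu/store/aaaa-python-xmldiff-2.4/lib/python3.10/site-packages"
STORE_STDLIB = "/gnu/store/bbbb-python-3.10/lib/python3.10"


@dataclass
class Env:
    """The knobs the thread talks about, as seen by one interpreter start."""
    pythonpath: List[str] = field(default_factory=list)       # PYTHONPATH
    guix_pythonpath: List[str] = field(default_factory=list)  # GUIX_PYTHONPATH
    no_user_site: bool = False      # PYTHONNOUSERSITE=1, or the -s / -I flags
    enable_user_site: bool = True   # site.ENABLE_USER_SITE (False if patched out)
    user_site_exists: bool = True   # site.py skips a user site dir that is absent


def search_path(env: Env, wrapped_app: bool = False,
                wrapper_precedence: bool = False) -> List[str]:
    """Directories consulted in order (the stdlib is listed last for brevity).

    wrapped_app        - the process was started through a Guix wrapper
    wrapper_precedence - Wojtek's alternative: a wrapper puts GUIX_PYTHONPATH
                         ahead of both PYTHONPATH and the user site dir
    """
    user_site_active = (env.enable_user_site and not env.no_user_site
                        and env.user_site_exists)
    user_part = [USER_SITE] if user_site_active else []
    if wrapped_app and wrapper_precedence:
        return env.guix_pythonpath + env.pythonpath + user_part + [STORE_STDLIB]
    return env.pythonpath + user_part + env.guix_pythonpath + [STORE_STDLIB]


def first_match(path: List[str], copies: Dict[str, List[str]],
                module: str) -> Optional[str]:
    """Return the first directory on `path` that holds `module`, or None."""
    locations = set(copies.get(module, []))
    for directory in path:
        if directory in locations:
            return directory
    return None


# Constructed scenario from the cover letter: a stale xmldiff in the user
# site dir shadows the one Guix installed into the store.
COPIES = {"xmldiff": [USER_SITE, STORE_XMLDIFF]}


def which_xmldiff(env: Env, wrapped_app: bool = False,
                  wrapper_precedence: bool = False) -> Optional[str]:
    return first_match(search_path(env, wrapped_app, wrapper_precedence),
                       COPIES, "xmldiff")


def scenarios() -> Dict[str, Optional[str]]:
    """The cases argued in the thread, each mapped to the directory that wins."""
    guix = [STORE_XMLDIFF]
    return {
        # status quo: the user site dir shadows the store copy (bug #63912)
        "unpatched wrapper": which_xmldiff(Env(guix_pythonpath=guix), wrapped_app=True),
        # patch 1: the wrapper exports PYTHONNOUSERSITE
        "PYTHONNOUSERSITE wrapper": which_xmldiff(
            Env(guix_pythonpath=guix, no_user_site=True), wrapped_app=True),
        # Lars: site.ENABLE_USER_SITE patched to False for the whole interpreter
        "ENABLE_USER_SITE=False": which_xmldiff(
            Env(guix_pythonpath=guix, enable_user_site=False), wrapped_app=True),
        # ... and the user opts back in by putting the user site dir on PYTHONPATH
        "ENABLE_USER_SITE=False + PYTHONPATH": which_xmldiff(
            Env(pythonpath=[USER_SITE], guix_pythonpath=guix, enable_user_site=False),
            wrapped_app=True),
        # Wojtek's alternative: precedence decided by the wrapper, not by a flag
        "wrapper precedence, wrapped app": which_xmldiff(
            Env(guix_pythonpath=guix), wrapped_app=True, wrapper_precedence=True),
        "wrapper precedence, plain python3": which_xmldiff(
            Env(guix_pythonpath=guix), wrapped_app=False, wrapper_precedence=True),
    }


if __name__ == "__main__":
    for name, winner in scenarios().items():
        print(f"{name:40s} -> {winner}")
```

The model makes the trade-off explicit: every hardening variant moves the store copy ahead of the user site copy for the wrapped application, and they differ only in what a plain `python3` or a user who deliberately sets PYTHONPATH gets.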
From: 宋文武
Date: Sat, 22 Jul 2023 08:30:04 +0800
In-Reply-To: Wojtek Kosior's message of "Tue, 11 Jul 2023 20:12:12 +0200"

Wojtek Kosior writes:

> Python applications used to prioritize loading their libraries from so-called
> "user site dir" (usually in ~/.local/lib/python/site-packages). The
> libraries would only be loaded from /gnu/store when not found in the user site
> dir. This used to cause hard-to-diagnose bugs like [1] when a user happened to
> have a similar but incompatible version of a library installed via pip.
>
> These patches modify the python-build-system's procedure responsible for
> wrapping executables. The modified proc defines a PYTHONNOUSERSITE variable
> which makes Python applications disregard the user site dir when loading
> libraries.
>
> While this solution does harden most Python applications, it can also break a
> few ones like pip that operate on the user site dir itself. To work around
> that, the second patch introduces a change to pip to allow installing to the
> user site directory even when PYTHONNOUSERSITE is set by the Guix-created
> wrapper script.

Hello, I think we can let pip just break as other distros (eg: ArchLinux
and Debian) with PEP-668.
https://gitlab.archlinux.org/archlinux/packaging/packages/python/-/blob/main/EXTERNALLY-MANAGED
https://pythonspeed.com/articles/externally-managed-environment-pep-668/
https://peps.python.org/pep-0668/#recommendations-for-distros

With usage guide towards virtual environments, guix shell, or pipx (not
packaged yet).

Considering other distros do the same thing, this should be safer.

What do you think? 🤔

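The EXTERNALLY-MANAGED mechanism 宋文武 points to (PEP 668) is small enough to show end to end. The following is an added example, not code from the thread, from Guix or from pip: it writes a marker file of the kind the linked Arch Linux file is, and reads it back the way PEP 668 specifies (an INI file named EXTERNALLY-MANAGED in the interpreter's stdlib directory, parsed with configparser, with the message in the Error key of the [externally-managed] section). The temporary directory and the message text are constructed for the demonstration.

```python
"""PEP 668 EXTERNALLY-MANAGED marker: write one and detect one.

Added example, not code from pip or Guix.  PEP 668 specifies the marker as
an INI file named EXTERNALLY-MANAGED in sysconfig.get_path("stdlib"),
whose [externally-managed] section carries an Error key with the text an
installer should show instead of installing into the system environment.
"""
import configparser
import os
import sysconfig
import tempfile
from typing import Optional, Tuple

MARKER_NAME = "EXTERNALLY-MANAGED"

# Constructed message; a real distro would word this for its own tooling.
SAMPLE_MESSAGE = (
    "This Python installation is managed by Guix.\n"
    "To install a package for a project, use a virtual environment or\n"
    "'guix shell'; to install a command-line tool, use pipx."
)


def write_marker(stdlib_dir: str, message: str) -> str:
    """Create the marker file under stdlib_dir and return its path."""
    parser = configparser.ConfigParser(interpolation=None)
    parser["externally-managed"] = {"Error": message}
    path = os.path.join(stdlib_dir, MARKER_NAME)
    with open(path, "w", encoding="utf-8") as handle:
        parser.write(handle)  # multi-line values are written as indented continuations
    return path


def externally_managed_error(stdlib_dir: Optional[str] = None) -> Optional[str]:
    """Return the Error text if the interpreter at stdlib_dir is marked, else None.

    With no argument this inspects the running interpreter, which is what an
    installer such as pip does before touching the system site-packages.
    """
    if stdlib_dir is None:
        stdlib_dir = sysconfig.get_path("stdlib")
    path = os.path.join(stdlib_dir, MARKER_NAME)
    if not os.path.isfile(path):
        return None
    parser = configparser.ConfigParser(interpolation=None)  # messages may contain '%'
    parser.read(path, encoding="utf-8")
    # A marker that exists but carries no Error text still means "externally
    # managed"; PEP 668 tells installers to fall back to a generic message.
    return parser.get("externally-managed", "Error",
                      fallback="This environment is externally managed.")


def demo() -> Tuple[Optional[str], Optional[str]]:
    """Simulate a stdlib dir before and after a distro drops in the marker."""
    with tempfile.TemporaryDirectory() as fake_stdlib:
        before = externally_managed_error(fake_stdlib)
        write_marker(fake_stdlib, SAMPLE_MESSAGE)
        after = externally_managed_error(fake_stdlib)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before marker:", before)
    print("after marker :", after)
    print("this interpreter:", externally_managed_error())
```

With the marker in place, pip refuses to install into the system site-packages and prints the Error text; the user must either work in a virtual environment, use pipx, or pass pip's explicit `--break-system-packages` override. That is the "let pip just break" behaviour the message above proposes.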
From: help-debbugs@gnu.org (GNU bug Tracking System)
To: Wojtek Kosior
Subject: bug#64573: closed (Re: bug#64573: [PATCH 0/3] guix: build: python-build-system: Have applications by default ignore non-Guix libraries in user site dir)
Date: Wed, 26 Jul 2023 09:15:02 +0000

Your bug report

#64573: [PATCH 0/3] guix: build: python-build-system: Have applications by default ignore non-Guix libraries in user site dir

which was filed against the guix-patches package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 64573@debbugs.gnu.org.
--
64573: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=64573
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems

Date: Wed, 26 Jul 2023 11:14:51 +0200
From: Wojtek Kosior
To: 宋文武
Cc: jgart, Lars-Dominik Braun, 64573-close@debbugs.gnu.org
Subject: Re: bug#64573: [PATCH 0/3] guix: build: python-build-system: Have applications by default ignore non-Guix libraries in user site dir

> Hello, I think we can let pip just break as other distros (eg: ArchLinux
> and Debian) with PEP-668.
>
> https://gitlab.archlinux.org/archlinux/packaging/packages/python/-/blob/main/EXTERNALLY-MANAGED
> https://pythonspeed.com/articles/externally-managed-environment-pep-668/
> https://peps.python.org/pep-0668/#recommendations-for-distros
>
> With usage guide towards virtual environments, guix shell, or pipx
> (not packaged yet).
>
> Considering other distros do the same thing, this should be safer.
>
> What do you think? 🤔

You're right, making pip break and recommend pipx seems like the right
thing to do. I opened a new issue with patches that add python-pipx
(haven't done anything related to the 'EXTERNALLY-MANAGED' file yet, tho).
Thanks,
Wojtek

-- (sig_start)
website: https://koszko.org/koszko.html
fingerprint: E972 7060 E3C5 637C 8A4F 4B42 4BC5 221C 5A79 FD1A
follow me on Fediverse: https://friendica.me/profile/koszko/profile

♥ R29kIGlzIHRoZXJlIGFuZCBsb3ZlcyBtZQ== | ÷ c2luIHNlcGFyYXRlZCBtZSBmcm9tIEhpbQ==
✝ YnV0IEplc3VzIGRpZWQgdG8gc2F2ZSBtZQ== | ? U2hhbGwgSSBiZWNvbWUgSGlzIGZyaWVuZD8=
-- (sig_end)

From: Wojtek Kosior
To: guix-patches@gnu.org
Subject: [PATCH 0/3] guix: build: python-build-system: Have applications by default ignore non-Guix libraries in user site dir
Date: Tue, 11 Jul 2023 20:12:12 +0200
X-Debbugs-Cc: Lars-Dominik Braun, jgart

Python applications used to prioritize loading their libraries from so-called
"user site dir" (usually in ~/.local/lib/python/site-packages). The
libraries would only be loaded from /gnu/store when not found in the user site
dir. This used to cause hard-to-diagnose bugs like [1] when a user happened to
have a similar but incompatible version of a library installed via pip.

These patches modify the python-build-system's procedure responsible for
wrapping executables. The modified proc defines a PYTHONNOUSERSITE variable
which makes Python applications disregard the user site dir when loading
libraries.

While this solution does harden most Python applications, it can also break a
few ones like pip that operate on the user site dir itself.
To work around that, the second patch introduces a change to pip to allow
installing to the user site directory even when PYTHONNOUSERSITE is set by the
Guix-created wrapper script.

The third patch adds a boolean argument called disable-user-site? to
python-build-system. Packagers can set this argument to #f on a per-package
basis to disable the hardening behavior in case it breaks some application.

Note that in the long run, it might be beneficial (although more
time-consuming) to leave disable-user-site? as #t everywhere and instead modify
the problematic applications — as done here with python-pip. It might even be
practical to only merge the first 2 patches from this series.

Please note that virtualenvs and packages that operate on them are likely
unaffected by this change. The initial bug doesn't even occur with virtualenvs.

I tested the changes with

    ./pre-inst-env guix shell -C --network --no-cwd python-xmldiff coreutils python-pip
    pip install xmldiff==2.4
    echo > ~/.local/lib/python3.10/site-packages/xmldiff/main.py
    xmldiff --help

Without any patches, the 4th line fails. With the patches applied, the 4th
line succeeds and prints xmldiff's usage info.

[1] https://issues.guix.gnu.org/63912

Wojtek Kosior (3):
  guix: build: python-build-system: Don't process user site dir
  gnu: python-pip: Enable user site even with PYTHONNOUSERSITE
  guix: build: python-build-system: Honor disable-user-site? argument

 gnu/packages/python-build.scm      | 10 +++++++++-
 guix/build-system/python.scm       |  2 ++
 guix/build/python-build-system.scm | 27 ++++++++++++++++++---------
 3 files changed, 29 insertions(+), 10 deletions(-)


base-commit: 67e22584faaa558c2a5834a5013d77660ec45e85
--
2.40.1
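The reproduction in the cover letter boils down to one question: does `import xmldiff` resolve to ~/.local or to /gnu/store? The following is an added example, not part of the patch series or of Guix: a check that asks the running interpreter where it would load each named module from and flags the ones coming from the user site dir, which is exactly the shadowing the patches set out to prevent. Module names on the command line are the caller's; /gnu/store is assumed to be where Guix-provided packages live, and the paths in the tests are constructed.

```python
"""Report which modules the running interpreter would load from the user site dir.

Added example, not part of Guix or of the patch series.  It asks the import
system (importlib.util.find_spec) where each named module resolves and
flags the ones coming from site.getusersitepackages(), i.e. the copies that
would shadow what /gnu/store provides.  Run it through a Guix wrapper and
through a plain python3 to see the difference PYTHONNOUSERSITE makes.
"""
import importlib.util
import os
import site
import sys
from typing import Dict, Iterable, Optional, Tuple

STORE_PREFIX = "/gnu/store"  # assumption: where Guix-provided packages live


def _under(path: str, directory: str) -> bool:
    """True if path is directory itself or lies below it."""
    path = os.path.normpath(path)
    directory = os.path.normpath(directory)
    return path == directory or path.startswith(directory + os.sep)


def classify_origin(origin: Optional[str], user_site: str,
                    store_prefix: str = STORE_PREFIX) -> str:
    """Classify a module spec's origin: 'user-site', 'store', 'builtin' or 'other'."""
    if origin is None or origin in ("built-in", "frozen"):
        return "builtin"
    if _under(origin, user_site):
        return "user-site"
    if _under(origin, store_prefix):
        return "store"
    return "other"


def resolve(module_names: Iterable[str],
            user_site: Optional[str] = None) -> Dict[str, Tuple[Optional[str], str]]:
    """Map each importable top-level module to (origin, classification)."""
    if user_site is None:
        user_site = site.getusersitepackages()
    found = {}
    for name in module_names:
        try:
            spec = importlib.util.find_spec(name)
        except (ImportError, ValueError):
            spec = None
        if spec is None:
            continue  # not importable at all, so nothing can be shadowed
        found[name] = (spec.origin, classify_origin(spec.origin, user_site))
    return found


def find_shadowed(module_names: Iterable[str],
                  user_site: Optional[str] = None) -> Dict[str, Optional[str]]:
    """Return {module: origin} for modules that would come from the user site dir."""
    return {name: origin
            for name, (origin, kind) in resolve(module_names, user_site).items()
            if kind == "user-site"}


def main(argv) -> int:
    names = argv[1:] or ["xmldiff"]  # the module from the reproduction above
    print(f"user site dir : {site.getusersitepackages()}")
    print(f"no_user_site  : {bool(sys.flags.no_user_site)} (PYTHONNOUSERSITE / -s)")
    for name, (origin, kind) in resolve(names).items():
        print(f"{name:20s} {kind:10s} {origin}")
    # Non-zero exit when anything resolves to the user site dir, so the check
    # can gate a test run the way the cover letter's 4th line does.
    return 1 if find_shadowed(names) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Started through a wrapper that exports PYTHONNOUSERSITE, `sys.flags.no_user_site` is set and the user site copy is never a candidate, so the check reports the store origin; started as a plain `python3`, the same command shows the ~/.local copy whenever one exists.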