From: bugzilla-noreply@freebsd.org
To: ports-bugs@FreeBSD.org
Subject: [Bug 265176] lang/python3* distributes ensurepip, etc, which can break devel/py-pip and devel/py-setuptools
Date: Tue, 12 Jul 2022 17:00:49 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=265176

            Bug ID: 265176
           Summary: lang/python3* distributes ensurepip, etc, which can
                    break devel/py-pip and devel/py-setuptools
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: Individual Port(s)
          Assignee: python@FreeBSD.org
          Reporter: ngie@FreeBSD.org
             Flags: maintainer-feedback?(python@FreeBSD.org)

The python interpreter provides setuptools/pip along with the interpreter for
bootstrapping the pip and setuptools packages:
https://docs.python.org/3/library/ensurepip.html .

Using ensurepip from python is wrought with headaches though; using it can
break systems in the following scenarios:

1. lang/python310 distributes pip/setuptools version X, whereas devel/py-pip
requires pip/setuptools version Y. If version X > version Y and `python3.10 -m
ensurepip --upgrade` is run by root, ensurepip will upgrade the system package
versions of pip/setuptools, resulting in files being installed to the system
site-packages which no longer match the devel/py-pip@py310 installed files.

2. The root user has a non-permissive umask (007). If `python3.10 -m ensurepip
--upgrade` is run as root, the packages installed will not be accessible to
unprivileged users (depending on group ownership), rendering packages which
rely on setuptools (and the libraries it provides) unusable to unprivileged
users.

ensurepip should be completely removed from lang/python3* and instead provided
as a separate standalone package, e.g., devel/py-ensurepip, OR (better yet)
just removed from lang/python3*, requiring the end-user to rely on devel/py-pip
and devel/py-setuptools packages explicitly. The latter option is how other
*nix distributions (CentOS Linux, Debian Linux) have dealt with this potential
pitfall.

More discussion about this can be found in PEP-453:
https://peps.python.org/pep-0453/ .

-- 
You are receiving this mail because:
You are the assignee for the bug.
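
An audit for the two scenarios in the report above, added here as an example; it is not part of the bug report or of the FreeBSD ports tree. The function names and the simulated `setuptools` tree are assumptions made for illustration.

```python
import os
import site
import stat
import tempfile
from importlib import metadata
from pathlib import Path

def unreadable_by_others(root):
    """Paths under root that users outside the owner/group cannot use."""
    bad = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = Path(dirpath) / name
            mode = path.lstat().st_mode
            if stat.S_ISLNK(mode):
                continue
            # Files need o+r; directories need o+r and o+x to be traversed.
            need = stat.S_IROTH | (stat.S_IXOTH if stat.S_ISDIR(mode) else 0)
            if mode & need != need:
                bad.append(str(path.relative_to(root)))
    return sorted(bad)

def simulate_install(mask):
    """Constructed sample: write a package tree under `mask`, then audit it."""
    old = os.umask(mask)
    try:
        with tempfile.TemporaryDirectory() as sp:
            pkg = Path(sp) / "setuptools"
            pkg.mkdir()                           # 0o777 & ~mask
            (pkg / "__init__.py").write_text("")  # 0o666 & ~mask
            return unreadable_by_others(sp)
    finally:
        os.umask(old)

def pip_versions():
    """(bundled, installed) pip versions; None where unavailable."""
    try:
        import ensurepip
        bundled = ensurepip.version()
    except Exception:  # some distributions strip or patch ensurepip
        bundled = None
    try:
        installed = metadata.version("pip")
    except metadata.PackageNotFoundError:
        installed = None
    return bundled, installed

if __name__ == "__main__":
    # If bundled differs from installed, `ensurepip --upgrade` may overwrite
    # files the package manager has registered for devel/py-pip.
    print("pip bundled/installed:", pip_versions())
    for sp in site.getsitepackages():
        if os.path.isdir(sp):
            print(sp, unreadable_by_others(sp)[:10])
```
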