Hello Python packagers.
Our pip has a custom patch that warns if "pip install" is run as root (emit-a-warning-when-running-with-root-privileges.patch). That I think is a good idea to have, as many users will still find "sudo pip install" instructions on the Internet and they can potentially nuke their system.
What I realized today is that this warning is visible when we use pip during packaging of rpm packages (e.g. with %pyproject_install):
+ /usr/bin/python3 -m pip install --root /builddir/build/BUILDROOT/python-pytest-4.4.2-0.fc33.x86_64 --no-deps --disable-pip-version-check --progress-bar off --verbose --ignore-installed --no-warn-script-location --no-index --no-cache-dir --find-links pyproject-wheeldir pytest==4.4.2
WARNING: Running pip install with root privileges is generally not a good idea. Try `python3 -m pip install --user` instead.
...
It would be nice if we were able to suppress this warning.
There are several options to handle this I could brainstorm myself:
1) Add a custom --no-warn-root-privileges option and use it in our macros. This is a problem because we are introducing a downstream-only API. When others use this flag with upstream pip, it fails.
2) Hide the warning when $RPM_BUILD_ROOT is set. This sounds good for our macro invocations, however it would also hide the warning when using naïve "pip install foo" in spec. We might want to keep the warning in such cases.
3) Introduce an environment variable (e.g. PIP_NOWARN_ROOT) and set it from our macros. Like (1), this adds a new API, however with upstream pip, it "simply" does nothing.
4) Introduce our warning upstream, but make it opt-in only. Have --warn-root-privileges / --no-warn-root-privileges options. In Fedora, only patch the default value. (We could also propose our defaults upstream, but IIRC there were reservations when we tried to upstream this patch.) IMHO This might be the best approach, but arguably also the most complex one.
5) Hide the warning when --root is set. When using "sudo pip install" with custom --root, users are more likely to do it on purpose and it would remove the warning in all our macros without a need to touch them. IMHO This solution has the best effort/gain ratio.
What do you think?
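The trade-offs between options 2, 3 and 5 above, worked through as an added example (this is not pip's code or the Fedora patch). The policy names, the euid == 0 root check and the four scenarios are constructed assumptions; the PIP_NOWARN_ROOT entry models macros that have already been updated for option 3.

```python
import argparse

def install_opts(argv):
    """Extract --root from a pip-style argv; every other option is ignored."""
    parser = argparse.ArgumentParser(add_help=False, allow_abbrev=False)
    parser.add_argument("--root")
    opts, _unknown = parser.parse_known_args(argv)
    return opts

# Each policy answers: should the root warning be printed?
# Assumption: "running as root" is modelled as an effective UID of 0.
POLICIES = {
    "always": lambda euid, argv, env: euid == 0,
    "option2_rpm_build_root": lambda euid, argv, env:
        euid == 0 and "RPM_BUILD_ROOT" not in env,
    "option3_env_var": lambda euid, argv, env:
        euid == 0 and "PIP_NOWARN_ROOT" not in env,
    "option5_root_flag": lambda euid, argv, env:
        euid == 0 and install_opts(argv).root is None,
}

BUILDROOT = "/builddir/build/BUILDROOT/python-pytest-4.4.2-0.fc33.x86_64"

# Constructed scenarios: (euid, argv after "pip", environment).
SCENARIOS = {
    # Macro invocation; PIP_NOWARN_ROOT is only there if macros were changed.
    "macro_install": (0, ["install", "--root", BUILDROOT, "--no-deps",
                          "--progress-bar", "off", "pytest==4.4.2"],
                      {"RPM_BUILD_ROOT": BUILDROOT, "PIP_NOWARN_ROOT": "1"}),
    # Naive "pip install foo" written directly in a spec file.
    "naive_pip_in_spec": (0, ["install", "foo"], {"RPM_BUILD_ROOT": BUILDROOT}),
    # The tutorial case the warning exists for.
    "sudo_pip_install": (0, ["install", "foo"], {}),
    "unprivileged_user": (1000, ["install", "--user", "foo"], {}),
}

def compare():
    """Return {scenario: {policy: warning_shown}} for every combination."""
    return {name: {p: fn(euid, argv, env) for p, fn in POLICIES.items()}
            for name, (euid, argv, env) in SCENARIOS.items()}

if __name__ == "__main__":
    for scenario, results in compare().items():
        warned = [p for p, shown in results.items() if shown]
        print(f"{scenario}: warning shown under {warned or 'no policy'}")
```

Options 3 and 5 both silence the macro invocation while keeping the warning for a naive pip call in a spec, but only option 5 does so without the macros setting anything.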
On Tue, 2020-07-07 at 19:54 +0200, Miro Hrončok wrote: *snip*
What do you think?
-- Miro Hrončok -- Phone: +420777974800 IRC: mhroncok
I am not really a Fedora packager but 5) seems the best option to me. Like you said, people setting --root are very likely doing it on purpose. There are also a few tools that might use --root, and I wouldn't want to add a fedora specific API in the upstream. This behavior could also be extended to --prefix.
Cheers, Filipe Laíns
On 2020-07-07 19:54, Miro Hrončok wrote:
- Add a custom --no-warn-root-privileges option
- Hide the warning when $RPM_BUILD_ROOT is set.
- Introduce an environment variable (e.g. PIP_NOWARN_ROOT)
- Introduce our warning upstream, but make it opt-in only.
- Hide the warning when --root is set.
What do you think?
I like option 5 as well. It's just a warning, not an error, because there are cases where you "know what you're doing", such as containers/VMs, where "sudo pip" may be appropriate. All uses of --root that come to my mind are such cases.
Users who follow tutorials without "knowing what they're doing" are very unlikely to use --root.
I was curious how hard it'd be to implement this and it turned out to be very simple so I've prepared a PR: https://src.fedoraproject.org/rpms/python-pip/pull-request/67
Lumír
On 7/9/20 1:48 PM, Petr Viktorin wrote:
On 2020-07-07 19:54, Miro Hrončok wrote:
- Add a custom --no-warn-root-privileges option
- Hide the warning when $RPM_BUILD_ROOT is set.
- Introduce an environment variable (e.g. PIP_NOWARN_ROOT)
- Introduce our warning upstream, but make it opt-in only.
- Hide the warning when --root is set.
What do you think?
I like option 5 as well. It's just a warning, not an error, because there are cases where you "know what you're doing", such as containers/VMs, where "sudo pip" may be appropriate. All uses of --root that come to my mind are such cases.
Users who follow tutorials without "knowing what they're doing" are very unlikely to use --root.
On 10. 07. 20 8:21, Lumir Balhar wrote:
I was curious how hard it'd be to implement this and it turned out to be very simple so I've prepared a PR: https://src.fedoraproject.org/rpms/python-pip/pull-request/67
Thank You, Lumír.
I've merged and built it.