> > I just saw this message and hurried myself up to test the patch to
> > python-build-system that I made. Unfortunately, it turns out the
> > "PYTHONNOUSERSITE=1" env var breaks pip which tries to install wheels to
> > the system site directory and fails due to a read-only filesystem.
>
> I'm not sure I follow; why would PYTHONNOUSERSITE affect pip? I thought
> it should only appear in wrappers of Python executables, not be set in a
> profile's environment (thus not affecting pip)?
Indeed. And once I make my change, PYTHONNOUSERSITE gets also placed in
the wrapper of the `pip` executable.
> Could you share the diff of the patch you tried so far?
I am attaching the patch file.
I was trying to test with:

./pre-inst-env guix shell -C --network --no-cwd python-xmldiff coreutils python-pip
pip install xmldiff==2.4
echo > ~/.local/lib/python3.10/site-packages/xmldiff/main.py
xmldiff --help
Without my patch, we get an error on the 4th line. With my patch, we get
the "Read-only file system" error on the 2nd line.
Best,
Wojtek
--
website: https://koszko.org/koszko.html
fingerprint: E972 7060 E3C5 637C 8A4F 4B42 4BC5 221C 5A79 FD1A
follow me on Fediverse: https://friendica.me/profile/koszko/profile
From 6c2cd9679d52ac4f06e91026948da5fae2c2a29c Mon Sep 17 00:00:00 2001 Message-Id: <6c2cd9679d52ac4f06e91026948da5fae2c2a29c.1688740423.git.kos...@koszko.org> From: Wojtek Kosior <[email protected]> Date: Mon, 3 Jul 2023 10:53:41 +0200 Subject: [PATCH] guix: build: python-build-system: Don't process user site dir * guix/build/python-build-system.scm (wrap): Define PYTHONNOUSERSITE for programs so they don't incorrectly pick up local, pip-installed libraries. --- guix/build/python-build-system.scm | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/guix/build/python-build-system.scm b/guix/build/python-build-system.scm index aa04664b25..bbcb861da0 100644 --- a/guix/build/python-build-system.scm +++ b/guix/build/python-build-system.scm @@ -241,12 +241,16 @@ (define* (wrap #:key inputs outputs #:allow-other-keys) (define %sh (delay (search-input-file inputs "bin/bash"))) (define (sh) (force %sh)) - (let* ((var `("GUIX_PYTHONPATH" prefix - ,(search-path-as-string->list - (or (getenv "GUIX_PYTHONPATH") ""))))) + (let* ((var-pythonpath `("GUIX_PYTHONPATH" prefix + ,(search-path-as-string->list + (or (getenv "GUIX_PYTHONPATH") "")))) + ;; Harden applications by preventing Python from automatically + ;; picking up libraries in user site directory. + (var-usersite '("PYTHONNOUSERSITE" = ("1")))) (for-each (lambda (dir) (let ((files (list-of-files dir))) - (for-each (cut wrap-program <> #:sh (sh) var) + (for-each (cut wrap-program <> #:sh (sh) + var-pythonpath var-usersite) files))) bindirs))) base-commit: 08649cfcd41bc78ba4df0609798461816dda9496 -- 2.40.1
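Review bot: `var-usersite` is handed to `wrap-program` for every file in `bindirs`, so the `pip` wrapper itself ends up with `PYTHONNOUSERSITE=1`; a pip that sees the user site as disabled no longer has a per-user install location to fall back to and targets the store's site directory instead, which is exactly the "Read-only file system" failure reported in the message above. Consider applying `var-usersite` only to packages that opt in (a keyword argument on the build system, defaulting to off, or at least skipping installer-style entry points such as `pip`), and note in the commit message that wrapped programs will no longer see `pip install --user` packages, since that is a user-visible behaviour change rather than only a hardening.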
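Added example (not from the thread or from Guix itself): it starts a child interpreter with and without PYTHONNOUSERSITE=1, the way the patched wrapper would for each wrapped program, against a constructed user-site tree under a temporary PYTHONUSERBASE (an assumed stand-in for ~/.local), and shows that the variable both keeps a user-installed package from shadowing the program's imports and makes the interpreter report the user site as disabled, which is the same state pip observes when it decides where to install.

```python
"""Constructed demonstration: what PYTHONNOUSERSITE=1 does to a fresh
interpreter.  A throwaway user-site tree is built under a temporary
PYTHONUSERBASE (an assumption standing in for ~/.local) and a constructed
package `shadowpkg` is placed there, mimicking a `pip install --user` layout."""
import os
import subprocess
import sys
import tempfile

# Script run in the child: report whether the user site is enabled, whether
# the package placed there is importable, and whether the dir is on sys.path.
PROBE = """
import site, sys
try:
    import shadowpkg; found = True
except ImportError:
    found = False
print(int(bool(site.ENABLE_USER_SITE)), int(found),
      int(site.getusersitepackages() in sys.path))
"""

def run_child(code, user_base, no_user_site=False):
    """Run CODE in a new interpreter, with or without PYTHONNOUSERSITE=1,
    the same way a Guix wrapper script sets it for the wrapped program."""
    env = dict(os.environ, PYTHONUSERBASE=user_base)
    env.pop("PYTHONNOUSERSITE", None)
    if no_user_site:
        env["PYTHONNOUSERSITE"] = "1"
    return subprocess.run([sys.executable, "-c", code], env=env,
                          capture_output=True, text=True, check=True).stdout

def probe(user_base, no_user_site):
    """Parse the child's three flags into a dict."""
    enable, found, on_path = (bool(int(x)) for x in
                              run_child(PROBE, user_base, no_user_site).split())
    return {"enable_user_site": enable, "found": found, "on_path": on_path}

def demo():
    """Return (plain, hardened) probe results for the same user-site tree."""
    with tempfile.TemporaryDirectory() as base:
        site_dir = run_child("import site; print(site.getusersitepackages())",
                             base).strip()
        os.makedirs(os.path.join(site_dir, "shadowpkg"))
        open(os.path.join(site_dir, "shadowpkg", "__init__.py"), "w").close()
        return probe(base, False), probe(base, True)

if __name__ == "__main__":
    plain, hardened = demo()
    print("without PYTHONNOUSERSITE:", plain)
    print("with PYTHONNOUSERSITE=1: ", hardened)
```

In the plain run the three flags move together (all true on a normal interpreter, all false inside a venv or when the user site is otherwise disabled); with the variable set they are always false, which is why a wrapped pip stops seeing any user site at all.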
