On 20 September 2016 at 13:58, Random832 <random...@fastmail.com> wrote:
> On Tue, Sep 20, 2016, at 07:12, אלעזר wrote:
>> Moreover, being able to do it programmatically is a security risk,
>> since it requires elevated privileges that I don't know how to drop,
>> and most people will not think about doing, but a library
>> implementation will.
> Maybe we should be thinking about why pip requires elevated privileges.

I'm not sure to what extent this was a rhetorical question, but
basically because, by default pip installs into the Python
installation directory, and if the user is running a system Python,
that directory is only modifiable by an admin.

You can use --user to make pip install into the user's site-packages.
But that's not the default, and the proposal didn't discuss supplying
any non-default options to pip. Pip could be changed to make the
default --user, but that's not happened yet (and there are some
compatibility issues holding it up). And even ignoring that, what
about *other* pip options that might be needed (for example,
specifying a proxy, or a non-default certificate store)? There's no
capability to specify them in the proposal.

Python-ideas mailing list
Code of Conduct: http://python.org/psf/codeofconduct/

Reply via email to