[issue16499] CLI option for isolated mode
R. David Murray added the comment: For the record (since it took me a while to figure it out), the changeset that this was committed in is dd0d751cc7f1. -- nosy: +r.david.murray ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue16499 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue16499] CLI option for isolated mode
Roundup Robot added the comment: New changeset 06c39789061e by Christian Heimes in branch 'default': typo, changeset dd0d751cc7f1 belongs to issue #16499 not issue #16400 http://hg.python.org/cpython/rev/06c39789061e -- nosy: +python-dev ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue16499 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue16499] CLI option for isolated mode
Changes by Christian Heimes li...@cheimes.de: -- resolution: - fixed stage: patch review - committed/rejected status: open - closed ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue16499 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue16499] CLI option for isolated mode
Christian Heimes added the comment: Nick, you have deferred PEP 432 [1]. Do you mind if I check in the isolate mode for 3.4 and help you with PEP 432 for 3.5? [1] http://www.python.org/dev/peps/pep-0432/#pep-deferral -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue16499 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue16499] CLI option for isolated mode
Nick Coghlan added the comment: Yep, sounds good to me (don't wait for PEP 432 is what I meant to imply above, but I wasn't very clear about it) -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue16499 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue16499] CLI option for isolated mode
Nick Coghlan added the comment: I've come around to the idea of having this available as an option in the default interpreter. A separate binary could then just make it the default behaviour (leaning on PEP 432 to do so), which is more shebang line friendly and allows Linux distros to better distinguish between default behaviour of Python when running user scripts and default behaviour of Python when running system applications in a way that simple symlinks can't. However, whether or not to provide such a binary (and whether or not to rewrite shebang lines in system packages to use it) would become our problem rather than an upstream problem. So +1 from me for a -I isolated mode, and I'll adjust PEP 432 as necessary to cope. -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue16499 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue16499] CLI option for isolated mode
Barry A. Warsaw added the comment: On Jul 02, 2013, at 02:12 AM, Nick Coghlan wrote: So +1 from me for a -I isolated mode, and I'll adjust PEP 432 as necessary to cope. PEP 394 is probably related to any such additional binary. -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue16499 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue16499] CLI option for isolated mode
Barry A. Warsaw added the comment: It applies cleanly, builds without noticeable problems and does what it's advertised to do. In other words, looks great to me! I say go for it. -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue16499 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue16499] CLI option for isolated mode
STINNER Victor added the comment: python -I and spython sound like two ways to get the same results. I would prefer to only have one way. -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue16499 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue16499] CLI option for isolated mode
Barry A. Warsaw added the comment: On Jun 20, 2013, at 02:26 PM, STINNER Victor wrote: python -I and spython sound like two ways to get the same results. I would prefer to only have one way. Where does spython come from? Personally, I'd much rather this be an option on the existing python executable (i.e. `python -I`) than some other command. That makes it easier to discover and promote. -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue16499 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue16499] CLI option for isolated mode
Christian Heimes added the comment: We don't have spython yet. Py_IsolatedFlag is also required if we ever going to have spython, too. We can always remove the command line flag before Python 3.4 hits beta. -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue16499 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue16499] CLI option for isolated mode
Christian Heimes added the comment: It comes from Nick and http://www.python.org/dev/peps/pep-0432/ . Once PEP 432 is in place we can easily create variants of Python binaries with special flags. I'm in favor with python -I, too. -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue16499 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue16499] CLI option for isolated mode
Nick Coghlan added the comment: CPython's startup sequence and collection of global flags are organically evolved madness, so I think adding even more complexity to them is a bad idea. When you're in a hole, the first thing to do is *stop digging*. I could use help laying the foundations for PEP 432 though - getting the separate Programs directory split out, breaking up the monstrosity that is pythonrun.c, etc. Implementing that basic refactoring in default will make it more feasible to keep the PEP branch up to date without major conflicts. On 21 Jun 2013 00:40, Christian Heimes rep...@bugs.python.org wrote: Christian Heimes added the comment: It comes from Nick and http://www.python.org/dev/peps/pep-0432/ . Once PEP 432 is in place we can easily create variants of Python binaries with special flags. I'm in favor with python -I, too. -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue16499 ___ -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue16499 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue16499] CLI option for isolated mode
Christian Heimes added the comment: I'm catching up on some old patches. What shall I do about this patch? Does anybody want to review or intervene it? -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue16499 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue16499] CLI option for isolated mode
Changes by yaccz yac@gmail.com: -- nosy: +yaccz ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue16499 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue16499] CLI option for isolated mode
Changes by STINNER Victor victor.stin...@gmail.com: -- nosy: +haypo ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue16499 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue16499] CLI option for isolated mode
Changes by Serhiy Storchaka storch...@gmail.com: -- nosy: -serhiy.storchaka ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue16499 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue16499] CLI option for isolated mode
Nick Coghlan added the comment: The system Python idea in PEP 432 is aimed at providing an alternate interpreter binary which changes the default behaviour to be appropriate for system utilities, while allowing such features to be enabled selectively. -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue16499 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue16499] CLI option for isolated mode
Changes by Andrew Svetlov andrew.svet...@gmail.com: -- nosy: +asvetlov ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue16499 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue16499] CLI option for isolated mode
Changes by Martin Dengler mar...@martindengler.com: -- nosy: +mdengler ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue16499 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue16499] CLI option for isolated mode
Changes by Nick Coghlan ncogh...@gmail.com: -- nosy: +ncoghlan ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue16499 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue16499] CLI option for isolated mode
Christian Heimes added the comment: How shall I handle venv? I'm reluctant to disable venv in site.py although it allows a user to modify sys.path. However it's only an issue under two circumstances: (1) The user either needs write permissions to the parent directory of the python executable. (2) The script doesn't hard code the path to the interpreter in its shebang. Point 1 allows the user to mess with the system in more serious ways. The second point can be avoided with a correctly written shebang line. -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue16499 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue16499] CLI option for isolated mode
Antoine Pitrou added the comment: How shall I handle venv? I'm reluctant to disable venv in site.py although it allows a user to modify sys.path. However it's only an issue under two circumstances: (1) The user either needs write permissions to the parent directory of the python executable. (2) The script doesn't hard code the path to the interpreter in its shebang. Point 1 allows the user to mess with the system in more serious ways. The second point can be avoided with a correctly written shebang line. I agree that venv shouldn't be a problem. -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue16499 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue16499] CLI option for isolated mode
Marc-Andre Lemburg added the comment: On 18.11.2012 15:30, Christian Heimes wrote: Christian Heimes added the comment: The first patch implements the arg parsing, sys.flags, PySys_SetArgv() modification that doesn't include the current directory as sys.path[0] and some doc updates. Open issue: - MAL has addressed concerns that '-I' is too similar to GCC's -I (include path) option - Is 'isolated mode' a good term to describe the feature? IMO 'restricted mode' is also a good name but it sounds too similar to PyPy's restricted python. Some other possible names: - unmodified mode (-U) - encapsulated mode (-e) - installation only mode (-I) - non-local mode (-l) Since this mode will often be used for testing Python installation and setup issues, perhaps emphasizing on the testing nature would be good... - test installation mode (-T) FWIW: Isolated and -I works for me as well. -- Marc-Andre Lemburg eGenix.com Professional Python Services directly from the Source (#1, Nov 19 2012) Python Projects, Consulting and Support ... http://www.egenix.com/ mxODBC.Zope/Plone.Database.Adapter ... http://zope.egenix.com/ mxODBC, mxDateTime, mxTextTools ...http://python.egenix.com/ ::: Try our new mxODBC.Connect Python Database Interface for free ! eGenix.com Software, Skills and Services GmbH Pastor-Loeh-Str.48 D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg Registered at Amtsgericht Duesseldorf: HRB 46611 http://www.egenix.com/company/contact/ -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue16499 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue16499] CLI option for isolated mode
Changes by Christian Heimes li...@cheimes.de: Removed file: http://bugs.python.org/file28024/isolatemode.patch ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue16499 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue16499] CLI option for isolated mode
Changes by Christian Heimes li...@cheimes.de: Removed file: http://bugs.python.org/file28036/isolatemode2.patch ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue16499 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue16499] CLI option for isolated mode
Christian Heimes added the comment: New patch with typo fixes and update for recent modification in the make_flags() function. Marc: The patch was motivated by use cases like Barry's issue with 3rd party software that accidentally messes with Python scripts like lsb_release. Your use case (testing) is valid but not the main focus here. Unmodified mode doesn't fit the bill either, Python can still import system wide packages or modifications from a venv. Apropos venv, I need to check how the option is affected by venv. -- Added file: http://bugs.python.org/file28043/isolatemode3.patch ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue16499 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue16499] CLI option for isolated mode
New submission from Christian Heimes: I like to propose a new option for the Python interpreter: python -I It shall start the interpreter in isolated mode which ignores any environment variables set by the user and any files installed by the user. The mode segregate a Python program from anything an unpriviliged user is able to modify and uses only files that are installed by a system adminstrator. The isolated mode implies -E (ignore all PYTHON* environment vars) and -s (don't add user site directory). It also refrains from the inclusion of '' or getcwd() to sys.path. TKinter doesn't load and execute Python scripts from the user's home directory. Other parts of the stdlib should be checked, too. The option is intended for OS and application scripts that doesn't want to become affected by user installed files or files in the current working path of a user. The idea is motivated by a couple of bug reports, for example: https://bugs.launchpad.net/bugs/938869 lsb_release crashed with SIGABRT in Py_FatalError() http://bugs.python.org/issue16202 sys.path[0] security issues http://bugs.python.org/issue16248 Security bug in tkinter allows for untrusted, arbitrary code execution. --- The idea has been discussed at http://mail.python.org/pipermail/python-ideas/2012-November/017766.html. -- assignee: christian.heimes messages: 175874 nosy: barry, christian.heimes, lemburg priority: normal severity: normal stage: patch review status: open title: CLI option for isolated mode type: security versions: Python 3.4 ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue16499 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue16499] CLI option for isolated mode
Christian Heimes added the comment: The first patch implements the arg parsing, sys.flags, PySys_SetArgv() modification that doesn't include the current directory as sys.path[0] and some doc updates. Open issue: - MAL has addressed concerns that '-I' is too similar to GCC's -I (include path) option - Is 'isolated mode' a good term to describe the feature? IMO 'restricted mode' is also a good name but it sounds too similar to PyPy's restricted python. -- keywords: +patch Added file: http://bugs.python.org/file28024/isolatemode.patch ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue16499 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue16499] CLI option for isolated mode
Changes by Christian Heimes li...@cheimes.de: -- components: +Interpreter Core keywords: +needs review ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue16499 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue16499] CLI option for isolated mode
Changes by Éric Araujo mer...@netwok.org: -- nosy: +eric.araujo ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue16499 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue16499] CLI option for isolated mode
Brett Cannon added the comment: I don't think we need to worry about overlapping with gcc; -B, -b, -c, -d, etc. are all used by gcc for some reason or another. -- nosy: +brett.cannon ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue16499 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue16499] CLI option for isolated mode
Antoine Pitrou added the comment: +1 from me. -I and isolated sound fine to me. The patch needs to add some tests. Also the docs need some versionadded / versionchanged markers. -- nosy: +pitrou ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue16499 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue16499] CLI option for isolated mode
Barry A. Warsaw added the comment: On Nov 18, 2012, at 05:16 PM, Antoine Pitrou wrote: Antoine Pitrou added the comment: +1 from me. -I and isolated sound fine to me. I haven't reviewed the patch yet, but based on the email discussions, I'm also +1 for the concept, option name, and terminology. -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue16499 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue16499] CLI option for isolated mode
Christian Heimes added the comment: Here is a new patch with some tests. -- Added file: http://bugs.python.org/file28036/isolatemode2.patch ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue16499 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue16499] CLI option for isolated mode
Serhiy Storchaka added the comment: -I looks as antonym to -i. This is good. See also related issue12238 and issue10496. Hint: if you refers to issue as issueXXX, you can see an issue title when hover mouse over link. -- nosy: +serhiy.storchaka ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue16499 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com