
desktop-packages team mailing list archive

[Bug 912625] Re: #!/usr/bin/env python breaks Python-based Ubuntu packages in the presence of virtualenvs, local installations

 

/usr/bin/env is a perfectly good solution for *development* branches of
packages, but very definitely not for deployed production versions of
applications, for exactly the reasons described in this bug report.
Meaning: if you are developing a Python application, by all means use
/usr/bin/env in your own code, since this will make it easier to test
against a variety of Python versions.  But packaging should always
install the application using the explicit path to the appropriate
Python executable.  I'm pretty sure distribute and setuptools do this
munging automatically.

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to gnome-applets in Ubuntu.
https://bugs.launchpad.net/bugs/912625

Title:
  #!/usr/bin/env python breaks Python-based Ubuntu packages in the
  presence of virtualenvs, local installations

Status in HP Linux Imaging and Printing:
  New
Status in “c2esp” package in Ubuntu:
  New
Status in “foo2zjs” package in Ubuntu:
  New
Status in “gconf2” package in Ubuntu:
  New
Status in “gnome-applets” package in Ubuntu:
  New
Status in “hplip” package in Ubuntu:
  Fix Released
Status in “mercurial” package in Ubuntu:
  New
Status in “pidgin” package in Ubuntu:
  New
Status in “pitivi” package in Ubuntu:
  New
Status in “pyppd” package in Ubuntu:
  New

Bug description:
  Currently (as of 11.04, and I suspect in 11.10), several packages I've
  discovered will potentially break if you have a non-system Python
  executable on your PATH, e.g. using virtualenv or a custom-built
  Python. As per the Debian Python Policy (I can't find a similarly
  thorough document for Ubuntu),

  > The preferred specification for the Python interpreter is
  /usr/bin/python or /usr/bin/pythonX.Y. This ensures that a Debian
  installation of python is used and all dependencies on additional
  python modules are met.

  > Maintainers should not override the Debian Python interpreter using
  /usr/bin/env python or /usr/bin/env pythonX.Y. This is not advisable
  as it bypasses Debian's dependency checking and makes the package
  vulnerable to incomplete local installations of python.

  I think this is reasonable, and also supported by the majority of the
  Python scripts in my /usr/bin directory.

  This also has potential security implications, i.e. someone with only
  user-level access could override the system Python in a user's
  ~/.bash_profile and install a malicious version of certain package
  dependencies.

  dwf@barricade:~$ lsb_release -rd
  Description:	Ubuntu 11.04
  Release:	11.04
  dwf@barricade:~$ grep '#!/usr/bin/env python' /usr/bin/* /usr/sbin/* |cut -d ':' -f 1|xargs dpkg -S
  gconf2: /usr/bin/gsettings-schema-convert
  mercurial-common: /usr/bin/hg-ssh
  hplip: /usr/bin/hp-align
  hplip: /usr/bin/hp-check
  hplip: /usr/bin/hp-clean
  hplip: /usr/bin/hp-colorcal
  hplip: /usr/bin/hp-firmware
  hplip: /usr/bin/hp-hpdio
  hplip: /usr/bin/hp-info
  hplip: /usr/bin/hp-levels
  hplip: /usr/bin/hp-makeuri
  hplip: /usr/bin/hp-pkservice
  hplip: /usr/bin/hp-plugin
  hplip: /usr/bin/hp-probe
  hplip: /usr/bin/hp-query
  hplip: /usr/bin/hp-scan
  hplip: /usr/bin/hp-setup
  hplip: /usr/bin/hp-testpage
  hplip: /usr/bin/hp-timedate
  hplip: /usr/bin/hp-unload
  gnome-applets: /usr/bin/invest-chart
  pitivi: /usr/bin/pitivi
  libpurple-bin: /usr/bin/purple-remote
  libpurple-bin: /usr/bin/purple-url-handler
  hplip: /usr/sbin/hpssd

  dwf@barricade:~$ grep '#!/usr/bin/env python' /usr/bin/* /usr/sbin/* |cut -d ':' -f 1 |xargs dpkg -S |cut -d':' -f 1|xargs apt-cache policy
  gconf2:
    Installed: 2.32.2-0ubuntu2
    Candidate: 2.32.2-0ubuntu2
    Version table:
   *** 2.32.2-0ubuntu2 0
          500 http://us.archive.ubuntu.com/ubuntu/ natty/main i386 Packages
          100 /var/lib/dpkg/status
  hplip:
    Installed: 3.11.1-2ubuntu2
    Candidate: 3.11.1-2ubuntu2
    Version table:
   *** 3.11.1-2ubuntu2 0
          500 http://us.archive.ubuntu.com/ubuntu/ natty/main i386 Packages
          100 /var/lib/dpkg/status
  gnome-applets:
    Installed: 2.32.1.1-0ubuntu5
    Candidate: 2.32.1.1-0ubuntu5
    Version table:
   *** 2.32.1.1-0ubuntu5 0
          500 http://us.archive.ubuntu.com/ubuntu/ natty/main i386 Packages
          100 /var/lib/dpkg/status
  libpurple-bin:
    Installed: 1:2.7.11-1ubuntu2.1
    Candidate: 1:2.7.11-1ubuntu2.1
    Version table:
   *** 1:2.7.11-1ubuntu2.1 0
          500 http://security.ubuntu.com/ubuntu/ natty-security/main i386 Packages
          100 /var/lib/dpkg/status
       1:2.7.11-1ubuntu2 0
          500 http://us.archive.ubuntu.com/ubuntu/ natty/main i386 Packages
  pitivi:
    Installed: 0.13.5-1ubuntu4
    Candidate: 0.13.5-1ubuntu4
    Version table:
   *** 0.13.5-1ubuntu4 0
          500 http://us.archive.ubuntu.com/ubuntu/ natty/main i386 Packages
          100 /var/lib/dpkg/status
  mercurial-common:
    Installed: 1.7.5-1ubuntu1
    Candidate: 1.7.5-1ubuntu1
    Version table:
   *** 1.7.5-1ubuntu1 0
          500 http://us.archive.ubuntu.com/ubuntu/ natty/universe i386 Packages
          100 /var/lib/dpkg/status

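Added example (not part of the original bug report or of any package named in it): a Python audit that, unlike the grep in the report, inspects only each script's first line, accepts spacing variants and versioned interpreter names, and can rewrite a hit to an explicit interpreter path as the comment above recommends for packaged scripts. The function names, the sample file names and the /usr/bin default prefix are assumptions, and the sample scripts are constructed.

```python
import os
import re
import tempfile

ENV_PYTHON = re.compile(rb"^#!\s*(?:/usr)?/bin/env\s+(?:-S\s+)?(python[0-9.]*)\b(.*)$")

def env_python_shebang(path):
    """Return (interpreter, args) if the first line runs Python through env
    ("#!/usr/bin/env python", "#! /usr/bin/env python2.7", "env -S python3 -u"), else None."""
    try:
        with open(path, "rb") as fh:
            first = fh.readline(256).rstrip(b"\r\n")
    except OSError:
        return None
    m = ENV_PYTHON.match(first)
    return (m.group(1).decode(), m.group(2).strip().decode()) if m else None

def audit(directories):
    """Map each offending script to the interpreter name that env would resolve through PATH."""
    hits = {}
    for d in directories:
        for path in sorted(os.path.join(d, n) for n in os.listdir(d)):
            found = env_python_shebang(path) if os.path.isfile(path) else None
            if found:
                hits[path] = found[0]
    return hits

def pin_interpreter(path, prefix="/usr/bin"):
    """Rewrite the shebang to an explicit path (prefix is an assumption); return the new line or None."""
    found = env_python_shebang(path)
    if not found:
        return None
    with open(path, "rb") as fh:
        body = fh.read().partition(b"\n")[2]   # everything after the old shebang line
    line = "#!%s/%s%s\n" % (prefix, found[0], " " + found[1] if found[1] else "")
    with open(path, "wb") as fh:               # truncates in place, so the executable bit is kept
        fh.write(line.encode() + body)
    return line

def demo():
    """Audit constructed sample scripts in a temp dir, pin the hits, then audit again."""
    samples = {"uses-env": b"#!/usr/bin/env python\nprint('x')\n", "uses-env27": b"#! /usr/bin/env python2.7\n",
               "pinned": b"#!/usr/bin/python\n", "mentions": b"#!/bin/sh\necho '#!/usr/bin/env python'\n"}
    with tempfile.TemporaryDirectory() as d:
        for name, data in samples.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        before = {os.path.basename(p): i for p, i in audit([d]).items()}
        pinned = {n: pin_interpreter(os.path.join(d, n)) for n in before}
        return before, pinned, audit([d])
```

For a read-only check of a real system, call `audit(["/usr/bin", "/usr/sbin"])`; `pin_interpreter` is meant for a package build tree, not for files already owned by dpkg.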