desktop-packages team mailing list archive
Message #63105
[Bug 912625] Re: #!/usr/bin/env python breaks Python-based Ubuntu packages in the presence of virtualenvs, local installations
/usr/bin/env is a perfectly good solution for *development* branches of
packages, but very definitely not for deployed production versions of
applications, for exactly the reasons described in this bug report.
Meaning: if you are developing a Python application, by all means use
/usr/bin/env in your own code, since this will make it easier to test
against a variety of Python versions. But packaging should always
install the application using the explicit path to the appropriate
Python executable. I'm pretty sure distribute and setuptools do this
munging automatically.
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to gnome-applets in Ubuntu.
https://bugs.launchpad.net/bugs/912625
Title:
#!/usr/bin/env python breaks Python-based Ubuntu packages in the
presence of virtualenvs, local installations
Status in HP Linux Imaging and Printing:
New
Status in “c2esp” package in Ubuntu:
New
Status in “foo2zjs” package in Ubuntu:
New
Status in “gconf2” package in Ubuntu:
New
Status in “gnome-applets” package in Ubuntu:
New
Status in “hplip” package in Ubuntu:
Fix Released
Status in “mercurial” package in Ubuntu:
New
Status in “pidgin” package in Ubuntu:
New
Status in “pitivi” package in Ubuntu:
New
Status in “pyppd” package in Ubuntu:
New
Bug description:
Currently (as of 11.04, and I suspect in 11.10), several packages I've
discovered will potentially break if you have a non-system Python
executable on your PATH, e.g. using virtualenv or a custom-built
Python. As per the Debian Python Policy (I can't find a similarly
thorough document for Ubuntu),
> The preferred specification for the Python interpreter is
> /usr/bin/python or /usr/bin/pythonX.Y. This ensures that a Debian
> installation of python is used and all dependencies on additional
> python modules are met.
> Maintainers should not override the Debian Python interpreter using
> /usr/bin/env python or /usr/bin/env pythonX.Y. This is not advisable
> as it bypasses Debian's dependency checking and makes the package
> vulnerable to incomplete local installations of python.
I think this is reasonable, and also supported by the majority of the
Python scripts in my /usr/bin directory.
This also has potential security implications, i.e. someone with only
user-level access could override the system Python in a user's
~/.bash_profile and install a malicious version of certain package
dependencies.
dwf@barricade:~$ lsb_release -rd
Description: Ubuntu 11.04
Release: 11.04
dwf@barricade:~$ grep '#!/usr/bin/env python' /usr/bin/* /usr/sbin/* |cut -d ':' -f 1|xargs dpkg -S
gconf2: /usr/bin/gsettings-schema-convert
mercurial-common: /usr/bin/hg-ssh
hplip: /usr/bin/hp-align
hplip: /usr/bin/hp-check
hplip: /usr/bin/hp-clean
hplip: /usr/bin/hp-colorcal
hplip: /usr/bin/hp-firmware
hplip: /usr/bin/hp-hpdio
hplip: /usr/bin/hp-info
hplip: /usr/bin/hp-levels
hplip: /usr/bin/hp-makeuri
hplip: /usr/bin/hp-pkservice
hplip: /usr/bin/hp-plugin
hplip: /usr/bin/hp-probe
hplip: /usr/bin/hp-query
hplip: /usr/bin/hp-scan
hplip: /usr/bin/hp-setup
hplip: /usr/bin/hp-testpage
hplip: /usr/bin/hp-timedate
hplip: /usr/bin/hp-unload
gnome-applets: /usr/bin/invest-chart
pitivi: /usr/bin/pitivi
libpurple-bin: /usr/bin/purple-remote
libpurple-bin: /usr/bin/purple-url-handler
hplip: /usr/sbin/hpssd
dwf@barricade:~$ grep '#!/usr/bin/env python' /usr/bin/* /usr/sbin/* |cut -d ':' -f 1 |xargs dpkg -S |cut -d':' -f 1|xargs apt-cache policy
gconf2:
  Installed: 2.32.2-0ubuntu2
  Candidate: 2.32.2-0ubuntu2
  Version table:
 *** 2.32.2-0ubuntu2 0
        500 http://us.archive.ubuntu.com/ubuntu/ natty/main i386 Packages
        100 /var/lib/dpkg/status
hplip:
  Installed: 3.11.1-2ubuntu2
  Candidate: 3.11.1-2ubuntu2
  Version table:
 *** 3.11.1-2ubuntu2 0
        500 http://us.archive.ubuntu.com/ubuntu/ natty/main i386 Packages
        100 /var/lib/dpkg/status
gnome-applets:
  Installed: 2.32.1.1-0ubuntu5
  Candidate: 2.32.1.1-0ubuntu5
  Version table:
 *** 2.32.1.1-0ubuntu5 0
        500 http://us.archive.ubuntu.com/ubuntu/ natty/main i386 Packages
        100 /var/lib/dpkg/status
libpurple-bin:
  Installed: 1:2.7.11-1ubuntu2.1
  Candidate: 1:2.7.11-1ubuntu2.1
  Version table:
 *** 1:2.7.11-1ubuntu2.1 0
        500 http://security.ubuntu.com/ubuntu/ natty-security/main i386 Packages
        100 /var/lib/dpkg/status
     1:2.7.11-1ubuntu2 0
        500 http://us.archive.ubuntu.com/ubuntu/ natty/main i386 Packages
pitivi:
  Installed: 0.13.5-1ubuntu4
  Candidate: 0.13.5-1ubuntu4
  Version table:
 *** 0.13.5-1ubuntu4 0
        500 http://us.archive.ubuntu.com/ubuntu/ natty/main i386 Packages
        100 /var/lib/dpkg/status
mercurial-common:
  Installed: 1.7.5-1ubuntu1
  Candidate: 1.7.5-1ubuntu1
  Version table:
 *** 1.7.5-1ubuntu1 0
        500 http://us.archive.ubuntu.com/ubuntu/ natty/universe i386 Packages
        100 /var/lib/dpkg/status
To manage notifications about this bug go to:
https://bugs.launchpad.net/hplip/+bug/912625/+subscriptions
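
Added example, not part of the original message or of any package named in it: a stricter version of the shebang audit from the bug description, plus a check of which file `env python` would pick for a given PATH. The function names and the sample files are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# audit_env_python DIR... : print "path<TAB>shebang" for every regular file
# whose FIRST line asks env to find Python on PATH. Only line 1 is inspected,
# because that is the only line the kernel treats as an interpreter line; a
# plain grep over the whole file also matches comments that mention the string.
audit_env_python() {
    for dir in "$@"; do
        for f in "$dir"/*; do
            [ -f "$f" ] && [ -r "$f" ] || continue
            # tr drops NUL bytes so compiled binaries do not trigger warnings
            first=$(head -n 1 "$f" 2>/dev/null | tr -d '\0')
            # Accepts "#!/usr/bin/env python", "#! /usr/bin/env python3",
            # "#!/usr/bin/env pythonX.Y" and env options such as -S.
            if printf '%s\n' "$first" | grep -Eq \
'^#![[:space:]]*(/usr)?/bin/env[[:space:]]+(-[^[:space:]]+[[:space:]]+)*python[0-9.]*([[:space:]]|$)'
            then
                printf '%s\t%s\n' "$f" "$first"
            fi
        done
    done
}

# env_python_target PATHVALUE : print the file that "env python" would run
# if PATH were PATHVALUE (first executable named python wins). Anything
# outside /usr/bin means the script would not run the system interpreter.
env_python_target() {
    ( PATH=$1; command -v python ) 2>/dev/null
}

# Constructed sample tree (not real package contents); prints its path.
make_sample() {
    d=$(mktemp -d)
    printf '#!/usr/bin/env python\nprint("a")\n' > "$d/uses-env"
    printf '#! /usr/bin/env python3\n'            > "$d/uses-env-spaced"
    printf '#!/usr/bin/python\n'                  > "$d/explicit"
    printf '#!/bin/sh\n# see #!/usr/bin/env python\n' > "$d/mentions-only"
    printf '%s\n' "$d"
}

# Stand-alone demo: audit the constructed tree, then the current PATH.
sample=$(make_sample)
audit_env_python "$sample"
echo "env python currently resolves to: $(env_python_target "$PATH" || echo none)"
rm -rf "$sample"
```

On a real system, pass `/usr/bin /usr/sbin` to `audit_env_python` and pipe the first column to `dpkg -S` to map hits to packages, as the report does.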