desktop-packages team mailing list archive
Message #63237
[Bug 912625] Re: #!/usr/bin/env python breaks Python-based Ubuntu packages in the presence of virtualenvs, local installations
Marc: Fair enough. I guess the same kind of hijacking I mentioned could
be accomplished in a lot of ways, including setting PYTHONPATH, so it's
probably alright.
Scott: The Debian policy reads:
> Maintainers should not override the Debian Python interpreter using
> /usr/bin/env
The word "should" is somewhat ambiguous in its level of severity, but I
would read that as a "strongly discouraged" even if not a hard and fast
"you must not do this". I would say there ought to be a really good
reason if a system-installed executable is figuring out which
interpreter to use at runtime.
> You shouldn't put a non-system python in your system's python path.
I assume you mean on your shell's PATH as the PYTHONPATH is something
different -- at any rate, this is an unworkable demand for just about
anyone who does anything resembling serious Python development. In
addition to virtualenv being a ubiquitous tool for deployment management
and environment isolation, several specialized Python distributions
exist (both commercial and FLOSS) such as Enthought Python Distribution,
ActivePython, FEMhub, Sage, etc. and isolate themselves from the system
Python (as they should).
Placing the bin directory of one of these distributions, or of a
virtualenv, on your shell's PATH (i.e. adding it to your PATH in
~/.bash_profile) should not cause random system-installed executable
scripts to start breaking, and I would very much consider it a bug in
the package that installed the executable if this does happen.
Furthermore, most of the Python scripts in /usr/bin on my machine follow
the "hard code which interpreter you want" convention, and as Barry
pointed out above, even the native Python packaging system, broken as it
is in many ways, performs this kind of munging. I would consider this a
strong case for not using #!/usr/bin/env python.
--
https://bugs.launchpad.net/bugs/912625
Title:
#!/usr/bin/env python breaks Python-based Ubuntu packages in the
presence of virtualenvs, local installations
Status in HP Linux Imaging and Printing:
New
Status in “c2esp” package in Ubuntu:
New
Status in “foo2zjs” package in Ubuntu:
New
Status in “gconf2” package in Ubuntu:
New
Status in “gnome-applets” package in Ubuntu:
New
Status in “hplip” package in Ubuntu:
Fix Released
Status in “mercurial” package in Ubuntu:
New
Status in “pidgin” package in Ubuntu:
New
Status in “pitivi” package in Ubuntu:
New
Status in “pyppd” package in Ubuntu:
New
Status in “mercurial” package in Debian:
Unknown
Bug description:
Currently (as of 11.04, and I suspect in 11.10), several packages I've
discovered will potentially break if you have a non-system Python
executable on your PATH, e.g. using virtualenv or a custom-built
Python. As per the Debian Python Policy (I can't find a similarly
thorough document for Ubuntu),
> The preferred specification for the Python interpreter is
> /usr/bin/python or /usr/bin/pythonX.Y. This ensures that a Debian
> installation of python is used and all dependencies on additional
> python modules are met.
>
> Maintainers should not override the Debian Python interpreter using
> /usr/bin/env python or /usr/bin/env pythonX.Y. This is not advisable
> as it bypasses Debian's dependency checking and makes the package
> vulnerable to incomplete local installations of python.
I think this is reasonable, and also supported by the majority of the
Python scripts in my /usr/bin directory.
This also has potential security implications, i.e. someone with only
user-level access could override the system Python in a user's
~/.bash_profile and install a malicious version of certain package
dependencies.
dwf@barricade:~$ lsb_release -rd
Description: Ubuntu 11.04
Release: 11.04
dwf@barricade:~$ grep '#!/usr/bin/env python' /usr/bin/* /usr/sbin/* |cut -d ':' -f 1|xargs dpkg -S
gconf2: /usr/bin/gsettings-schema-convert
mercurial-common: /usr/bin/hg-ssh
hplip: /usr/bin/hp-align
hplip: /usr/bin/hp-check
hplip: /usr/bin/hp-clean
hplip: /usr/bin/hp-colorcal
hplip: /usr/bin/hp-firmware
hplip: /usr/bin/hp-hpdio
hplip: /usr/bin/hp-info
hplip: /usr/bin/hp-levels
hplip: /usr/bin/hp-makeuri
hplip: /usr/bin/hp-pkservice
hplip: /usr/bin/hp-plugin
hplip: /usr/bin/hp-probe
hplip: /usr/bin/hp-query
hplip: /usr/bin/hp-scan
hplip: /usr/bin/hp-setup
hplip: /usr/bin/hp-testpage
hplip: /usr/bin/hp-timedate
hplip: /usr/bin/hp-unload
gnome-applets: /usr/bin/invest-chart
pitivi: /usr/bin/pitivi
libpurple-bin: /usr/bin/purple-remote
libpurple-bin: /usr/bin/purple-url-handler
hplip: /usr/sbin/hpssd
dwf@barricade:~$ grep '#!/usr/bin/env python' /usr/bin/* /usr/sbin/* |cut -d ':' -f 1 |xargs dpkg -S |cut -d':' -f 1|xargs apt-cache policy
gconf2:
Installed: 2.32.2-0ubuntu2
Candidate: 2.32.2-0ubuntu2
Version table:
*** 2.32.2-0ubuntu2 0
500 http://us.archive.ubuntu.com/ubuntu/ natty/main i386 Packages
100 /var/lib/dpkg/status
hplip:
Installed: 3.11.1-2ubuntu2
Candidate: 3.11.1-2ubuntu2
Version table:
*** 3.11.1-2ubuntu2 0
500 http://us.archive.ubuntu.com/ubuntu/ natty/main i386 Packages
100 /var/lib/dpkg/status
gnome-applets:
Installed: 2.32.1.1-0ubuntu5
Candidate: 2.32.1.1-0ubuntu5
Version table:
*** 2.32.1.1-0ubuntu5 0
500 http://us.archive.ubuntu.com/ubuntu/ natty/main i386 Packages
100 /var/lib/dpkg/status
libpurple-bin:
Installed: 1:2.7.11-1ubuntu2.1
Candidate: 1:2.7.11-1ubuntu2.1
Version table:
*** 1:2.7.11-1ubuntu2.1 0
500 http://security.ubuntu.com/ubuntu/ natty-security/main i386 Packages
100 /var/lib/dpkg/status
1:2.7.11-1ubuntu2 0
500 http://us.archive.ubuntu.com/ubuntu/ natty/main i386 Packages
pitivi:
Installed: 0.13.5-1ubuntu4
Candidate: 0.13.5-1ubuntu4
Version table:
*** 0.13.5-1ubuntu4 0
500 http://us.archive.ubuntu.com/ubuntu/ natty/main i386 Packages
100 /var/lib/dpkg/status
mercurial-common:
Installed: 1.7.5-1ubuntu1
Candidate: 1.7.5-1ubuntu1
Version table:
*** 1.7.5-1ubuntu1 0
500 http://us.archive.ubuntu.com/ubuntu/ natty/universe i386 Packages
100 /var/lib/dpkg/status
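An added example, not part of the original message or of any package named in the bug: a Python audit that, unlike the grep pipeline in the bug description, looks only at each file's first line and reports which interpreter `env` would select under a given PATH. The function names, the `system_dirs` parameter and the sample tree created by `build_demo` are assumptions made for illustration.

```python
import os
import shutil
import tempfile

def env_python_target(script):
    """Return 'python' or 'pythonX.Y' if the script's first line is an env-based shebang."""
    try:
        with open(script, "rb") as fh:
            first = fh.readline(256)
    except OSError:
        return None
    argv = first[2:].decode("utf-8", "replace").split() if first.startswith(b"#!") else []
    args = argv[1:] if argv and os.path.basename(argv[0]) == "env" else []
    # Skip env options (-i, -S) and VAR=value assignments to reach the command name.
    cmd = next((a for a in args if not a.startswith("-") and "=" not in a), "")
    return cmd if cmd.startswith("python") else None

def audit(script_dirs, search_path, system_dirs):
    """Return (script, resolved_interpreter, outside_system) per env-based Python script."""
    findings = []
    for d in script_dirs:
        for name in sorted(os.listdir(d)):
            script = os.path.join(d, name)
            if os.path.isfile(script) and (cmd := env_python_target(script)):
                resolved = shutil.which(cmd, path=search_path)
                # Judge by PATH directory, not realpath(): a venv python may be a symlink.
                outside = resolved is None or os.path.dirname(resolved) not in system_dirs
                findings.append((script, resolved, outside))
    return findings

def build_demo(root):  # constructed sample tree standing in for /usr/bin and a virtualenv
    sysbin, venv, scripts = (os.path.join(root, d) for d in ("sysbin", "venv/bin", "scripts"))
    files = {
        os.path.join(sysbin, "python"): "#!/bin/sh\n",
        os.path.join(venv, "python"): "#!/bin/sh\n",
        os.path.join(scripts, "tool-env"): "#!/usr/bin/env python\nprint('x')\n",
        os.path.join(scripts, "tool-abs"): "#!/usr/bin/python\nprint('x')\n",
        os.path.join(scripts, "tool-doc"): "#!/bin/sh\n# mentions #!/usr/bin/env python\n",
    }
    for path, body in files.items():
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, 0o755)
    return sysbin, venv, scripts

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        sysbin, venv, scripts = build_demo(root)
        print(*audit([scripts], venv + os.pathsep + sysbin, (sysbin,)), sep="\n")
```

On a real system, pass the directories to scan (for example `/usr/bin` and `/usr/sbin`), the PATH of the account under review, and the directories that hold the distribution's interpreters.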