Bug 1650327
Field | Value
---|---
Summary | pip can corrupt system packages
Product | Red Hat Enterprise Linux 8
Component | python-pip
Version | 8.0
Status | CLOSED DUPLICATE
Severity | unspecified
Priority | unspecified
Reporter | Carl George <carl>
Assignee | Python Maintainers <python-maint>
QA Contact | BaseOS QE - Apps <qe-baseos-apps>
CC | cstratak, cww, hhorak, jamills, jkejda, jwboyer, kwalker, mhroncok, pviktori, torsava
Target Milestone | rc
Target Release | 8.0
Hardware | Unspecified
OS | Unspecified
Doc Type | If docs needed, set a value
Story Points | ---
Type | Bug
Regression | ---
Last Closed | 2019-08-26 15:58:01 UTC
Bug Depends On | 1626408
Bug Blocks | 1623566
Description
Carl George
2018-11-15 21:01:50 UTC
The change is in https://src.fedoraproject.org/rpms/python-pip/pull-request/16

I'm still unsure whether to apply it to Fedora 28 or not, as it changes pip's behavior and hence is not backwards compatible.

As for RHEL8, I'm unsure whether I can disclose any plans or information, however rest assured that we are aware of the issue.

Also note that `sudo pip install` translates to "download stuff from the Internet and run it on my machine, as root". We can be better at limiting the damage (and, with no promises, it might be one of the things to look into after Beta). But the baseline assumption here needs to be that `sudo pip` *will* break your system. It's not something Red Hat can fully support. Please use venv if you can. (See "Third-party packages" in https://developers.redhat.com/blog/2018/11/14/python-in-rhel-8/ )

I know that. I'm not requesting this for myself. I'm asking because in the real world people do this. It breaks systems and eventually ends up wasting the time of people that know better who get called on to fix it. If RHEL8 is going to include the "Making sudo pip safe" change, it might as well be the complete solution, not just a partial solution that leads people into a false sense of safety.

Closing a public bug as a duplicate of a private bug is frustrating. Can I please be added as a CC on bug 1626408 so I can view it?

Sorry for that! I've made bug 1626408 public instead.

Thanks for making the other bug public, Petr. I can confirm this is fixed in python3-pip-9.0.3-13.el8.noarch in ubi8.
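The thread above is about the cleanup that follows a `sudo pip install`: pip writes into the RPM-managed site-packages, and rpm has no record of those files. The script below is an added example for this page, not code from the bug report, from python-pip or from Red Hat. It walks site-packages, asks `rpm -qf` who owns each file, and reports files no package owns; it also asks about each top-level directory, so an RPM-owned package tree that now contains pip-written files (the `sudo pip install --upgrade` of a system package) is flagged separately. The site-packages path `/usr/lib/python3.6/site-packages`, the package names and the sample file list used for the offline demo are assumptions made up for illustration; the `rpm` lookup is injectable so the logic runs without rpm.

```python
#!/usr/bin/env python3
"""Audit a system site-packages for files that no RPM owns.

Added example; not from the Bugzilla thread, python-pip or Red Hat.
Paths, package names and the sample data are assumed for illustration.
"""
import os
import subprocess
from collections import defaultdict
from typing import Callable, Dict, List, Optional, Tuple

# Assumed RHEL 8 system site-packages (python3.6 in RHEL 8.0).
SITE_PACKAGES = "/usr/lib/python3.6/site-packages"


def rpm_owner(path: str) -> Optional[str]:
    """Return the NEVRA of the RPM owning `path`, or None if unowned.

    `rpm -qf` exits non-zero ("file X is not owned by any package") for
    untracked paths. Keyword args are Python 3.6 compatible.
    """
    proc = subprocess.run(
        ["rpm", "-qf", path],
        stdout=subprocess.PIPE, stderr=subprocess.PIPE, universal_newlines=True,
    )
    if proc.returncode != 0:
        return None
    lines = proc.stdout.strip().splitlines()
    return lines[0] if lines else None


def walk_files(root: str) -> List[str]:
    """All regular files under root; __pycache__ is skipped as noise
    (a stray .py already flags its directory)."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != "__pycache__"]
        found.extend(os.path.join(dirpath, f) for f in filenames)
    return sorted(found)


def top_level(path: str, root: str) -> str:
    """The entry directly under site-packages that `path` belongs to
    (package dir, dist-info/egg-info dir, or a single-module .py file)."""
    return os.path.relpath(path, root).split(os.sep, 1)[0]


def audit(paths: List[str], root: str, owner: Callable[[str], Optional[str]]
          ) -> Tuple[Dict[str, List[str]], Dict[str, str]]:
    """Return (unowned, clobbered).

    unowned   : top-level entry -> files no RPM owns
    clobbered : top-level entry -> owning RPM, for entries whose directory
                is RPM-owned yet holds unowned files, i.e. `sudo pip`
                overwrote a system package in place
    """
    unowned: Dict[str, List[str]] = defaultdict(list)
    for path in paths:
        if owner(path) is None:
            unowned[top_level(path, root)].append(path)
    clobbered: Dict[str, str] = {}
    for entry in unowned:
        pkg = owner(os.path.join(root, entry))
        if pkg is not None:
            clobbered[entry] = pkg
    return dict(unowned), clobbered


# Constructed sample (made-up names) for the offline demo: what rpm would
# answer on a box where `sudo pip install --upgrade requests` and
# `sudo pip install idna` had been run.
_FAKE_OWNERS = {
    SITE_PACKAGES + "/requests": "python3-requests-2.20.0-1.el8.noarch",
    SITE_PACKAGES + "/requests/api.py": "python3-requests-2.20.0-1.el8.noarch",
    SITE_PACKAGES + "/six.py": "python3-six-1.11.0-8.el8.noarch",
}
_SAMPLE_PATHS = [
    SITE_PACKAGES + "/requests/api.py",                     # still the RPM's file
    SITE_PACKAGES + "/requests/__version__.py",             # rewritten by pip
    SITE_PACKAGES + "/requests-2.25.1.dist-info/METADATA",  # pip's metadata
    SITE_PACKAGES + "/six.py",                              # untouched RPM file
    SITE_PACKAGES + "/idna/core.py",                        # wholly pip-installed
]


def fake_owner(path: str) -> Optional[str]:
    """Stand-in for rpm_owner driven by the constructed sample."""
    return _FAKE_OWNERS.get(path)


def demo() -> Tuple[Dict[str, List[str]], Dict[str, str]]:
    """Run the audit over the constructed sample; needs no rpm."""
    return audit(_SAMPLE_PATHS, SITE_PACKAGES, fake_owner)


def main() -> None:
    """Live run against the real site-packages; needs rpm (RHEL/Fedora)."""
    unowned, clobbered = audit(walk_files(SITE_PACKAGES), SITE_PACKAGES, rpm_owner)
    for entry, files in sorted(unowned.items()):
        tag = "CLOBBERED " + clobbered[entry] if entry in clobbered else "unowned"
        print("%s: %d file(s) [%s]" % (entry, len(files), tag))


if __name__ == "__main__":
    main()
```

In the sample, `idna/` and `requests-2.25.1.dist-info/` come back as unowned, and `requests/` is reported as clobbered because the directory belongs to python3-requests while `__version__.py` inside it does not. One caveat: `rpm -qf` answers ownership, not integrity. A file that pip overwrote at exactly the path the RPM owns still reports as owned; `rpm -Va` (or `rpm -V <package>`) is the check for that case, and `dnf reinstall` of the affected packages is the usual repair once the stray files are removed.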