Bug 2014513

Summary: Fedora 35: pip-upgraded pip installs packages to /usr/lib(64)/python3.10/site-packages/
Product: [Fedora] Fedora Reporter: Miro Hrončok <mhroncok>
Component: python3.10Assignee: Miro Hrončok <mhroncok>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: rawhideCC: cstratak, lbalhar, mhroncok, python-maint, python-sig, thrnciar, torsava, vstinner
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: python3.10-3.10.1-2.fc35 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-12-29 01:29:08 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Miro Hrončok 2021-10-15 12:56:48 UTC 
Since pip 21.3, users who upgrade pip via pip will have a pip that installs packages to /usr/lib(64)/python3.10/site-packages/ instead of /usr/local/lib(64)/python3.10/site-packages/.

-----------------------------

Since Fedora 27, pip installs packages to /usr/local/lib(64)/python3.10/site-packages/ by default:

https://fedoraproject.org/wiki/Changes/Making_sudo_pip_safe

This also happens when users install/upgrade pip via pip, because our patch lives in the Python standard library and not pip.


However, pip 21.3+ uses sysconfig on Python 3.10+ instead of previously used distutils and hence users who upgrade pip to 21.3 or greater on Fedora 35 will have a pip that is no longer safe.


pip-installed pip 21.2.3:

[root@dde39f841e21 /]# pip install pello
Collecting pello
  Using cached Pello-1.0.2-py3-none-any.whl (6.0 kB)
Installing collected packages: pello
Successfully installed pello-1.0.2

[root@dde39f841e21 /]# pip uninstall pello
Found existing installation: Pello 1.0.2
Uninstalling Pello-1.0.2:
  Would remove:
    /usr/local/bin/pello_greeting
    /usr/local/lib/python3.10/site-packages/Pello-1.0.2.dist-info/*
    /usr/local/lib/python3.10/site-packages/pello/*
Proceed (Y/n)?


pip-installed pip 21.3:

[root@dde39f841e21 /]# pip install pello
Collecting pello
  Downloading Pello-1.0.2-py3-none-any.whl (6.0 kB)
Installing collected packages: pello
Successfully installed pello-1.0.2

[root@dde39f841e21 /]# pip uninstall pello
Found existing installation: Pello 1.0.2
Uninstalling Pello-1.0.2:
  Would remove:
    /usr/bin/pello_greeting
    /usr/lib/python3.10/site-packages/Pello-1.0.2.dist-info/*
    /usr/lib/python3.10/site-packages/pello/*
Proceed (Y/n)?



Note that especially users who pip-upgrade their pip are likely to brick their systems by running more sudo pip installs.




This is not a big problem on Fedora 33/34, because it only affects Python 3.10+ and system tools run on 3.9 there.

This is not an issue on Fedora 36 at all, because we have switched the patch to syscofnig: https://lists.fedoraproject.org/archives/list/python-devel@lists.fedoraproject.org/thread/AAGUFQZ4RZDU7KUN4HA43KQJCMSFR3GW/


We could do that on Feodra 35 as well, but it is not very backward compatible, so we should figure out a better solution.
Comment 1 Miro Hrončok 2021-11-09 15:18:41 UTC 
Cross-posting my attempt to allow us to tell pip to use distutils: https://github.com/pypa/pip/issues/10647
Comment 2 Tomas Orsava 2021-12-07 10:39:46 UTC 
Fedora WIP PRs:
https://src.fedoraproject.org/rpms/python3.10/pull-request/83
https://src.fedoraproject.org/rpms/python3.10/pull-request/85
Comment 3 Miro Hrončok 2021-12-13 14:16:59 UTC 
The https://src.fedoraproject.org/rpms/python3.10/pull-request/85 PR is no longer WIP.
The https://src.fedoraproject.org/rpms/python3.10/pull-request/83 PR was closed and is included in #85.
Comment 4 Fedora Update System 2021-12-20 21:52:33 UTC 
FEDORA-2021-f9dded110a has been submitted as an update to Fedora 35. https://bodhi.fedoraproject.org/updates/FEDORA-2021-f9dded110a
Comment 5 Fedora Update System 2021-12-21 01:18:55 UTC 
FEDORA-2021-f9dded110a has been pushed to the Fedora 35 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-f9dded110a`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-f9dded110a

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 6 Fedora Update System 2021-12-29 01:29:08 UTC 
FEDORA-2021-f9dded110a has been pushed to the Fedora 35 stable repository.
If problem still persists, please make note of it in this bug report.