Package: python3-pip Version: 18.1-5 Severity: important Dear Maintainer,
I spent a bit of time discovering the nature of this problem today. I have come to rely on the --root option with "pip install" (or equivalent python invocation) being a generally satisfactory way of installing packages into an alternate filesystem root, this having been tested on Red Hat's distribution offerings. When attempting to use the --root option on Debian, instead of getting a hierarchy like this... root/usr/local/... ...I get something like this: root/home/me/.local/... For example: pip3 install --root XXX biopython This produces... XXX/home/me/.local/lib/python3.7/site-packages/ At first, I thought that pip had changed its behaviour, as it often seems to, with advice strewn across the Internet rapidly becoming obsolete. But it turns out that the set_user_default.patch is actually responsible. Obviously, there is a workaround for the behaviour introduced by this patch: specifying --system or, perhaps, --no-user. But the former option is not understood by other distributions or vanilla pip, so it is non-standard and will break scripts. I guess that --no-user is meant to resolve this, although the online documentation for recent pip versions doesn't seem to mention it, and since the patch changes the behaviour of --no-user, I start to doubt if I could rely on that, either. Clearly, when specifying an installation root explicitly, the user is not likely to be looking to reproduce their "local" package hierarchy: they want to produce a genuine filesystem hierarchy, perhaps for populating chroots or virtual machines, as the option is meant to. This patch breaks this expected behaviour. One could argue that the logic featured in the patch, testing for a virtualenv or for root, is sufficient to detect whether someone is actually populating a genuine filesystem hierarchy and that one might use fakeroot as an unprivileged user to trigger the appropriate condition. While this might suit some users, there is really no reason why an arbitrary user could not populate usr/local in any given filesystem. Obstructing this makes the patch a vehicle for some rather prescriptive policy, and it also obstructs other applications that do not involve some form of virtualisation where the invoking user will be the owner of the files that are created. Please consider correcting the patch to make --root behave in a way that is consistent with other distributions and the upstream software. Working with Python packaging software is frustrating enough with the constant churn, parade of tools, and often baroque (but flawed) solutions. Having distributions (and hosting providers, on occasion) introduce additional, unexpected complications makes the use of these tools even more stressful and unpleasant. I am sorry if this report causes anyone any inconvenience or is generally not regarded as being helpful. Paul -- System Information: Debian Release: 10.10 APT prefers oldstable-updates APT policy: (500, 'oldstable-updates'), (500, 'oldstable') Architecture: amd64 (x86_64) Kernel: Linux 5.5.0-0.bpo.2-amd64 (SMP w/8 CPU cores) Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8) Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages python3-pip depends on: ii ca-certificates 20200601~deb10u2 ii python-pip-whl 18.1-5 ii python3 3.7.3-1 ii python3-distutils 3.7.3-1 Versions of packages python3-pip recommends: ii build-essential 12.6 ii python3-dev 3.7.3-1 ii python3-setuptools 40.8.0-1 ii python3-wheel 0.32.3-2 python3-pip suggests no packages. -- no debconf information

