Path: ...!news.nobody.at!news.swapon.de!fu-berlin.de!uni-berlin.de!not-for-mail
From: Left Right <olegsivokon@gmail.com>
Newsgroups: comp.lang.python
Subject: Re: Pip installs to unexpected place
Date: Thu, 17 Apr 2025 21:19:15 +0200
Lines: 21
Message-ID: <mailman.17.1744917569.3008.python-list@python.org>
References: <CAApdmf2J69WgkR159sBSkxN0=mYoNmHZYboBmpPi+LdA-YBNpg@mail.gmail.com>
 <CAN06=CxPNLHtr_sdgphR2jrN1V+WbB8wZDJdbvfEDb-MYtmPHA@mail.gmail.com>
 <bbe32f47-13d2-459c-af22-4e0e37834091@tompassin.net>
 <4ZcdYR5WnWznV1q@mail.python.org>
 <cc1c6cf5-f8b9-4528-b6b0-110499b88162@wichmann.us>
 <4Zd3YM00SYznVKQ@mail.python.org>
 <CAJQBtgmfgC5aQy_7RXwHDbsxaf1UWYY0=FNsgPPR2UzzuKfTTA@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
X-Trace: news.uni-berlin.de 2TKGEXShlwhJK0di5+0MAAgMonhNO6r3GT7Nwvkb4QxQ==
Cancel-Lock: sha1:sLsKrslVhA5CehTNLrk3ONjUBpo= sha256:GKgXby7+XIhp7ZVWt7iAg4s5kYo+nm1+HweokRFEX08=
Return-Path: <olegsivokon@gmail.com>
X-Original-To: python-list@python.org
Delivered-To: python-list@mail.python.org
Authentication-Results: mail.python.org; dkim=pass
 reason="2048-bit key; unprotected key"
 header.d=gmail.com header.i=@gmail.com header.b=If0sDW8X;
 dkim-adsp=pass; dkim-atps=neutral
X-Spam-Status: OK 0.069
X-Spam-Evidence: '*H*': 0.86; '*S*': 0.00; 'pip': 0.04; 'maintainers':
 0.07; 'cc:addr:python-list': 0.09; 'dependencies': 0.09;
 'general,': 0.09; 'pip.': 0.09; 'cc:no real name:2**0': 0.14;
 'ensures': 0.16; 'packages.': 0.16; 'reason.': 0.16; "aren't":
 0.19; 'installing': 0.19; 'cc:addr:python.org': 0.20; 'version':
 0.23; 'install': 0.23; 'installed': 0.23; 'run': 0.23; 'actual':
 0.25; 'stuff': 0.25; 'cc:2**0': 0.25; 'environment': 0.29;
 'code,': 0.31; 'packages': 0.31; 'before.': 0.31; 'default': 0.31;
 'message-id:@mail.gmail.com': 0.31; "doesn't": 0.32; 'but': 0.32;
 'there': 0.33; 'particular': 0.33; 'header:In-Reply-To:1': 0.34;
 'received:google.com': 0.34; 'package': 0.34;
 'from:addr:gmail.com': 0.34; 'track': 0.35; 'really': 0.36;
 'source': 0.36; "it's": 0.37; 'hard': 0.37; 'this,': 0.39;
 'break': 0.39; 'happen': 0.40; 'want': 0.40; 'including': 0.60;
 'between': 0.63; 'your': 0.64; 'top': 0.65; 'prevent': 0.67;
 'malicious': 0.69; 'trust': 0.71; 'formatting': 0.76;
 'subsequent': 0.76; 'damage': 0.80; 'bitcoin': 0.84; 'actors':
 0.84; 'disagree': 0.84; 'manager:': 0.84; 'system).': 0.84;
 'wheels': 0.84
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=gmail.com; s=20230601; t=1744917566; x=1745522366; darn=python.org;
 h=cc:to:subject:message-id:date:from:in-reply-to:references
 :mime-version:from:to:cc:subject:date:message-id:reply-to;
 bh=Um4GMo9VtSyRVpOuMw1ygkRAmWtE5X8eydyZmFEOeqI=;
 b=If0sDW8XCPzG5FFTYHZPNeIPq+3UPuYBr907bgeINr/Dy+tK/mc59isyAjl4INom8K
 cxg/WOmGIXOqg/TRK6O4QDCziyLMrsQiJX2SpMwa8ZUvsSPJbzo58kPTz+xq+6i6eNha
 +sQYgDh0Yr8HzNrBDT7pxXtsVHdu8MNmGQ1jEoq75nu9mNEU8OhKY/8GrVJfLAUEyfbv
 jNyrVBd70YXwlYfQyQV4hR1wdq0Du4XaplgYJgBrPegoVfdsgbvLeZuYhL/SornNZnXD
 aEahEVF5fcOnwn6diviWW2XtPFdZO4m41ASSUDrlbDWXKkXq+6PPuuBjml7tovfqtti7
 ohIA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20230601; t=1744917566; x=1745522366;
 h=cc:to:subject:message-id:date:from:in-reply-to:references
 :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id
 :reply-to;
 bh=Um4GMo9VtSyRVpOuMw1ygkRAmWtE5X8eydyZmFEOeqI=;
 b=sdEZELFxzjACqc2d9FATyw5tsq+H8oIQbNF7ZEWmN+Wr80jd44N6xKoecgehUQFLjA
 8iJmraeWms24lorziwrWUtRQCLoeTqtc8nqUnMvyklO/OXzWvOOwIW23EedoAspLQEl1
 itEn6ZCo1+72M4EQA2+bYr4cXSnQuHt0r2894wTtykbLPpEdAwzdbZowHUeDV92cV1ZC
 MIeoI7g+Y9RgpcU8KOEMGw9MBsks1HLfxmsg92c7TOEOMfknQjUPSeRIiiELf+x+/JGf
 tjqJwkBgrQjwErWFHpiCr3lGBPDFZvvzXgxunNe1nb/8vT6JK/qrg++VBOhAIHK6YSwD
 9BOQ==
X-Gm-Message-State: AOJu0YxeCvo8B/TI2xg1LWdN9PDiI7pBN2IiL8KWenIVO7/vSqzEMWIc
 ZFDeAext5m5GuQeOgx7YVEdP28/2NdQRr+em/p/0muT1dPS70H6elWNEQeIiqSJeYfeqE131/8q
 XJrzq/qHK+OvQ7Q4tbJn68p6dLvg=
X-Gm-Gg: ASbGncvbvIw8IyiDKckf0+acWd9395ZW9aVoIFzJXygVm3bkxuFVjjGrB7MYewCGF1C
 5ib2JadIH1l34CQRng0MiGFfUIHVrt8HzTwPBN0ZLfwJ2kru1TAZlWeK4SVZ5pWucijXNjD4XA3
 fJcAthtf3EcbSsX33F3QqQujk2NgEiAxEFhTMmMp1J293AJRyTZC2f
X-Google-Smtp-Source: AGHT+IETjilL0DCNdZu31+mFL64U4B/6sNLYWmQDZQXgmNWCRC19EU/L91ZKBCROMd/EBNSZunBnrzAG/zaAx4t1EiM=
X-Received: by 2002:a05:620a:3188:b0:7c5:61b2:b7c with SMTP id
 af79cd13be357-7c92805f62fmr7298085a.47.1744917566582; Thu, 17 Apr 2025
 12:19:26 -0700 (PDT)
In-Reply-To: <4Zd3YM00SYznVKQ@mail.python.org>
X-Gm-Features: ATxdqUELKQkKtzrzpbZAzwuX__1rWPGnlYEMgLDMflKnT5SXrB0XneWYygHUMVo
X-BeenThere: python-list@python.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: General discussion list for the Python programming language
 <python-list.python.org>
List-Unsubscribe: <https://mail.python.org/mailman/options/python-list>,
 <mailto:python-list-request@python.org?subject=unsubscribe>
List-Archive: <https://mail.python.org/pipermail/python-list/>
List-Post: <mailto:python-list@python.org>
List-Help: <mailto:python-list-request@python.org?subject=help>
List-Subscribe: <https://mail.python.org/mailman/listinfo/python-list>,
 <mailto:python-list-request@python.org?subject=subscribe>
X-Mailman-Original-Message-ID: <CAJQBtgmfgC5aQy_7RXwHDbsxaf1UWYY0=FNsgPPR2UzzuKfTTA@mail.gmail.com>
X-Mailman-Original-References: <CAApdmf2J69WgkR159sBSkxN0=mYoNmHZYboBmpPi+LdA-YBNpg@mail.gmail.com>
 <CAN06=CxPNLHtr_sdgphR2jrN1V+WbB8wZDJdbvfEDb-MYtmPHA@mail.gmail.com>
 <bbe32f47-13d2-459c-af22-4e0e37834091@tompassin.net>
 <4ZcdYR5WnWznV1q@mail.python.org>
 <cc1c6cf5-f8b9-4528-b6b0-110499b88162@wichmann.us>
 <4Zd3YM00SYznVKQ@mail.python.org>
Bytes: 6861

> Also... when installing stuff with pip --user, it is always a package
> that is not installed for the system (usually not even available for
> the system). How can that "break system packages"?

pip installs dependencies. Dependencies may disagree on the version
with the system packages.

This is a difference between eg. how conda works and pip. Conda is an
actual package manager: it ensures that all packages in a particular
environment agree on version requirements. pip will break your
environment in subsequent installs because it doesn't keep track of
what was installed before.

On top of this, pip may, in general, cause any amount of damage to
your system regardless of where or how you install it because by
default it's allowed to build wheels from source packages. The build
may run whatever code, including formatting hard drives, mining
bitcoin etc. The reason it doesn't happen very often is that package
maintainers kind of trust each other to be nice. There aren't really
any safeguards to prevent malicious actors from doing this, but you
would have to want to install their package for some reason.