From: Left Right <olegsivokon@gmail.com>
Newsgroups: comp.lang.python
Subject: Re: Best Practice Virtual Environment
Date: Sun, 6 Oct 2024 13:42:18 +0200
Message-ID: <mailman.6.1728411405.4695.python-list@python.org>
References: <20241005222733.fd60f7e672e849aa63c8b360@fam-goebel.de> <CAJQBtgm29Sb-ywa=ikxgVymHk5gT8pkqDyD3EcPoHXJhkv0i5Q@mail.gmail.com>

Hi.

The advice here is from a perspective of someone who does this professionally, for large, highly loaded systems.
This doesn't necessarily apply to your case / not to the full extent.

> Debian (or even Python3 itself) doesn't allow to pip install required packages system wide, so I have to use virtual environments even there. But is it right, that I have to do that for every single user?

1. Yes, you can install packages system-wide with pip, but you don't need to.
2. pip is OK to install requirements once, to figure out what they are (in dev. environment). It's bad for a production environment: it's slow, inconsistent, and insecure.

For more context: pip dependency resolution is especially slow when installing local interdependent packages. Sometimes it can take up to a minute per package.

Inconsistency comes from pip not using package checksums and signatures (by default): so, if the package being installed was updated w/o version update, to pip it's going to be the same package. Not just that, for some packages pip has to resort to building them from source, in which case nobody can guarantee the end result.

Insecurity comes from Python allowing out-of-index package downloads during install. You can distribute your package through PyPI, while its dependency will point to a random Web site in a country with very permissive laws (and, essentially, just put malware on your computer). It's impossible to properly audit such situations because the outside Web site doesn't have to provide any security guarantees.

To package anything Linux-related, use the packaging mechanism provided by the flavor of Linux you are using. In the case of Debian, use DEB. Don't use virtual environments for this (it's possible to roll the entire virtual environment into a DEB package, but that's a bad idea). The reason to do this is so that your package plays nice with other Python packages available as DEB packages. This will allow your users to use a consistent interface when dealing with installing packages, and to avoid a situation where an out-of-bound tool installed something in the same path where dpkg will try to install the same files, but coming from a legitimate package.

If you package the whole virtual environment, you might run into problems with locating native libraries linked from Python native modules. You will make it hard to audit the installation, especially when it comes to certificates, TLS etc., stuff that, preferably, should be handled in a centralized way by the OS.

Of course, countless times I've seen developers do the exact opposite of what I'm suggesting here. Also, the big actors in the industry such as Microsoft and Amazon do the exact opposite of what I suggest. I have no problem acknowledging this and still maintaining that they are wrong and I'm right :) But, you don't have to trust me!
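
An added example, not part of the original post: a small audit of a pip requirements file for the two concerns the message raises, entries that are not pinned and hashed and entries that pull from outside the index. The sample file, package lines, hash value and `example.invalid` URLs are constructed placeholders; the check assumes pip's requirements-file syntax and its per-requirement `--hash=` option.

```python
import re

# Constructed sample requirements file (placeholder hash and URLs).
SAMPLE = """\
# pinned and hashed: reproducible
requests==2.32.3 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
# version range, no hash
flask>=2.0
# pinned but no hash
idna==3.7
# direct URL reference: fetched from outside the index
internal-tool @ https://example.invalid/internal_tool-1.0.tar.gz
--extra-index-url https://example.invalid/simple
"""

# Options that add or replace the place pip downloads from.
OFF_INDEX_OPTS = ("--extra-index-url", "--index-url", "-i", "--find-links", "-f")
URL_RE = re.compile(r"(^|[\s@])(git\+|hg\+|svn\+|bzr\+)?(https?|file|ssh)://", re.I)
PIN_RE = re.compile(r"^[A-Za-z0-9._\[\],-]+\s*==\s*[^\s;*]+")

def logical_lines(text):
    """Join backslash continuations, drop comments and blank lines."""
    joined = re.sub(r"\\\n", " ", text)
    for raw in joined.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()
        if line:
            yield line

def audit(text):
    """Return (line, problem) pairs for entries that are not reproducible."""
    findings = []
    for line in logical_lines(text):
        if line.split()[0].split("=")[0] in OFF_INDEX_OPTS:
            findings.append((line, "extra package source"))
        elif line.startswith("-"):
            continue  # other global options are out of scope for this check
        elif URL_RE.search(line):
            findings.append((line, "off-index URL"))
        elif not PIN_RE.match(line):
            findings.append((line, "not pinned with =="))
        elif "--hash=" not in line:
            findings.append((line, "no --hash"))
    return findings

if __name__ == "__main__":
    for line, problem in audit(SAMPLE):
        print(f"{problem:22} {line}")
```

At install time, `pip install --require-hashes -r requirements.txt` makes pip itself refuse any requirement without a matching hash, and `--only-binary :all:` makes it refuse to build from source.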