Date: Fri, 7 Jul 2023 16:44:05 +0200
To: Maxim Cournoyer
Cc: John Kehayias, 宋文武, edk@beaver-labs.com, guix-devel@gnu.org
Subject: Re: Guix's python has pip's user dir in its loadpath
Message-ID: <20230707164405.0ce9dc4e.koszko@koszko.org>
From: Wojtek Kosior via "Development of GNU Guix and the GNU System distribution."

> > I just saw this message and hurried myself up to test the patch to
> > python-build-system that I made. Unfortunately, it turns out the
> > "PYTHONNOUSERSITE=1" env var breaks pip which tries to install wheels to
> > the system site directory and fails due to a read-only filesystem.
>
> I'm not sure I follow; why would PYTHONNOUSERSITE affect pip? I thought
> it should only appear in wrappers of Python executables, not be set in a
> profile's environment (thus not affecting pip) ?

Indeed. And once I make my change, PYTHONNOUSERSITE gets also placed in
the wrapper of the `pip` executable.

> Could you share the diff of the patch you tried so far?

I am attaching the patch file. I was trying to test with

    ./pre-inst-env guix shell -C --network --no-cwd python-xmldiff coreutils python-pip
    pip install xmldiff==2.4
    echo > ~/.local/lib/python3.10/site-packages/xmldiff/main.py
    xmldiff --help

Without my patch, we get an error on 4th line. With my patch, we get the
"Read-only file system" error on the 2nd line

Best,
Wojtek

-- (sig_start)
website: https://koszko.org/koszko.html
fingerprint: E972 7060 E3C5 637C 8A4F 4B42 4BC5 221C 5A79 FD1A
follow me on Fediverse: https://friendica.me/profile/koszko/profile

♥ R29kIGlzIHRoZXJlIGFuZCBsb3ZlcyBtZQ== | ÷ c2luIHNlcGFyYXRlZCBtZSBmcm9tIEhpbQ==
✝ YnV0IEplc3VzIGRpZWQgdG8gc2F2ZSBtZQ== | ? U2hhbGwgSSBiZWNvbWUgSGlzIGZyaWVuZD8=
-- (sig_end)

Content-Disposition: attachment; filename=0001-guix-build-python-build-system-Don-t-process-user-si.patch

From 6c2cd9679d52ac4f06e91026948da5fae2c2a29c Mon Sep 17 00:00:00 2001
Message-Id: <6c2cd9679d52ac4f06e91026948da5fae2c2a29c.1688740423.git.koszko@koszko.org>
From: Wojtek Kosior
Date: Mon, 3 Jul 2023 10:53:41 +0200
Subject: [PATCH] guix: build: python-build-system: Don't process user site dir

* guix/build/python-build-system.scm (wrap): Define PYTHONNOUSERSITE for
programs so they don't incorrectly pick up local, pip-installed libraries.
---
 guix/build/python-build-system.scm | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/guix/build/python-build-system.scm b/guix/build/python-build-s= ystem.scm index aa04664b25..bbcb861da0 100644 --- a/guix/build/python-build-system.scm +++ b/guix/build/python-build-system.scm
@@ -241,12 +241,16 @@ (define* (wrap #:key inputs outputs #:allow-other-key= s) (define %sh (delay (search-input-file inputs "bin/bash"))) (define (sh) (force %sh)) =20 - (let* ((var `("GUIX_PYTHONPATH" prefix - ,(search-path-as-string->list - (or (getenv "GUIX_PYTHONPATH") ""))))) + (let* ((var-pythonpath `("GUIX_PYTHONPATH" prefix + ,(search-path-as-string->list + (or (getenv "GUIX_PYTHONPATH") "")))) + ;; Harden applications by preventing Python from automatically + ;; picking up libraries in user site directory. + (var-usersite '("PYTHONNOUSERSITE" =3D ("1")))) (for-each (lambda (dir) (let ((files (list-of-files dir))) - (for-each (cut wrap-program <> #:sh (sh) var) + (for-each (cut wrap-program <> #:sh (sh) + var-pythonpath var-usersite) files))) bindirs))) =20 base-commit: 08649cfcd41bc78ba4df0609798461816dda9496 --=20 2.40.1
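
Review bot: The inner `for-each` now passes `var-usersite` to `wrap-program` for every file in `bindirs` with no way to opt out, so installer entry points such as `pip` get wrapped with PYTHONNOUSERSITE as well; the covering message reports exactly this, with `pip install` failing on "Read-only file system" once the patch is applied. Consider giving `wrap` a keyword argument or an exclusion list so that a package can keep the user site directory for specific executables, and have the new comment state that the `=` form pins the value to "1" whatever the caller's environment holds. Minor wording in the added comment: "in user site directory" should read "in the user site directory".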
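
The effect the message describes can be reproduced outside Guix with a throwaway user base. This is an added example, not part of the original message or of Guix; the module name `shadowdemo` and the temporary `PYTHONUSERBASE` are constructed for illustration. It starts a fresh interpreter with and without `PYTHONNOUSERSITE=1` and reports `site.ENABLE_USER_SITE` and whether a module placed in the user site directory still resolves.

```python
import os
import subprocess
import sys
import tempfile

# In a virtualenv the user site is disabled by default, so run the real base
# interpreter to reproduce what a system-wide Python does.
PYTHON = os.path.realpath(getattr(sys, "_base_executable", None) or sys.executable)

# Child program: is the user site active, and where does the constructed
# module `shadowdemo` resolve from?
PROBE = """
import importlib.util, site
spec = importlib.util.find_spec("shadowdemo")
print(site.ENABLE_USER_SITE)
print(spec.origin if spec else "not found")
"""

def run_child(code, user_base, no_user_site=False):
    """Run `code` in a fresh interpreter and return its stdout lines."""
    env = dict(os.environ)
    env.pop("PYTHONNOUSERSITE", None)
    env["PYTHONUSERBASE"] = user_base  # keep the real ~/.local out of it
    if no_user_site:
        env["PYTHONNOUSERSITE"] = "1"  # what the patched wrapper exports
    done = subprocess.run([PYTHON, "-c", code], env=env, check=True,
                          capture_output=True, text=True)
    return done.stdout.splitlines()

def demo():
    """Return {no_user_site: (ENABLE_USER_SITE, file shadowdemo came from)}."""
    with tempfile.TemporaryDirectory() as base:
        # Ask the interpreter where its user site directory is for this base.
        user_site = run_child(
            "import site; print(site.getusersitepackages())", base)[0]
        os.makedirs(user_site)
        # Constructed stand-in for a library installed into the user site.
        with open(os.path.join(user_site, "shadowdemo.py"), "w") as f:
            f.write("VALUE = 'from user site'\n")
        results = {}
        for flag in (False, True):
            enabled, origin = run_child(PROBE, base, no_user_site=flag)
            results[flag] = (enabled, os.path.basename(origin))
        return results

if __name__ == "__main__":
    for flag, (enabled, origin) in demo().items():
        print(f"PYTHONNOUSERSITE set: {flag}, ENABLE_USER_SITE: {enabled}, "
              f"shadowdemo: {origin}")
```

With the variable set the interpreter reports no user site at all, so any program running under the same wrapper, an installer included, has no user site directory to read from or install into.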