Recent disruptive changes from Setuptools

It's... a lot more complicated than this, unfortunately. First, to clarify a few things about your description:

Pip originally was happy to "put files" in *certain* OS-owned directories. Specifically, it will put them within any *Python environment*. If you tell it to install for the system environment, and give it sudo rights, it would obediently write files to (typically) `/usr/lib/pythonX.Y/site-packages`. Without sudo, it could still write to a user-specific directory; if you run the system Python as a regular user, Python can still `import` from there.

Eventually, distros realized that not only do those system-level installs cause obvious problems for the system package manager, but even a user-level install can cause problems for scripts that come with the system. This is especially problematic when you have a package manager (or interface thereto) *written in Python* that still does useful things when run without sudo. Hence https://peps.python.org/pep-0668/ (I think that's the "upstreamed patch" you have in mind).

Notably, though, this change was *entirely orthogonal* to the transition to the new PEP 517 system.

Separately, the wheel format can *only* put files *into the current Python environment* - as defined by the `sysconfig` standard library module. (By "current" I mean the one that pip is running under.) It can't ordinarily put them in /etc - or ~/.config , even though that isn't system-owned.

However, pip *can* effectively put files in those places (assuming filesystem permissions) if it installs from an sdist and builds from source - because that will request the build backend to do whatever is necessary to make a wheel, including running arbitrary Python code from the package. In the case of Setuptools, it's effectively equivalent to `setup.py install`. (At least the last I checked, pip run with sudo *will not drop permissions* when it invokes the build backend!) But this is not playing nice with either the Python ecosystem *or* with the Linux distro's package management.

----

But the comment is talking about something completely different. It's not about end users causing problems for the distro maintainer by using pip to install a third-party package. It's about the distro maintainer *trying to use* pip to *create a system* package.

They might try to do this by installing the code into a staging folder with pip, then using another tool to pack that tree into .deb or .rpm or whatever. As described above, theoretically the pip/Setuptools combination could be wrangled to write files to /path/to/staging/etc or whatever is needed, even while the Python environment is nominally rooted at /path/to/staging/usr. But it appears that this doesn't work with explicitly provided Setuptools features - you'd have to leverage the fact that you can write arbitrary code in `setup.py`, and do your own file I/O etc. And that code might not play nice with *other* packaging flows....

(Also, pip doesn't really know how to install cross-environment. It figures out installation paths based on the Python executable that's being used to run it. Newer versions have a `--python` argument to try to fix this - but it works by tracking down the other Python executable and *spawning it to re-run the pip code*.)

There's a lot of software that used `setup.py` as an entrypoint and relied on it being able to install to arbitrary locations on disk, often using it only because the software was written in Python and they felt it was natural that the build system also be in Python, despite it not needing to be.

It would also often (as the article covers) handle the testsuite but other administrative tasks, as well as "more elaborate" installation.

> The reason setup.py was able to do this is that it was just an ordinary Python script ...

Precisely.

> Is there a path forward where your setup.py script does not use setuptools (which is a Python-packaging-specific tool) but uses generic Python functionality like open("/lib/...", "w")?

Sure, that can be done - but if the software is installed via a wheel, that's not going to work, because there's no way to map extra data file locations in the wheel to real locations on the system. And none of the authors of these pieces of software relying on this functionality working ever seem to be aware of the problem.

i.e. All of it is solvable, it's just that it's a lot of work across a lot of different projects, and I don't think many of them are aware of the need to even do it. The software relying on this generally doesn't want to be installed as a wheel (it's usually "written in Python, not a library that should be imported"), they've just been piggybacking on setuptools and the setup.py entrypoint for years.

Because Python's support for "keep[ing] them in separate directories" is called a venv.

> but the warning from pip3 not to do it is pretty stern

Yes, and rightly so.

It's not magic. It's one flag.

sudo pip install --break-system-packages [...]

The problem is, now your system package manager doesn't know that you went behind its back and installed random things into /usr with a third-party tool. At best, this causes some confusion about which files are managed by the system and which are "managed" by you manually running pip. At worst, it actually does cause some system packages to break, because they were tested against version X of libfoo and you installed version Y. Pip is entirely right to tell you not to do it - it can and will break your system in unpredictable ways, hence why it is called --**break**-system-packages and not e.g. --global-install or some innocuous-sounding thing.

Pip used to work in the exact manner you describe (silently overwriting system-wide packages if invoked with appropriate privileges). It was changed because too many users were accidentally breaking their systems (as discussed at the time in https://peps.python.org/pep-0668/#motivation). So now, it will only break your system if you ask it to do so, which IMHO is a win.

Also, I know that you do have an OS package manager to break, because you would not be getting that error message if you didn't. Pip looks for a file named EXTERNALLY-MANAGED in the package directory, and that file is not distributed with upstream Python, so it can only exist if your distro put it there to indicate that pip should not touch it. In other words: Your problem is between you and your distro, and pip is just the messenger.

Here are some alternatives that are less terrible:

* pip install --user [...], which installs into a subdirectory of $HOME.
* Make a venv. A venv is not heavy or difficult to work with, although Debian users need to install python3-venv. It's literally just a directory with a copy of (or symlink to) the Python binary, plus some scripting gunk to tell Python and pip to use that directory as the installation root (instead of some directory or combination of directories under /usr/lib).
* Use your OS package manager to install the desired OS packages instead. Pip doesn't support doing this automatically, presumably because it does not want to build out integrations with APT and RPM and Pacman and... etc., as well as converting the PyPI name of a package into the name used by the OS repository. Don't ask me how Perl figured that one out, I'm not a Perl person.
* Configure Python so that it has a separate package directory under /usr/local where you can do whatever you want, without breaking the OS package manager, and then pip will not complain about system-wide installations. See https://docs.python.org/3/library/site.html and https://packaging.python.org/en/latest/specifications/ext... for how this works internally.

Python doesn't do any of the installation. The entire packaging system, and package ecosystem, is kept at arm's length from core language development.

Installers like pip can and do install packages from PyPI separately from Python packages provided by a Linux distro. Not only that, but it has separate system-level and user-level installations. The system package manager will use (typically) /usr/lib/pythonX.Y/dist-packages . When installing for the system Python, pip will use /usr/lib/pythonX.Y/site-packages when run with sudo, and ~/.local/lib/pythonX.Y/site-packages otherwise.

The reason your distro now insists on using virtual environments is because *this folder arrangement is still problematic*. What happens is that a user-installed module shadows a system-provided one that a system script is trying to use. The ~/.local packages are only visible when running that system script as the user, but *this still causes enough problems* that distros decided "just don't give sudo rights to pip" isn't enough protection.

I genuinely don't understand why "easily installing *system-wide* packages" is such a priority. But you *can* do this with venvs (with sudo of course) - for example: make a venv somewhere within /opt and install there - and if it's an "application" with a driver script, maybe even symlink it from /usr/local/bin. In fact, newer versions of pipx (https://pipx.pypa.io/stable/) wrap this exact process for applications (using a shared vendored copy of pip). I have more about this in a personal blog article here: https://zahlman.github.io/posts/2025/01/07/python-packagi...

It may help to think of the virtual environment as effectively a separate installation of Python - because it's close to that, just with symlinks to the "base" Python executable and special access to the standard library, instead of copying it all. If you get annoyed with remembering to "activate" a virtual environment, keep in mind that this actually does very little. Generally you can get by with just giving the path to the virtual environment's `python` symlink.

I work with much more perl than python too, primarily on RHEL-style machines, and I don't run CPAN as root to install system wide files, I make RPMs. perl doesn't need a python-wheel style package format because the RPM integration with the perl/CPAN ecosystem is _excellent_ and by working directly with the system-wide package database including dependency management, you don't end up with two different ecosystems with a partial dependency graph fighting each other and breaking stuff, you just use the normal RPM mechanisms for detecting and resolving conflicts. From what I can tell the provided rpmmacros to pass Makefile.PL/Build.PL cli options are comprehensive and the provided scripts reliably collect the inbound and outbound runtime dependencies using simple regex matching for /^(use|require) (.+)/ and /^package "(.+)"/ with more specific builddeps templated in by `cpanspec`. It helps a lot that there is a standard naming convention mapping perl packages to RPM package and library dependency names, eg. perl lib `Foo::Bar` is rpm `perl-Foo-Bar` and provides `perl(Foo::Bar)`. python setuptools can create an RPM but it doesn't populate it with any of the data pip uses to resolve dependencies AFAICT and the RPM build macros/scripts don't seem to have any way to parse import statements to make that list either, or an agreed upon way to map between the two systems, if there are better tools which can give RPM the same info that pip/uv have I haven't found them yet.

I don't know enough about either ecosystems native packaging metadata formats to comprehensively compare and contrast them, I don't use them I just build my in-house perl using RPM and let the built-in rpmbuild scripts handle it, but I have found building python packages for system-wide install to be more complicated, and I never found a tool as good as `cpanspec` or even `rpmbuild-newspec -t perl` such that I've pretty much given up on it and just package an entire venv as an RPM that other scripts can depend on, rather than making individual RPMs for each part of the dependency tree (for NAPALM). I don't know if it's because python and pypi is operating at a much larger scale than cpan, so you see problems more often, or if the culture around backwards compatibility is very different, but with perl I've rarely or never had an app with an incompatible shared dependency with some other system-wide installed utility, or even libraries with breaking changes over the last 10-15 years, in fact some of the code in the darkest depths of the application appears to be written in a perl4 style and still works fine, but I've definitely had to be very careful with python because it's been far more common for some library in the dependency tree to bump a new major version that is incompatible and break the app at runtime, even when building a virtualenv I sometimes have to mask library versions until other parts catch up. I've also had the case where (re)installing a python app in a venv with a version that is more than 6mo old becomes difficult unless you froze a list of exactly what versions of the entire venv library set were available at the time the app was initially released, because it's basically guaranteed that something will have made an incompatible change in that time and the app won't run until you figure out which libraries you need to pin their versions back, which is very tedious if you run an app for longer than a 6-week sprint cadence. Maybe my old perl code is just depending on stagnant unmaintained libraries, stable because they are old and unchanging, but most of what we use is in RHEL or EPEL so must still be in active use by common shipping software, and we still haven't had nearly the problems as with python, but I can't make a definitive statement as to the true reasons why.

I wouldn't mind a deeper dive comparing CPAN to PyPI and NPM to see what problems each solved differently and why, CPAN is the OG maybe they learned something about how to do library management at scale, or maybe there are language support differences which means that the same solution in one ecosystem can't be translated to the other for technical reasons, or maybe there are longstanding policy differences that preclude some family of technical solutions to these problems. I dunno and can definitely stand to learn more about it.

One of their own dependencies broke due to the change:

> In fact, this change was already known to be incompatible with the popular Requests library [...]
> The 78.0.1 patch simply removed Requests from the Setuptools integration tests

Big break-the-world changes are bad, because they cost a lot of time at once to fix and a lot of money at once to fix.

For me it is easy to make small deprecation removal changes together with the required feature development. I don't have to ask for additional time or money. It can be done during the normal development process and nobody complains.

But it is *much* harder to get time and money for doing the one big major-version-bump transition that broke the world.
For lots of projects that's basically impossible to do.

I still maintain Python 2 scripts and they will never be replaced with Python 3. Ever.
Python 2 code is even still being actively developed, because the whole ecosystem of the project is stuck at a Python 2 interpreter. And that also will not change for these projects. Ever.
Python 2 will have to die no earlier than the projects that still use it.

Please don't do this mistake with anything ever again.

I spent countless hours debugging issues caused by an error handler somewhere that did not have a correct encode/decode for one of the arguments. It was painful.

distutils specifically would just not have cut it. By the time it was removed from the standard library it was considered an unmaintainable mess that nobody really knew what to do with.

It would have been nice for Setuptools to be able to extract a "core" build system that is restricted to the part that actually implements PEP 517 (discussed in other comment threads), which could then be used separately from the part that enables workflows on the developer's machine. Flit and Hatch work this way (using flit-core and Hatchling respectively). However, a "Setuptools-core" would have to have been restricted to only handling projects that can configure everything in `setup.cfg` (and `pyproject.toml`) since `setup.py` is the same file used for implementing, for example, arbitrary new sub-commands for command-line developer use, or for setting up tests in arbitrary Python code (subsequently run with `setup.py test`).

1. People _building_ things are not supposed to be "no-clue-bies", Unfortunately https://lwn.net/Articles/1022219/, but even then people running "pip install ..." are supposed to be somewhat computer-literate.

2. Countless times, I was the very first one to stop some old build warning in a project with a _very experienced_ team. Why? Because NO ONE looks at build logs unless the build fails. And even when it fails, people try to read as little as they can. Only what they need to fix the build and carry on. So, for the sake of the 0.0001% developers who do look at build warnings, do NOT hide build warnings - ever. Of course this does not means: "spam with the build logs with a ton of garbage". But a "warning" should by definition not be garbage.

Darn.

I think these build warnings should still be shown. In fact, pip should not even try to hide the difference between building something and not building anything; why would it do that? User interface always matters but "pip install" is not something "consumers" are expected to use, it's not an iPhone that should pretend that everything is fine when some glitch happens.

Also, it's incredibly hard to deprecate anything. A very reasonable amount of "spamming" end-users can only help.

Googling error messages and warnings is the most useful ever, everyone does it all the time. Don't prevent that.

Just stop hiding stuff already. Ignoring logs is easy, everyone does it ALL THE TIME. Digging out useful warnings buried in obscure log files with unknown names or behind obscure --debug-whatever option is the most time-consuming and horrific user experience ever.

> You may also be interested in https://github.com/pypa/pip/issues/9140 .

I'm not interested because I wrote "dear Lazyweb" :-D
Also, Python packaging looks like something where you can too easily lose... mental health points. A bit disappointed for a scripted language but what do I know (not much).

OK, I read the description of 9140 and I think I agree with it. I upvoted it.

> Because being too static and unmoving is not a good characteristic in python.

Is the stdlib far harder to change than an external package? You also get the possibility of using newer {venv,pip,setuptools} with older Python releases (or older versions with newer Python in the case of regressions[1]).

The main advantage of this setup is that it allows pip to be developed by a separate team, *with a separate release cadence*, which also automatically backports the new features to all the currently-supported Python versions (all the pip team has to do is test on those versions and be conservative about using new Python features).

The downside is that this model encourages copying pip into each virtual environment separately, and considerable know-how is required to manage a single copy of pip and empower it to install cross-environment (even though it *should* be easy and even though there's really nothing about being written in Python that actually causes a problem for this). There's also generally low awareness that pip (since version 22.3) *can* install cross-environment (although it uses a pretty brutal hack for this internally).

As for Setuptools, my understanding is that PEP 517 (and to a lesser extent 518 and 621) was *explicitly* designed to solicit alternative build backends. And there was really never a good way and a good moment to extract "just a" build backend from the project.