Comment by raincole
7 hours ago
> instead of checking for what's already installed
Plenty of software comes with its own Python runtime. Even Blender uses its own Python runtime. I can name so many apps with an embedded Python runtime: Blender, Houdini, Bitwig, Substance Painter, Krita, etc. Checking for what's already installed isn't the norm. In Krita's case, it uses the installed Python to build it... and in the building process it builds another Python runtime for its own!
This app should have probably bundled the runtime instead of downloading a new one though.
> install its own vendored dependencies
> lead to both security and performance issues
npm install and pip -r theoretically have the same kind of security issue. How many projects on GitHub run this kind of command during the build process? My guess is on the order of millions.
All reasonable Linux distros will patch these stupid things to use the system interpreter.
It's not how it works. You can just install whichever Linux distro is your favorite, download Blender or Krita, and see for yourself that it uses its own Python by default.
And thankfully it's not how it works. If it were it'd break plugin ecosystems of many apps completely.
Gentoo (a lot of lines removed):
No issues with plugins
And even if the build scripts are downloading deps, having the application itself install dependencies to the user's home directory at runtime is unheard of.