disallow installing or building /

[graingert]

What's the problem this feature will solve?

I used pip install --use-pep517 file:/// and it instantly consumed the last of my disk space making my computer unusable without a reboot and carefully removing the tmp directory

Describe the solution you'd like

Prevent installing / or any other source tree containing its build destination

Alternative Solutions

Like I could just not try to do silly things like pip install /

Additional context

NA

Code of Conduct

• I agree to follow the PSF Code of Conduct.

[pfmoore]

This is fixed by --use-feature=in-tree-build which will be the default in the next pip release. The issue is because we (currently) create a copy of the source directory when building.

Solution: don't do that until pip 21.3 is released 😉

[pfmoore]

(No "Resolution: already fixed using Guido's time machine" label)

[pradyunsg]

I believe that @sbidoul has, indeed, returned the keys to the time machine.

[graingert]

I think it's still a problem with the --use-feature=in-tree-build eg stuff getting copied into the .whl although it won't be as instantly deleterious. I'll check it when I get to a machine I can try it with

[pfmoore]

At this point we're getting to the "don't pass a source tree that you haven't checked and validated to pip" situation. After all, I could just as easily write a valid setup.py that copied the whole of your hard disk into the wheel (or for that matter, to my website!)

I honestly don't feel that this line of discussion is very productive, so I'm going to drop it here.

[pradyunsg]

Closing this:

• The copying behaviour is fixed, ALA Solving issues related to out-of-tree builds #7555.
• The "setuptools will package the world" thing is what we're discussing this in With --use-pep517, file:/// and tar.gz sdists support setup.cfg only source trees, but implicit file paths do not #10531 already. Let's keep that discussion over there.