Comment # 1 on bug 1228165 from Daniel Garcia

(In reply to Matej Cepl from comment #0)
> One possible improvement would be to change our default hashbang to include
> `-s` parameter to calling our Python interpreters, so that modules in
> `$HOME` are not considered.
> 

Yes, I think we should add this to our python-rpm-macros so this will prevent
possible issues in the future. But I'm not sure if forcing this everywhere
could break some user cases, I'm thinking about python plugins installed as
user with pip, but it's a very specific user case, so we should try and maybe
provide a way to do not do that.

And about this, I think that it's a good idea to do not implement in containers
(for now), because developers are used to create containers just with the
interpreter and install everything with pip and this change will break the
typical user case for containers.

Even when it's recommended to use virtualenvs, with containers it looks like a
double sandboxing, and a lot of people won't use there, so the safer option is
to do not do this in containers, at least until it's more spread across all the
providers so everyone is used to it.

Having the externally-managed by default isn't a big issue technically, because
anyone can bypass using the "--break-system-packages" or removing the
"/usr/lib64/python3.11/EXTERNALLY-MANAGED" file manually. But I can understand
people fearing to use this option because it says that you will certainly break
your system and know it, so it's like to say that I won't ask for support if
something is wrong, even if it's exactly the same in the filesystem, the social
implication of this is big enough to consider not deliver in containers until
it's clear for everyone.

As as side note, the current "default" python container [1] in dockerhub is
based on Debian that has the externally managed file, but in this case, the
python interpreter is installed isolated from the system one, in /usr/local, so
in this case it's possible to use pip without any warning.

[1] https://hub.docker.com/_/python/