Wandering Thoughts archives


A cheatsheet for Python's pip for how I use it

To save me having to look up or try to remember the various pip arguments and usage the next time I need to do something like update the pyls Python LSP server, here is a cheatsheet for how I use pip.

First, I always use pip with a 'user' install (the --user argument), which installs things in $HOME/.local. On my machines, pip puts binaries in .local/bin and installed Python packages in .local/lib/pythonX.Y; some might appear in .local/libexec if they had compiled portions, but I'm not sure. This is also where running a setup.py with --user puts things, which is unsurprising (I install Django test versions this way).

To install something, the basic usage is 'pip install --user <package>'. Once packages are installed, I can check for what packages have updates available with 'pip list --user --outdated'. To update a package, it's 'pip install --user --upgrade <package>'. I'm not sure what happens if you leave out the --upgrade.

(Plain 'pip list --user' lists what you have installed and leaves out checking for updates.)

Now that I've looked it up, removing a package is done with 'pip uninstall <package>'. There is 'pip check' to see if all your dependencies are fine, but this has potentially confusing output because it has no '--user' argument and so apparently checks both your packages and the system installed packages; on Ubuntu, the system packages may not have dependencies that 'pip check' is happy with. Similarly, 'pip uninstall' has no --user argument and will happily try to remove system packages instead of your own packages. Also, I don't think removing packages warns you about breaking dependencies.

Really there isn't much to my pip usage and I probably don't normally need a cheatsheet. But sometimes I don't deal with this level of Python stuff for long enough that it starts dropping out of my memory.

(So far, my only use of pip is to keep python-language-server up to date, and I don't necessarily remember to check and update it on a regular basis.)

python/PipCheatsheetForMe written at 21:11:41; Add Comment

Security questions and warnings are effectively confirmation requests

Every so often, well intentioned people throw up security questions and warning messages and so on in an attempt to help people, as in the recent case of the new warning on many extensions on addons.mozilla.org. These don't work in practice, as I've written about before (for example, that asking users questions never increases security). However there is an important reason for this beyond things like users not knowing enough to make the right choice, which I want to mention explicitly and clearly for once.

To put it simply:

Security questions and warnings are a form of requesting confirmation, and people almost always say yes to that in general.

When Firefox throws up a 'this addon requests these permissions, do you agree' dialog when you install an addon, what it really asking in practice is 'do you want to install this addon?' Of course most people are going to say yes. Installing the addon is what they set out to do, so yes of course they want to do it, can you please stop asking all the time.

The one time requesting confirmation can work is when the person actually did something different from what they intended to. They wanted to delete file A, but now you're warning them that they're also deleting files B, C, and D. If they're deleting file A and you only ask them 'are you sure you want to delete file A', they're going to be annoyed with your interruption (which is why systems have mostly moved away from this sort of interface).

(Also, if you ask people these questions all the time, question fatigue sets in and people develop the reflex of saying yes without reading the questions.)

But most security questions and warnings are not telling you that you've done something different than you wanted to do. Instead they're of the 'do you really want to delete file A, are you sure' form, and so people automatically say yes, just as they automatically say yes to all of the other confirmation popups and so on that they deal with. Do you want to install this addon that asks for these permissions? Yes, that's why I I clicked on '+ Add to Firefox' button.

PS: The application of this to rewording various browser TLS warnings is left as an exercise to the reader, although such rewording would probably be somewhat controversial because it might wind up having to say things that aren't always true, like 'you have connected to something other than website <X> because the TLS certificate says this is <Y> and <Z>'.

tech/SecurityQuestionsAsConfirmation written at 00:05:35; Add Comment

Page tools: See As Normal.
Login: Password:
Atom Syndication: Recent Pages, Recent Comments.

This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.