The SC has discussed and is pleased to accept PEP 829 - Package Startup Configuration Files!
The SC is comfortable with the three-year deprecation window as proposed. However, we request the following revisions to the text before the PEP lands:
- The current abstract buries the lede a bit. The first paragraph should highlight what is materially changing: `<name>.startfiles` with `pkg.mod:callable` syntax, a three-year `.pth` import-line deprecation, and retained path-extension `.pth`.
- The security implications should be more specific. The PEP narrows one specific vector: supply-chain attacks via `exec()` of `.pth` import lines. The changes do not materially alter the broader threat model. We recommend explicitly acknowledging that the overall “malicious installed package runs code at startup” threat is unchanged. The concrete win is that the code a package intends to run becomes inspectable as a declarative entry point rather than an opaque string passed to `exec()`.
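To make the inspectability point concrete, here is an added audit example (not part of the SC post or of PEP 829) that classifies `.pth` lines the way `site.py` treats them and parses a declarative `pkg.mod:callable` entry into its parts; the one-entry-per-line `.startfiles` layout and the sample `.pth` content are assumptions of this example.

```python
import re

# site.py rule for .pth files: a line starting with "import " or "import\t"
# is passed to exec(); other non-blank, non-comment lines are path entries.
_EXEC_PREFIXES = ("import ", "import\t")

# Assumed shape of one `<name>.startfiles` entry, "pkg.mod:callable".
# The exact file grammar is an assumption of this example, not the PEP's text.
_ENTRY_RE = re.compile(
    r"^(?P<module>[A-Za-z_]\w*(?:\.[A-Za-z_]\w*)*):(?P<callable>[A-Za-z_]\w*)$"
)


def classify_pth(text):
    """Classify each .pth line as site.py would: blank, comment, exec or path."""
    result = []
    for n, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            kind = "blank"
        elif line.startswith("#"):
            kind = "comment"
        elif line.startswith(_EXEC_PREFIXES):
            kind = "exec"  # opaque string handed to exec() at startup
        else:
            kind = "path"
        result.append((n, kind, line))
    return result


def exec_lines(text):
    """Only the lines site.py would exec(): the ones an auditor wants listed."""
    return [line for _, kind, line in classify_pth(text) if kind == "exec"]


def parse_startfile_entry(entry):
    """Split 'pkg.mod:callable' into (module, callable); reject anything else.

    A dotted module path plus one identifier is all that is accepted, so the
    entry can be read and reviewed but never evaluated as code.
    """
    m = _ENTRY_RE.match(entry.strip())
    if m is None:
        raise ValueError(f"not a pkg.mod:callable entry: {entry!r}")
    return m.group("module"), m.group("callable")


# Constructed sample .pth content (hypothetical installer output).
SAMPLE_PTH = """\
# written by a hypothetical installer
some_pkg
import some_pkg._startup
"""
```

Running `exec_lines` over every `.pth` in `site-packages` lists exactly the strings the old mechanism executes, while `parse_startfile_entry` shows what a reviewer gets from the declarative form instead.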
The SC views PEP 829 as a sensible improvement to the interpreter layer, compatible with and not precluding future work in the installer and packaging standards space. We encourage contributors interested in that broader direction to consider proposing complementary standards. Accepting PEP 829 is not a statement that the interpreter layer is the end of this work.
Thank you for your work on this, Barry, and congratulations!
Edit: …and just for the record, as PEP author, Barry had no part in this decision!