tiran · July 19, 2025 10:03 · May 19, 2021 · Jan 19, 2021 · Nov 20, 2020 · Nov 20, 2020
diff --git a/python-on-debian.md b/python-on-debian.md
@@ -127,6 +127,8 @@ Debian/Ubuntu have applied downstream patches to OpenSSL. The patches have cause
 * https://bugs.python.org/issue26867
 * https://github.com/python/cpython/blob/v3.6.12/Lib/test/test_ssl.py#L133-L147
 * https://github.com/python/cpython/blob/v3.6.12/Lib/test/test_ssl.py#L149-L178
+* https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1899878
+* https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1917625
 
 
 ## lib2to3 is missing
@@ -158,6 +160,10 @@ zoneinfo._common.ZoneInfoNotFoundError: 'No time zone found with key CET'
 
 **UPDATE** My launchpad bug [1904271](https://bugs.launchpad.net/bugs/1904271) was closed as **Invalid**. Matthias wrote that ``tzdata`` is a required package and pointed to [Debian policy](https://www.debian.org/doc/debian-policy/ch-archive.html#priorities). However the package is not installed by default in the official Debian and Ubuntu container images.
 
+## New virtualenvs contain unwanted libraries
+
+Virtualenvs contain de-vendored dependencies of pip and setuptools, https://bugs.launchpad.net/ubuntu/+source/python-virtualenv/+bug/1904945
+
 # Expectations and Proposal
 
 Minimalization of Python installation is a legitimate effort. However a minimal installation of Python with core features missing should not be called a Python installation. Users should expect that ``package-manager install python3`` gets them a working Python interpreter with majority of stdlib packages (with exception to ``tkinter`` GUI and ``test`` package).

diff --git a/python-on-debian.md b/python-on-debian.md
@@ -120,7 +120,14 @@ urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certifica
 
 ## Incompatible OpenSSL downstream patch
 
-Debian/Ubuntu have applied downstream patches to OpenSSL that cause test failures in ``test_ssl``, https://bugs.python.org/issue41561.
+Debian/Ubuntu have applied downstream patches to OpenSSL. The patches have caused breakage of user applications or Python's CI tests. Examples for issues and workarounds:
+
+* https://bugs.python.org/issue41561
+* https://bugs.python.org/issue31453
+* https://bugs.python.org/issue26867
+* https://github.com/python/cpython/blob/v3.6.12/Lib/test/test_ssl.py#L133-L147
+* https://github.com/python/cpython/blob/v3.6.12/Lib/test/test_ssl.py#L149-L178
+
 
 ## lib2to3 is missing
 

diff --git a/python-on-debian.md b/python-on-debian.md
@@ -43,6 +43,8 @@ package, recreate your virtual environment.
 Failing command: ['/tmp/venv/bin/python3', '-Im', 'ensurepip', '--upgrade', '--default-pip']
 ```
 
+**Update** Julien Palard [wrote](https://gist.github.com/2dec9e03c6f901814f6d1e8dad09528e#gistcomment-3534786) that one of his students ran into another issue with ``venv``. Debian's ``venv`` can give an invalid advise when a user has multiple Python versions installed.
+
 ## ensurepip is missing
 
 The [ensurepip](https://docs.python.org/3/library/ensurepip.html) package is part of Python's standard library and provides support for bootstrapping the pip installer into an existing Python installation or virtual environment. The ``ensurepip`` package is missing on Debian/Ubuntu.

diff --git a/python-on-debian.md b/python-on-debian.md
@@ -147,6 +147,8 @@ zoneinfo._common.ZoneInfoNotFoundError: 'No time zone found with key CET'
 
 **NOTE** The issue has been fixed by Anthony Sottile in Deadsnakes PPA, see [comment](https://github.com/deadsnakes/issues/issues/144#issuecomment-726979092).
 
+**UPDATE** My launchpad bug [1904271](https://bugs.launchpad.net/bugs/1904271) was closed as **Invalid**. Matthias wrote that ``tzdata`` is a required package and pointed to [Debian policy](https://www.debian.org/doc/debian-policy/ch-archive.html#priorities). However the package is not installed by default in the official Debian and Ubuntu container images.
+
 # Expectations and Proposal
 
 Minimalization of Python installation is a legitimate effort. However a minimal installation of Python with core features missing should not be called a Python installation. Users should expect that ``package-manager install python3`` gets them a working Python interpreter with majority of stdlib packages (with exception to ``tkinter`` GUI and ``test`` package).

diff --git a/python-on-debian.md b/python-on-debian.md
@@ -128,6 +128,25 @@ The ``lib2to3`` package is moved to ``python3-lib2to3`` package, which is not in
 
 The [tkinter](https://docs.python.org/3/library/tkinter.html) package is not part of the default distribution. For once this is a good decision. ``tkinter`` depends on ``libtk`` and whole lot of X11 libraries. Graphical user interface libraries should not be installed by default on headless servers and containers. I just find it confusing that the ``tkinter`` package is provided by a ``python3-tk`` package and not by ``python3-tkinter``.
 
+## Python 3.9 is missing dependency on tzdata
+
+Paul Ganssle added a zoneinfo implementation with timezons to Python 3.9, see [PEP 615](https://www.python.org/dev/peps/pep-0615/). The feature requires ``tzdata`` database. As of 2020-11-13 Debian and Ubuntu's ``python3.9`` package are missing a dependency on the ``tzdata`` package. The ``zoneinfo`` module does not work without ``tzdata``:
+
+```
+>>> import zoneinfo
+>>> zoneinfo.available_timezones()
+set()
+>>> zoneinfo.ZoneInfo("CET")
+...
+Traceback (most recent call last):
+  File "<stdin>", line 1, in <module>
+  File "/usr/lib/python3.9/zoneinfo/_common.py", line 24, in load_tzdata
+    raise ZoneInfoNotFoundError(f"No time zone found with key {key}")
+zoneinfo._common.ZoneInfoNotFoundError: 'No time zone found with key CET'
+```
+
+**NOTE** The issue has been fixed by Anthony Sottile in Deadsnakes PPA, see [comment](https://github.com/deadsnakes/issues/issues/144#issuecomment-726979092).
+
 # Expectations and Proposal
 
 Minimalization of Python installation is a legitimate effort. However a minimal installation of Python with core features missing should not be called a Python installation. Users should expect that ``package-manager install python3`` gets them a working Python interpreter with majority of stdlib packages (with exception to ``tkinter`` GUI and ``test`` package).

diff --git a/python-on-debian.md b/python-on-debian.md
@@ -126,4 +126,15 @@ The ``lib2to3`` package is moved to ``python3-lib2to3`` package, which is not in
 
 ## tkinter is in an extra package (ok)
 
-The [tkinter](https://docs.python.org/3/library/tkinter.html) package is not part of the default distribution. For once this is a good decision. ``tkinter`` depends on ``libtk`` and whole lot of X11 libraries. Graphical user interface libraries should not be installed by default on headless servers and containers. I just find it confusing that the ``tkinter`` package is provided by a ``python3-tk`` package and not by ``python3-tkinter``.
+The [tkinter](https://docs.python.org/3/library/tkinter.html) package is not part of the default distribution. For once this is a good decision. ``tkinter`` depends on ``libtk`` and whole lot of X11 libraries. Graphical user interface libraries should not be installed by default on headless servers and containers. I just find it confusing that the ``tkinter`` package is provided by a ``python3-tk`` package and not by ``python3-tkinter``.
+
+# Expectations and Proposal
+
+Minimalization of Python installation is a legitimate effort. However a minimal installation of Python with core features missing should not be called a Python installation. Users should expect that ``package-manager install python3`` gets them a working Python interpreter with majority of stdlib packages (with exception to ``tkinter`` GUI and ``test`` package).
+
+I propose
+
+1) Debian's current minimized Python package ``python3`` should rather be called ``python3-minimal`` or something similar. This package would still users to get a stripped down interpreter if they explicitly ask for it.
+2) ``apt install python3`` should provide a Python installation with working venv, ensurepip (\*), distutils, and ssl modules.
+
+(\*) I define *working ensurepip* as ``python3 -m ensurepip`` does not fail and ``python3 -m pip`` works afterwards. It does not imply that stdlib's pip bundle must be shipped with Python distribution package. Debian could also provide an API compatible ``ensurepip`` facade and make ``python3`` package depend on ``python3-pip``.
diff --git a/python-on-debian.md b/python-on-debian.md
@@ -0,0 +1,129 @@
+# Negative Python user experience on Debian/Ubuntu
+
+The user experience of Python on a minimal Debian or Ubuntu installation is bad. Core features like virtual environments, pip bootstrapping, and the ssl module are either missing or do not work like designed and documented. Some Python core developers including me are worried and consider Debian/Ubuntu's packaging harmful for Python's reputation and branding. Users don't get what they expect.
+
+## Reproducer
+
+The problems can be easily reproduced with official Debian and Ubuntu containers in Docker or Podman. Debian Stable (Debian 10 Buster) comes with Python 3.7.3. Ubuntu Focal (20.04 LTS) has Python 3.8.5. 
+
+### Run Debian container
+
+```
+$ docker run -ti debian:stable
+```
+
+### Run Ubuntu container
+
+```
+$ docker run -ti ubuntu:focal
+```
+
+### Install Python3
+
+```
+# apt update
+# apt install python3
+```
+
+## venv is broken
+
+[venv](https://docs.python.org/3/library/venv.html) is another Python standard library module. It provides support for creating lightweight "virtual environments". The ``venv`` module is available but dysfunctional. It cannot create virtual environments out of the box.
+
+```
+# python3 -m venv /tmp/venv
+The virtual environment was not created successfully because ensurepip is not
+available.  On Debian/Ubuntu systems, you need to install the python3-venv
+package using the following command.
+
+    apt-get install python3-venv
+
+You may need to use sudo with that command.  After installing the python3-venv
+package, recreate your virtual environment.
+
+Failing command: ['/tmp/venv/bin/python3', '-Im', 'ensurepip', '--upgrade', '--default-pip']
+```
+
+## ensurepip is missing
+
+The [ensurepip](https://docs.python.org/3/library/ensurepip.html) package is part of Python's standard library and provides support for bootstrapping the pip installer into an existing Python installation or virtual environment. The ``ensurepip`` package is missing on Debian/Ubuntu.
+
+```
+# python3 -m ensurepip
+/usr/bin/python3: No module named ensurepip
+# pip
+bash: pip: command not found
+```
+
+After installation of ``python3-venv``, the ``ensurepip`` package is failing with a different error message:
+
+```
+# python3 -m ensurepip
+ensurepip is disabled in Debian/Ubuntu for the system python.
+
+Python modules for the system python are usually handled by dpkg and apt-get.
+
+    apt-get install python-<module name>
+
+Install the python-pip package to use pip itself.  Using pip together
+with the system python might have unexpected results for any system installed
+module, so use it on your own risk, or make sure to only use it in virtual
+environments.
+# echo $?
+1
+```
+
+## distutils is stripped down and missing most code
+
+The ``distutils`` package is mostly missing. Only the package root and ``distutils.version`` is available. The remaining code has been moved to ``python3-distutils`` by Debian/Ubuntu packagers. The ``python3-distutils`` is not installed with ``python3`` and must be installed separately.
+
+```
+# python3
+Python 3.7.3 (default, Jul 25 2020, 13:03:44)  
+[GCC 8.3.0] on linux
+Type "help", "copyright", "credits" or "license" for more information.
+>>> import distutils
+>>> from distutils import sysconfig
+Traceback (most recent call last):
+ File "<stdin>", line 1, in <module>
+ImportError: cannot import name 'sysconfig' from 'distutils' (/usr/lib/python3.7/distutils/__init__.py)
+```
+
+## ssl module cannot verify connections
+
+A minimal installation has no CA certificates because neither the ``python3`` package nor OpenSSL libraries depend on ``ca-certificates``.
+
+* Debian bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=960869
+* Ubuntu bug: https://bugs.launchpad.net/ubuntu/+source/python3.6/+bug/1879310
+
+```
+>>> import urllib.request
+>>> urllib.request.urlopen("https://pypi.org/")
+Traceback (most recent call last):
+ ...
+ File "<stdin>", line 1, in <module>
+ File "/usr/lib/python3.7/urllib/request.py", line 222, in urlopen
+   return opener.open(url, data, timeout)
+ File "/usr/lib/python3.7/urllib/request.py", line 525, in open
+   response = self._open(req, data)
+ File "/usr/lib/python3.7/urllib/request.py", line 543, in _open
+   '_open', req)
+ File "/usr/lib/python3.7/urllib/request.py", line 503, in _call_chain
+   result = func(*args)
+ File "/usr/lib/python3.7/urllib/request.py", line 1367, in https_open
+   context=self._context, check_hostname=self._check_hostname)
+ File "/usr/lib/python3.7/urllib/request.py", line 1326, in do_open
+   raise URLError(err)
+urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1056)>
+```
+
+## Incompatible OpenSSL downstream patch
+
+Debian/Ubuntu have applied downstream patches to OpenSSL that cause test failures in ``test_ssl``, https://bugs.python.org/issue41561.
+
+## lib2to3 is missing
+
+The ``lib2to3`` package is moved to ``python3-lib2to3`` package, which is not installed by default.
+
+## tkinter is in an extra package (ok)
+
+The [tkinter](https://docs.python.org/3/library/tkinter.html) package is not part of the default distribution. For once this is a good decision. ``tkinter`` depends on ``libtk`` and whole lot of X11 libraries. Graphical user interface libraries should not be installed by default on headless servers and containers. I just find it confusing that the ``tkinter`` package is provided by a ``python3-tk`` package and not by ``python3-tkinter``.