• Eager Eagle
    32 days ago

    You still have the option to choose not to use a venv and risk breaking your user space.

    The changes make this harder to do by accident by encouraging use of a venv. Part of the problem is that pip install --user is not exactly in the user space and may in fact break system packages, and as you wrote, the user shouldn’t be able to inadvertently change the OS.

    • @[email protected]
      11 days ago

      Makes more sense and I agree, especially with the apparent ease of pip install --user. But there should be no barriers when the root user is used with pip install --system.

    • @[email protected]
      2 days ago

      So the problem here is that you can inject code into a system python process because they run with the user’s python install location on their path.

      They’ve fixed the wrong “root cause”.
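An audit sketch for the path behaviour discussed in this thread, added here as an example and not written by any of the commenters: it lists top-level names in the user site directory that also exist in the system package directories, since the user site is placed ahead of them on `sys.path`. The function names and the temporary directory layout in `demo()` are constructed for illustration.

```python
import os
import site
import sys
import tempfile

def top_level_names(directory):
    """Importable top-level names (packages and modules) found in a directory."""
    names = set()
    if not os.path.isdir(directory):
        return names
    for entry in os.listdir(directory):
        path = os.path.join(directory, entry)
        if os.path.isdir(path) and os.path.isfile(os.path.join(path, "__init__.py")):
            names.add(entry)
        elif entry.endswith(".py") and os.path.isfile(path):
            names.add(entry[:-3])
    return names

def shadowed_by_user_site(user_dir, system_dirs):
    """Names present in both the user site and a system directory, sorted."""
    system = set()
    for d in system_dirs:
        system |= top_level_names(d)
    return sorted(top_level_names(user_dir) & system)

def audit_current_interpreter():
    """Report whether this interpreter honours the user site, and what it shadows."""
    user_dir = site.getusersitepackages()
    return {
        "user_site_enabled": bool(site.ENABLE_USER_SITE),
        "user_site_on_path": user_dir in sys.path,
        "shadowed": shadowed_by_user_site(user_dir, site.getsitepackages()),
    }

def demo():
    """Constructed layout: 'requests' is in both trees, 'mytool' only in the user site."""
    with tempfile.TemporaryDirectory() as root:
        user = os.path.join(root, "user-site")
        system = os.path.join(root, "dist-packages")
        for base, pkgs in ((user, ["requests", "mytool"]), (system, ["requests", "apt_pkg"])):
            for pkg in pkgs:
                os.makedirs(os.path.join(base, pkg))
                open(os.path.join(base, pkg, "__init__.py"), "w").close()
        return shadowed_by_user_site(user, [system])

if __name__ == "__main__":
    print(demo())
    print(audit_current_interpreter())
```

Starting the interpreter with `-s` or `-I`, or setting `PYTHONNOUSERSITE`, keeps the user site off `sys.path` for that process.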