Skip to content

Commit b4269b2

Browse files
warsawJelleZijlstra
warsaw
and
JelleZijlstra
authored
PEP 829: Accepted (#4937)
* Accepted Also, updates based on SC acceptance feedback Jelle's suggested clarification of the deprecation process Co-authored-by: Jelle Zijlstra <jelle.zijlstra@gmail.com>
1 parent b167bc8 commit b4269b2

1 file changed

Lines changed: 30 additions & 21 deletions

File tree

peps/pep-0829.rst

Lines changed: 30 additions & 21 deletions
Original file line numberDiff line numberDiff line change
@@ -2,14 +2,15 @@ PEP: 829
22
Title: Package Startup Configuration Files
33
Author: Barry Warsaw <barry@python.org>
44
Discussions-To: https://discuss.python.org/t/pep-829-structured-startup-configuration-via-site-toml-files/106789
5-
Status: Draft
5+
Status: Accepted
66
Type: Standards Track
77
Created: 31-Mar-2026
88
Python-Version: 3.15
99
Post-History:
1010
`01-Apr-2026 <https://discuss.python.org/t/pep-829-structured-startup-configuration-files/106789>`__,
1111
`13-Apr-2026 <https://discuss.python.org/t/pep-829-structured-startup-configuration-files/106789/69>`__,
1212
`15-Apr-2026 <https://discuss.python.org/t/pep-829-structured-startup-configuration-files/106789/99>`__
13+
Resolution: `24-Apr-2026 <https://discuss.python.org/t/pep-829-structured-startup-configuration-files/106789/112>`__
1314

1415

1516
Abstract
@@ -21,18 +22,25 @@ Previously controlled through legacy ``.pth`` files parsed and executed by the
2122
``sys.path`` and execute package initialization code before control is passed
2223
to the first line of user code.
2324

24-
``.pth`` files in their historical form have a `long history
25-
<https://github.com/python/cpython/issues/78125>`_ of proposed removal,
26-
primarily because of the obtuse nature of the arbitrary code execution
27-
feature. Recent `supply chain attacks
28-
<https://securitylabs.datadoghq.com/articles/litellm-compromised-pypi-teampcp-supply-chain-campaign/>`_
29-
have used arbitrary code execution in ``.pth`` files as an attack vector.
25+
This PEP proposes:
3026

31-
This PEP doesn't completely close this vector, but it does propose an
32-
important and useful improvement, by narrowing the attack surface and enabling
33-
a future policy mechanism for controlling which packages are allowed or
34-
prevented from extending the path and executing start up code. See
35-
:ref:`security` for additional discussion.
27+
* Replacing ``import`` lines in ``.pth`` files with entry point specifications
28+
(i.e. ``pkg.mod:callable``) in ``.start`` files.
29+
* The presence of a matching ``.start`` file disables ``import`` line
30+
processing in the matched ``.pth`` file.
31+
* The ``sys.path`` extension functionality of ``.pth`` files is retained.
32+
33+
Support for ``import`` lines in ``.pth`` files will be gradually removed:
34+
35+
* For the first three years (expected to be Python 3.15, 3.16, and 3.17)
36+
``import`` line processing in ``.pth`` files will remain, *except* in the
37+
presence of a matching ``.start`` file.
38+
39+
* For the next two years (expected to be Python 3.18 and 3.19), ``import``
40+
lines in ``.pth`` files will be silently ignored.
41+
42+
* Afterwards (expected to be Python 3.20 and higher), a warning will be
43+
produced for the existence of ``import`` lines in ``.pth`` files.
3644

3745

3846
Motivation
@@ -316,20 +324,21 @@ utilize the ``import`` line arbitrary code execution feature of current
316324
importable module inside the package, and then name this callable in an entry
317325
point specification inside a ``<name>.start`` file.
318326

327+
319328
.. _security:
320329

321330
Security Implications
322331
=====================
323332

324-
This PEP improves the security posture of interpreter startup.
333+
This PEP makes it easier to audit code execution paths during interpreter startup.
325334

326-
* The removal of arbitrary code execution by :func:`exec` with entry point
327-
execution, which is more constrained and auditable.
328-
329-
* Splitting ``sys.path`` extensioni from code execution into two separate
335+
* Splitting ``sys.path`` extension from code execution into two separate
330336
files means that you can tell by listing the files in the site-dir, exactly
331337
where arbitrary code execution occurs.
332338

339+
* The removal of arbitrary code execution by :func:`exec` with entry point
340+
execution, which is more constrained and auditable.
341+
333342
* Python's import system is used to access and run the entry points, so the
334343
standard audit hooks (:pep:`578`) can provide monitoring.
335344

@@ -339,10 +348,10 @@ This PEP improves the security posture of interpreter startup.
339348
* The ``package.module:callable`` syntax limits execution to callables within
340349
importable modules.
341350

342-
The overall attack surface is not eliminated -- a malicious package can still
343-
cause arbitrary code execution via entry points, but the mechanism proposed in
344-
this PEP is more structured, auditable, and amenable to future policy
345-
controls.
351+
The overall pre-start code execution attack surface is not eliminated by this
352+
PEP. A malicious package can still cause arbitrary code execution via entry
353+
points, but the mechanism proposed in this PEP is more structured, auditable,
354+
and amenable to future policy controls.
346355

347356

348357
.. _teach:

0 commit comments

Comments
 (0)