Install as user from git with pip install --user -e . does not work

[boeddeker]

Description

pip does not work well together with pyproject.toml and a --user flag.
This is a common problem across several python projects and I got the impression, that the pip package won't fix it.
Is it possible, that you fix it in your setup.py?

PIP issue: pypa/pip#7953

Fix from another package: https://github.com/fgnt/paderbox/pull/58/files

Reproduce

Note: I have no write permissions to the python installation, but with the --user flag it should not be necessary.

$ git clone git@github.com:jupyter-widgets/ipywidgets.git
$ cd ipywidgets/python/ipywidgets
$ pip install --user -e .
...
    ERROR: Command errored out with exit status 1:
...
        [Errno 13] Permission denied: '/net/software/python/2020_06/anaconda/lib/python3.7/site-packages/test-easy-install-24772.write-test'
...

Expected behavior

No error message.

[jasongrout]

Thanks for pointing this out.

I don't think we should be setting ENABLE_USER_SITE ourselves, like in the workaround you linked above. It has specific security meanings, for example: https://docs.python.org/3/library/site.html#site.ENABLE_USER_SITE

From the discussion over there, another workaround is pip install --prefix=~/.local -e (where ~/.local is the --user site directory)

[boeddeker]

I don't get it, why it has security meanings. In python, there are several workarounds.
In this situation, the user can simply add my suggested workaround to the setup.py file.

So the security here is, that the user has no idea what he/she is doing and gets an error.

I care more about usability and wasting time of someone that wants to use a package:
Getting unnecessary errors is annoying and even more, when the error message does
not tell what went wrong. I personally like, that in python most of the time, things just work.

From the discussion over there, another workaround is pip install --prefix=~/.local -e (where ~/.local is the --user site directory)

I think the right user site workaround would be pip install --prefix=$(python -m site --user-base) -e ..
But I opened this issue in the hope, that in the future no other user of ipywidgets will see this error.

[jasongrout]

I don't get it, why it has security meanings.

From the docs I linked above:

False means that it was disabled by user request (with -s or PYTHONNOUSERSITE). None means it was disabled for security reasons (mismatch between user or group id and effective id) or by an administrator.

My concern is overriding a system value that has ramifications throughout Python, and may have been set for specific security reasons, to work around what seems to be a pip bug.

Thanks for the more correct user site workaround. I think that should go into the contributor docs, at the very least.

[jasongrout]

This install workaround is documented in #3360.