PEP 829: A few last DPO thread updates (#4911)

warsaw · web-flow · commit 3956ef9c6287 · 2026-04-14T19:58:25.000-07:00
diff --git a/peps/pep-0829.rst b/peps/pep-0829.rst
@@ -30,7 +30,8 @@ have used arbitrary code execution in ``.pth`` files as an attack vector.
 This PEP doesn't completely close this vector, but it does propose an
 important and useful improvement, by narrowing the attack surface and enabling
 a future policy mechanism for controlling which packages are allowed or
-prevented from extending the path and executing start up code.
+prevented from extending the path and executing start up code.  See
+:ref:`security` for additional discussion.
 
 
 Motivation
@@ -90,10 +91,12 @@ This PEP proposes the following:
 
   During the deprecation period, for any ``<name>.pth`` file without a
   matching ``<name>.start`` file, the processing of the former is unchanged,
-  although a warning about ``import`` lines is issued.  After the deprecation
-  period ``import`` lines in ``<name>.pth`` files are ignored and a warning is
-  issued, regardless of whether there is a matching ``<name>.start`` file or
-  not.
+  although a warning about ``import`` lines is issued when ``-v`` (verbose)
+  flag is given to Python.
+
+  After the deprecation period ``import`` lines in ``<name>.pth`` files are
+  ignored and a warning is issued, regardless of whether there is a matching
+  ``<name>.start`` file or not.
 
   See the :ref:`teach` section for specific migration guidelines.
 
@@ -113,6 +116,10 @@ both files.
    all path extensions, preserving order file-by-file and then by entry
    appearance. Duplicates are ignored.
 
+#. During the deprecation period, collect ``import`` lines found from
+   ``<name>.pth`` files.  Processing of these lines is deferred until after
+   ``<name>.start`` file scanning.
+
 #. *Future extension:* apply a :ref:`global policy filter <future>` on the
    list of path extensions.
 
@@ -121,6 +128,10 @@ both files.
 #. List all ``<name>.start`` files (see :ref:`discovery` for additional
    details) and sort them in alphabetical order by filename.
 
+   For any ``<name>.start`` that matches a previously scanned ``<name>.pth``
+   file, discard all ``import`` lines from those matched ``<name>.pth`` files.
+   See the :ref:`teach` section for more details and rationale.
+
 #. Parse the ``<name>.start`` files in sorted order, keeping a global list of
    all entry points, preserving order file-by-file and then by entry
    appearance.  Duplicates are :ref:`not ignored <duplicate-eps>`.
@@ -290,6 +301,7 @@ utilize the ``import`` line arbitrary code execution feature of current
 importable module inside the package, and then name this callable in an entry
 point specification inside a ``<name>.start`` file.
 
+.. _security:
 
 Security Implications
 =====================
@@ -299,6 +311,10 @@ This PEP improves the security posture of interpreter startup.
 * The removal of arbitrary code execution by :func:`exec` with entry point
   execution, which is more constrained and auditable.
 
+* Splitting ``sys.path`` extensioni from code execution into two separate
+  files means that you can tell by listing the files in the site-dir, exactly
+  where arbitrary code execution occurs.
+
 * Python's import system is used to access and run the entry points, so the
   standard audit hooks (:pep:`578`) can provide monitoring.
 
@@ -414,6 +430,14 @@ Open Issues
 Change History
 ==============
 
+``TBD``
+
+* During the deprecation period, warnings about ``import`` lines in
+  ``<name>.pth`` files with no matching ``<name>.start`` file are only issued
+  when ``-v`` (verbose) is given.
+* Clarify that ``import`` lines in ``<name>.pth`` files where there is a
+  matching ``<name>.start`` file are ignored.
+
 `13-Apr-2026 <https://discuss.python.org/t/pep-829-structured-startup-configuration-files/106789/69>`__
 
 * Changed the PEP title.
