Package: virtualenv
Version: 15.1.0+ds-1
Severity: normal

Dear Maintainer,

The man page for virtualenv does not mention the --no-download option, and does not indicate that the program's default behavior - i.e., upon invoking 'virtualenv foo' - is to automatically download and install code from the Internet. (Whether or not virtualenv per se actually executes any of that code, I'm not sure.)

This default behavior is a bad idea, to begin with...

- there's no guarantee that the code downloaded is free software
- there's no guarantee that the code downloaded won't change its behavior from one day to the next
- there isn't even any authentication of the code's authorship, beyond verifying the TLS certificate of 'pypi.python.org'

...which of course are also problems with many typical uses of pip, but in that case the user is at least arguably making a deliberate choice.

This is a major change in behavior, compared to the behavior of virtualenv in jessie; and it's one that violates (at least) my expectations as a Debian user. That said, I'm sure some people would say that this is exactly what virtualenv is "supposed" to do.

At a minimum, this behavior should be documented, along with the option needed to obtain the old sane behavior.

-- System Information:
Debian Release: 9.5
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'stable-updates'), (500, 'stable-debug')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-8-amd64 (SMP w/40 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages virtualenv depends on:
ii  python3             3.5.3-1
ii  python3-virtualenv  15.1.0+ds-1

virtualenv recommends no packages.

virtualenv suggests no packages.

-- debconf-show failed