Real script directory leaks to `sys.path` and breaks hermeticity.

[zhe-tao]

Problem

In short, we (in the end) run a script with the command

bazel_python/pywrapper.sh

Line 13 in 538f6cf

python $@

But python prepends the real script directory to sys.path:

python script.py command line: prepend the script’s directory. If it’s a symbolic link, resolve symbolic links.

which exposes many local files and overrides runfiles, especially when the script is under the workspace root.

Solution

I plan to either require python to not prepend them and add the script (symbolic link) directory to PYTHONPATH, or just setup the PYTHONSAFEPATH in pywrapper.sh.

I was experimenting with building python modules with C/C++ extensions in Bazel. Although the Bazel runtime environment/runfiles looks all right, the script just can not find the built dynamic libraries because the very first search path in sys.path is the real bare root directory.

[zhe-tao]

Unfortunately both solutions are introduced in 3.11, which is not ready for us. I will try to just remove the symbolic link and copy the script.