@@ -338,14 +338,25 @@ def setup_python(self, context):
338338 shutil .copyfile (src , dst )
339339 break
340340
341+ def _call_new_python (self , context , * py_args , ** kwargs ):
342+ """Executes the newly created Python using safe-ish options"""
343+ # gh-98251: We do not want to just use '-I' because that masks
344+ # legitimate user preferences (such as not writing bytecode). All we
345+ # really need is to ensure that the path variables do not overrule
346+ # normal venv handling.
347+ args = [context .env_exec_cmd , * py_args ]
348+ kwargs ['env' ] = env = os .environ .copy ()
349+ env ['VIRTUAL_ENV' ] = context .env_dir
350+ env .pop ('PYTHONHOME' , None )
351+ env .pop ('PYTHONPATH' , None )
352+ kwargs ['cwd' ] = context .env_dir
353+ kwargs ['executable' ] = context .env_exec_cmd
354+ subprocess .check_output (args , ** kwargs )
355+
341356 def _setup_pip (self , context ):
342357 """Installs or upgrades pip in a virtual environment"""
343- # We run ensurepip in isolated mode to avoid side effects from
344- # environment vars, the current directory and anything else
345- # intended for the global Python environment
346- cmd = [context .env_exec_cmd , '-Im' , 'ensurepip' , '--upgrade' ,
347- '--default-pip' ]
348- subprocess .check_output (cmd , stderr = subprocess .STDOUT )
358+ self ._call_new_python (context , '-m' , 'ensurepip' , '--upgrade' ,
359+ '--default-pip' , stderr = subprocess .STDOUT )
349360
350361 def setup_scripts (self , context ):
351362 """
@@ -444,9 +455,8 @@ def upgrade_dependencies(self, context):
444455 logger .debug (
445456 f'Upgrading { CORE_VENV_DEPS } { context .bin_path }
446457 )
447- cmd = [context .env_exec_cmd , '-m' , 'pip' , 'install' , '--upgrade' ]
448- cmd .extend (CORE_VENV_DEPS )
449- subprocess .check_call (cmd )
458+ self ._call_new_python (context , '-m' , 'pip' , 'install' , '--upgrade' ,
459+ * CORE_VENV_DEPS )
450460
451461
452462def create (env_dir , system_site_packages = False , clear = False ,
0 commit comments