From dc3ac13750de7df2f48b7808fb7ffca2b1335cf8 Mon Sep 17 00:00:00 2001
From: alexzorin <alex@zorin.id.au>
Date: Sun, 6 Dec 2020 19:10:03 +1100
Subject: [PATCH] snap: disable the "user site-packages directory" (#8509)

Although Certbot is a classic snap, it shouldn't load Python code from
the host system. This change prevents packages being loaded from the
"user site-packages directory" (PEP-370). i.e. Certbot will no longer
load DNS plugins installed via `pip install --user certbot-dns-*`.
---
 certbot/CHANGELOG.md | 3 ++-
 snap/snapcraft.yaml  | 4 ++--
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/certbot/CHANGELOG.md b/certbot/CHANGELOG.md
index e987f2a1c..82ba6121a 100644
--- a/certbot/CHANGELOG.md
+++ b/certbot/CHANGELOG.md
@@ -14,7 +14,8 @@ Certbot adheres to [Semantic Versioning](https://semver.org/).
 
 ### Fixed
 
-*
+* The Certbot snap no longer loads packages installed via `pip install --user`. This
+  was unintended and DNS plugins should be installed via `snap` instead.
 
 More details about these changes can be found on our GitHub repo.
 
diff --git a/snap/snapcraft.yaml b/snap/snapcraft.yaml
index 5fbf8503d..09d409d26 100644
--- a/snap/snapcraft.yaml
+++ b/snap/snapcraft.yaml
@@ -20,13 +20,13 @@ adopt-info: certbot
 
 apps:
   certbot:
-    command: bin/python3 $SNAP/bin/certbot
+    command: bin/python3 -s $SNAP/bin/certbot
     environment:
       PATH: "$SNAP/bin:$SNAP/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games"
       AUGEAS_LENS_LIB: "$SNAP/usr/share/augeas/lenses/dist"
       CERTBOT_SNAPPED: "True"
   renew:
-    command: bin/python3 $SNAP/bin/certbot -q renew
+    command: bin/python3 -s $SNAP/bin/certbot -q renew
     daemon: oneshot
     environment:
       PATH: "$SNAP/bin:$SNAP/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games"