
macstatic

Original poster
Terminal tells me that I currently have Python version 2.7.16 installed. I assume it came with macOS 10.13 (High Sierra), which I'm still using for various reasons.

Code:
$ python --version
Python 2.7.16

I'm not into programming and have no idea how to use, or have had any use for Python, but the "Open with" Firefox extension is dependent upon Python, and the latest version demands Python 3.2 or newer.
I looked up how to install/upgrade Python and found this (using Homebrew which I've already installed and used for many other things) and this, so I suppose it's just a matter of entering the following Terminal command:
Code:
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"

But I'm wondering if there are any downsides to this? Can it possibly break something else (I don't know of anything else on my Mac that uses Python, but then again I don't know everything that happens "under the hood")? Will it use up a lot of extra disk space? Anything else I need to keep in mind before attempting this?
(PS: I have been able to re-install an older version of the "Open with" Firefox extension, so I can handle just keeping the current version of Python, but I understand that for security reasons using the latest version is recommended).
 

casperes1996

It is not a concern to install the latest Python 3 version with Homebrew. It does not interfere with the system Python 2; they will exist side by side, and the Terminal command to use the Homebrew Python 3 will be python3, not just python, which will still use the system package.
 

macstatic

Original poster
Thanks. Sounds like I have nothing to lose by installing version 3 :)
However, something went wrong when trying to install it, using the command from my previous posting:

Code:
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"

which gave me all sorts of error messages:


Code:
==> Downloading and installing Homebrew...
HEAD is now at 3e257890d Merge pull request #14367 from Homebrew/dependabot/bundler/Library/Homebrew/rubocop-rspec-2.17.0
fatal: Couldn't find remote ref refs/heads/master
Error: Fetching /usr/local/Homebrew/Library/Taps/osx-cross/homebrew-avr failed!
Updated 2 taps (homebrew/cask and homebrew/core).
Failed during: /usr/local/bin/brew update --force --quiet
$

Any idea why and what I can do about it?
 

casperes1996

According to the install script, the oldest macOS version currently supported by Homebrew is Big Sur, 11.0.
I haven't looked at it enough to conclude why exactly it fails, but given the above I think installing Python 3 in an alternate way is a better approach regardless.

Homebrew is nice for managing packages, updates, removals, etc. But if you just want to install Python, you can download regular user-facing installer packages here.

They can be installed the same way you would install a lot of other end-user software.

If you'd like to install it with a package manager like Homebrew, you may try and see if the latest release of MacPorts is still compatible with your operating system. It fills a very similar role to Homebrew.

This is the latest stable version of Python on MacPorts.
 

Nygaard

As @casperes1996 said, installing it from the official Python website is the best way to go. They went to the trouble of making an installer and (presumably) testing it, so it ought to install successfully. And if it doesn't, the developers probably would like to know so they can fix it.

And as a general rule, don't blindly copy and paste commands into Terminal, regardless of where the commands came from. This cute trend of /bin/bash -c "$(curl ...)" stuff is bad practice. Just download the script manually, review what it's doing, and run it only if you trust it and are prepared to deal with any consequences/errors.
 

casperes1996

> And as a general rule, don't blindly copy and paste commands into Terminal, regardless of where the commands came from. This cute trend of /bin/bash -c "$(curl ...)" stuff is bad practice. Just download the script manually, review what it's doing, and run it only if you trust it and are prepared to deal with any consequences/errors.

This is a bit off topic, but yes. I really like Homebrew, but it pains me that their install procedure on their website is this.

On the other hand however, you can argue that it's not too different from an installer pkg or similar that may be closed source that the user double clicks and clicks through installation prompts on. Unless you run with sudo at least damage is somewhat limited in potential, assuming security works as expected.

But ultimately I don't like it either.
 

Nygaard

I'm not sure what security restrictions package installers have. If it's anything like the sandboxing/hardened runtime for applications, then you can't even sneeze without asking the user. The code is probably also signed, so any modifications are flagged by the OS and prevent the executable from running. (I'm not a particular fan of all this security, but it is what it is. Also, how the security plays out in practice is a separate question).

On the other hand, running a bare script can do anything the user can, including corrupting/deleting precious files (intentionally or unintentionally). Sure, some of the damage is mitigated by privileges, but the damage that can be done is non-negligible. And for the truly paranoid, bad actors can somewhat detect the one-liner and return a different payload, among other things.
 

casperes1996

> I'm not sure what security restrictions package installers have. If it's anything like the sandboxing/hardened runtime for applications, then you can't even sneeze without asking the user. The code is probably also signed, so any modifications are flagged by the OS and prevent the executable from running. (I'm not a particular fan of all this security, but it is what it is. Also, how the security plays out in practice is a separate question).
>
> On the other hand, running a bare script can do anything the user can, including corrupting/deleting precious files (intentionally or unintentionally). Sure, some of the damage is mitigated by privileges, but the damage that can be done is non-negligible. And for the truly paranoid, bad actors can somewhat detect the one-liner and return a different payload, among other things.

All of this is true.

Regular installers that utilise the macOS installer do have some limitations as well, though I forget the exact setup of what you may and may not do from it. But people can package their own installer programs, but you're of course also right about signatures and general sandboxing measures. Though some installers for legitimate software want you to give them root access to install and whatnot.

Regardless, we're generally in agreement here. An install script you curl and execute could easily have "rm -rf *" in there and boom, your home directory gets cleared. And yeah, if you copy and paste, it can even show you one thing in the browser but place another thing in your clipboard, where proceeding too fast can cause trouble and all sorts. Lots of ways this sort of thing can go wrong.
To my knowledge the Homebrew page or install script has never been taken over, and HTTPS certificates provide some assurance against man-in-the-middle attacks too, but it's definitely a concern worth noting :)
 

macstatic

Original poster
> As @casperes1996 said, installing it from the official Python website is the best way to go. They went to the trouble of making an installer and (presumably) testing it, so it ought to install successfully. And if it doesn't, the developers probably would like to know so they can fix it.
>
> And as a general rule, don't blindly copy and paste commands into Terminal, regardless of where the commands came from. This cute trend of /bin/bash -c "$(curl ...)" stuff is bad practice. Just download the script manually, review what it's doing, and run it only if you trust it and are prepared to deal with any consequences/errors.

I see what you're saying. The problem, however, is that end-users such as myself (barely understanding what a script does when reading its code) just can't tell what could be potentially harmful or not.
Are you saying that whenever possible I should try to find a Mac-specific installer and not use Homebrew or pick up "how to" website instructions using the Terminal?

By the way, looks like the installation worked well and I now have two Python versions available:

Code:
$ python --version
Python 2.7.16
$ python3 --version
Python 3.11.1
 

Nygaard

> Are you saying that whenever possible I should try to find a Mac-specific installer and not use Homebrew or pick up "how to" website instructions using the Terminal?

Correct. Actually, a dedicated application (a standard .app, rather than a .pkg) is even more preferable, since it (usually) doesn't install anything – it just runs. It's also less likely to cause issues in the future.

Ultimately it boils down to a question of trust.
 

casperes1996

> I see what you're saying. The problem, however, is that end-users such as myself (barely understanding what a script does when reading its code) just can't tell what could be potentially harmful or not.
> Are you saying that whenever possible I should try to find a Mac-specific installer and not use Homebrew or pick up "how to" website instructions using the Terminal?

Generally avoid running commands when you don't know what they do, yes. As Nygaard says, it boils down to trust. If you look up something and find a post here where I tell someone to run a command, and you trust both me and that MacRumors has not been taken over, then you can run it. But I generally provide explanations of what it does, not just commands for people to blindly run. But remember it's a chain of trust. It's not just, in this example, me and my post. It's your network, MacRumors and anywhere in between - even yourself. Do you feel confident enough in your understanding of the explanation of the command that you're not running something bad that might be good for another situation?

I generally trust Homebrew and think it's a great package manager. I install everything with it; it simplifies installation, removal, updating - it also checks integrity by validating the hashes of packages it downloads, making sure no network corruptions happened during transfer. But the tool isn't so much made for end-users as it is for power users and developers. You can use Homebrew and be happy with it, I'm sure, but the official installation method is, as discussed here, not ideal. But if you know what you're doing and you trust the taps (Homebrew terminology for where it gets its descriptions of packages from), it's a good way of managing software.

If you're not comfortable with the Terminal and you don't want to become so, avoid it when possible. But if you want to learn and become comfortable with it, that's only a good thing. A great tip I can give is that almost everything you can do in the Terminal will have man pages (manuals) and help pages available. If you're in doubt about a command you can write
man command
replacing command with the relevant command, and get a manual for it. q closes. Most commands also allow command -h for a help summary.

Often Homebrew will really use those .pkg installers behind the scenes, so it's not too different in the end. But the pkg installer may be more transparent and easier to understand, which for an end-user not comfortable with the Terminal can be safer.
 