[Python-Dev] Keyword meanings [was: Accept just PEP-0426]
Donald Stufft
donald.stufft at gmail.com
Thu Dec 6 00:30:41 CET 2012
On Wednesday, December 5, 2012 at 6:18 PM, Barry Warsaw wrote:
> On Dec 05, 2012, at 06:07 PM, Donald Stufft wrote:
>
> > If you're installing B you've prescribed trust to that author. If you don't
> > trust the author then why are you installing (and then executing) code
> > they wrote.
>
> What if you installed Z, but B got installed because it was a dependency three
> levels down?

Sure, you granted trust to Z, Z granted trust to Y, and Y granted trust to B.
Like with SSL certificates, there is a chain of trust. If you don't trust Z then
don't install their package.

> > Very convenient to declare that one of the major use cases for
> > Obsoletes over Obsoleted-By is not valid because of your own
> > personal opinions. Like I said above, if you're installing a package
> > that someone has uploaded you've implicitly granted them trust. There
> > are far worse things that a bad Python citizen can do during, and after,
> > an install than what is allowed by Obsoletes.
>
> Well, basically never installing anything from PyPI except into a virtualenv
> is probably a good recommendation (maybe even now).

A virtualenv only protects you from well behaved packages. There is no way to
prevent a package author from doing very nasty things to you if they wish.
Providing more power in the metadata doesn't make this situation better or
worse, it just makes more standard paths in the cases where you do need to do
it.

> > End systems often times do not have a singular organization controlling
> > every package in their system. The best example is Ubuntu and their PPAs.
>
> Well, PPAs are awesome, but have known and well-publicized trust issues. I
> wouldn't enable a PPA into my running system without really knowing who the
> owner is and why I'm using their PPA. Or doing a lot of testing in a chroot
> first, and probably pinning the package set to just the one(s) from the PPA I
> care about.

Basically the same thing can be said about packages on PyPI. All the same trust
issues exist there. Simply installing a Python package is already granting far
more trust than Obsoletes requires, since installing a package is executing
someone else's Python code on your system. Even if you remove setup.py you're
still going to be executing their code on your system. If you do not trust the
author of the packages you are installing, you do not install their packages.
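The chain-of-trust argument above (you trusted Z, Z trusted Y, Y trusted B), as an added example that is not part of the original message, of PEP 426, or of any installer: a short Python walk over a constructed dependency graph that computes which packages' code an install of Z will run, recovers the chain through which a package three levels down was trusted, and keeps only the Obsoletes declarations made by packages already inside that trust closure. The package names, the graph and the Obsoletes entries are constructed for illustration.

```python
"""Walk a package dependency graph to see whose code you have implicitly trusted.

Added example; this is not code from the python-dev thread or from PEP 426.
The package names, the dependency graph and the Obsoletes declarations are
constructed for illustration only.
"""
from collections import deque

# Constructed dependency graph: package -> packages it requires.
DEPENDS = {
    "Z": ["Y"],
    "Y": ["B"],
    "B": [],
    "Q": ["R"],
    "R": [],
}

# Constructed Obsoletes metadata: package -> names it claims to obsolete.
OBSOLETES = {
    "B": ["OldB"],   # B is three levels down from Z, but still in Z's chain
    "R": ["Z"],      # R is not in Z's chain, so installing Z never ran R's code
}


def implicitly_trusted(requested):
    """Packages whose code runs when `requested` is installed.

    Installing a package executes its author's code (setup.py at install
    time, the package itself afterwards), so every package reachable through
    the dependency graph is one you have trusted, directly or transitively.
    """
    seen = set()
    queue = deque(requested)
    while queue:
        name = queue.popleft()
        if name in seen:
            continue
        seen.add(name)
        queue.extend(DEPENDS.get(name, ()))
    return seen


def trust_path(requested, target):
    """The chain through which `target` was trusted, e.g. ['Z', 'Y', 'B'].

    Breadth-first search from the requested packages; returns None if
    `target` is not reachable (its author's code never ran).
    """
    parent = {name: None for name in requested}
    queue = deque(requested)
    while queue:
        name = queue.popleft()
        if name == target:
            path = []
            while name is not None:
                path.append(name)
                name = parent[name]
            return path[::-1]
        for dep in DEPENDS.get(name, ()):
            if dep not in parent:
                parent[dep] = name
                queue.append(dep)
    return None


def obsoletes_within_trust(requested):
    """Obsoletes declarations made by packages already inside the trust
    closure of this install. Declarations by anything else (R above when
    installing Z) are not honoured: you never agreed to run that code."""
    trusted = implicitly_trusted(requested)
    return {pkg: list(targets) for pkg, targets in OBSOLETES.items() if pkg in trusted}


if __name__ == "__main__":
    print(sorted(implicitly_trusted(["Z"])))   # ['B', 'Y', 'Z']
    print(trust_path(["Z"], "B"))              # ['Z', 'Y', 'B']
    print(obsoletes_within_trust(["Z"]))       # {'B': ['OldB']}
```

The point the walk makes concrete is that an Obsoletes declared by B cannot reach you unless B's code was already going to run, and B's code runs precisely because of the path Z -> Y -> B you opted into when you installed Z; a declaration by a package outside that closure (R) is simply never consulted.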