Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]

Groups > comp.lang.python > #53913

Re: Can I trust downloading Python?

From Tom P <werotizy@freent.dd>
Newsgroups comp.lang.python
Subject Re: Can I trust downloading Python?
Date 2013-09-10 12:26 +0200
Message-ID <b98affFgnbgU2@mid.individual.net> (permalink)
References <31jXt.43447$Hr1.23199@en-nntp-03.dc1.easynews.com> <522e626c$0$29988$c3e8da3$5496439d@news.astraweb.com> <mailman.205.1378806345.5461.python-list@python.org>

Show all headers | View raw

On 10.09.2013 11:45, Oscar Benjamin wrote:
> On 10 September 2013 01:06, Steven D'Aprano
> <steve+comp.lang.python@pearwood.info> wrote:
>> On Mon, 09 Sep 2013 12:19:11 +0000, Fattburger wrote:
>>
>> But really, we've learned *nothing* from the viruses of the 1990s.
>> Remember when we used to talk about how crazy it was to download code
>> from untrusted sites on the Internet and execute it? We're still doing
>> it, a hundred times a day. Every time you go on the Internet, you
>> download other people's code and execute it. Javascript, Flash, HTML5,
>> PDF are all either executable, or they include executable components. Now
>> they're *supposed* to be sandboxed, but we've gone from "don't execute
>> untrusted code" to "let's hope my browser doesn't have any bugs that the
>> untrusted code might exploit".
>
> You could have also mentioned pip/PyPI in that. 'pip install X'
> downloads and runs arbitrary code from a largely unmonitored and
> uncontrolled code repository. The maintainers of PyPI can only try to
> ensure that the original author of X would remain in control of what
> happens and could remove a package X if it were discovered to be
> malware. However they don't have anything like the resources to
> monitor all the code coming in so it's essentially a system based on
> trust in the authors where the only requirement to be an author is
> that you have an email address. Occasionally I see the suggestion to
> do 'sudo pip install X' which literally gives root permissions to
> arbitrary code coming straight from the net.
>
>
> Oscar
>

Interesting observation

Back to comp.lang.python | Previous | NextPrevious in thread | Next in thread | Find similar | Unroll thread

Thread

Re: Can I trust downloading Python? Fattburger <none@none.com> - 2013-09-09 12:19 +0000
  Re: Can I trust downloading Python? Tony the Tiger <tony@tiger.invalid> - 2013-09-09 14:41 -0500
  Re: Can I trust downloading Python? Steven D'Aprano <steve+comp.lang.python@pearwood.info> - 2013-09-10 00:06 +0000
    Re: Can I trust downloading Python? Oscar Benjamin <oscar.j.benjamin@gmail.com> - 2013-09-10 10:45 +0100
      Re: Can I trust downloading Python? Tom P <werotizy@freent.dd> - 2013-09-10 12:26 +0200
      Re: Can I trust downloading Python? Steven D'Aprano <steve+comp.lang.python@pearwood.info> - 2013-09-10 14:40 +0000
    Re: Can I trust downloading Python? Chris Angelico <rosuav@gmail.com> - 2013-09-10 20:05 +1000
    Re: Can I trust downloading Python? Wolfgang Keller <feliphil@gmx.net> - 2013-09-10 18:20 +0200

csiph-web