| From | Tom P <werotizy@freent.dd> |
|---|---|
| Newsgroups | comp.lang.python |
| Subject | Re: Can I trust downloading Python? |
| Date | Tue, 10 Sep 2013 12:26:55 +0200 |
| Message-ID | <b98affFgnbgU2@mid.individual.net> |
| References | <31jXt.43447$Hr1.23199@en-nntp-03.dc1.easynews.com> <522e626c$0$29988$c3e8da3$5496439d@news.astraweb.com> <mailman.205.1378806345.5461.python-list@python.org> |
| In-Reply-To | <mailman.205.1378806345.5461.python-list@python.org> |

On 10.09.2013 11:45, Oscar Benjamin wrote:
> On 10 September 2013 01:06, Steven D'Aprano
> <steve+comp.lang.python@pearwood.info> wrote:
>> On Mon, 09 Sep 2013 12:19:11 +0000, Fattburger wrote:
>>
>> But really, we've learned *nothing* from the viruses of the 1990s.
>> Remember when we used to talk about how crazy it was to download code
>> from untrusted sites on the Internet and execute it? We're still doing
>> it, a hundred times a day. Every time you go on the Internet, you
>> download other people's code and execute it. Javascript, Flash, HTML5,
>> PDF are all either executable, or they include executable components. Now
>> they're *supposed* to be sandboxed, but we've gone from "don't execute
>> untrusted code" to "let's hope my browser doesn't have any bugs that the
>> untrusted code might exploit".
>
> You could have also mentioned pip/PyPI in that. 'pip install X'
> downloads and runs arbitrary code from a largely unmonitored and
> uncontrolled code repository. The maintainers of PyPI can only try to
> ensure that the original author of X would remain in control of what
> happens and could remove a package X if it were discovered to be
> malware. However they don't have anything like the resources to
> monitor all the code coming in so it's essentially a system based on
> trust in the authors where the only requirement to be an author is
> that you have an email address. Occasionally I see the suggestion to
> do 'sudo pip install X' which literally gives root permissions to
> arbitrary code coming straight from the net.
>
>
> Oscar
>

Interesting observation
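
The quoted point about 'pip install X' trusting whatever the repository serves is what pip's hash-checking mode (`--require-hashes`, with a `--hash=sha256:...` entry per requirement) narrows down: only the exact files that were pinned are accepted. The script below is an added example, not part of the thread, and goes beyond what the posts mention; it flags requirement lines that are not pinned with `==` or carry no hash, and its sample file, package names and digests are constructed.

```python
import re

HASH_RE = re.compile(r"--hash=sha256:[0-9a-f]{64}\b")
# name, optional [extras], then an exact == version (no wildcard such as 1.*)
PIN_RE = re.compile(r"^[A-Za-z0-9][\w.-]*(\[[^\]]*\])?\s*==\s*[^\s;*]+(?=\s|;|$)")

def logical_lines(text):
    """Yield (first_line_no, text) with comments stripped and '\\' continuations joined."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()
        start = start or no
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield start, buf.strip()
        buf, start = "", None
    if buf.strip():
        yield start, buf.strip()

def audit(text):
    """Return (line_no, requirement, problem) for lines hash-checking mode would not accept."""
    findings = []
    for no, req in logical_lines(text):
        if req.startswith("-"):
            # -r, -e, --index-url and similar change what gets fetched; no pin to check.
            findings.append((no, req, "option line, review by hand"))
            continue
        problems = []
        if not PIN_RE.match(req):
            problems.append("not pinned with ==")
        if not HASH_RE.search(req):
            problems.append("no sha256 hash")
        if problems:
            findings.append((no, req.split()[0], ", ".join(problems)))
    return findings

SAMPLE = "\n".join([  # constructed requirements file; names and digests are made up
    "# constructed sample",
    "alpha==1.2.0 \\",
    "    --hash=sha256:" + "a" * 64,
    "beta>=2.0",
    "gamma==0.9.1",
    "delta==3.1 --hash=sha256:" + "b" * 64 + "  # pinned and hashed",
])

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("line %d: %s: %s" % finding)
```

A pinned hash only guarantees that the file installed is the file that was pinned; it says nothing about whether that code deserves the trust, or the root privileges, discussed above.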