Path: csiph.com!usenet.pasdenom.info!weretis.net!feeder4.news.weretis.net!rt.uk.eu.org!newsfeed.xs4all.nl!newsfeed4.news.xs4all.nl!xs4all!post.news.xs4all.nl!not-for-mail
Return-Path: <oscar.j.benjamin@gmail.com>
X-Original-To: python-list@python.org
Delivered-To: python-list@mail.python.org
X-Spam-Status: OK 0.009
X-Spam-Evidence: '*H*': 0.98; '*S*': 0.00; 'essentially': 0.04; 'root': 0.05; 'subject:Python': 0.06; 'javascript,': 0.07; 'pypi': 0.07; 'code"': 0.09; 'executable': 0.09; 'occasionally': 0.09; "people's": 0.09; 'permissions': 0.09; 'runs': 0.10; 'cc:addr :python-list': 0.11; 'cc:name:python list': 0.16; 'components.': 0.16; 'maintainers': 0.16; 'to:addr:pearwood.info': 0.16; 'to:addr:steve+comp.lang.python': 0.16; "to:name:steven d'aprano": 0.16; 'wrote:': 0.18; 'cc:addr:python.org': 0.22; 'install': 0.23; 'mon,': 0.24; 'cc:2**0': 0.24; 'header:In-Reply-To:1': 0.27; "doesn't": 0.30; 'message-id:@mail.gmail.com': 0.30; 'gives': 0.31; 'code': 0.31; 'that.': 0.31; "d'aprano": 0.31; 'really,': 0.31; 'sep': 0.31; 'steven': 0.31; "we're": 0.32; 'bugs': 0.33; 'could': 0.34; 'requirement': 0.35; 'but': 0.35; 'received:google.com': 0.35; 'crazy': 0.36; 'largely': 0.36; 'doing': 0.36; 'subject:?': 0.36; 'anything': 0.39; 'pdf': 0.39; 'address.': 0.39; 'either': 0.39; 'how': 0.40; 'ensure': 0.60; 'remove': 0.60; 'subject:Can': 0.60; 'hope': 0.61; 'gone': 0.61; 'mentioned': 0.61; 'browser': 0.61; 'viruses': 0.61; 'times': 0.62; 'day.': 0.63; 'internet': 0.71; 'discovered': 0.83; '1990s.': 0.84; 'html5,': 0.84; 'oscar': 0.84; 'hundred': 0.95; '2013': 0.98
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=+aB38+oQjLwkXgPQ5rXe3MCCHrEfd8Ki4MtH69nZ3wA=; b=X4zLy887yxPZePcJGKWphL+Vd4zedVdK5sItwEFOsJsGjKKra/z75+HdIw3weWlV7G u//aCILpyrUb7cFYk1t8Tk431svh/Ibu9bEbD8rU3ZOFgNDXHnFO5DTzY1Cjjkw9icgM kf0pQipYDtnSbrAiH7vDGyCAA17eNBqlkefogYNyQgxnO30mR4Rg399bSETJnPZHKuxY g1h/CnY3qMJyPPNooDNfJ3Ezs40/7fGNXYeA6IJ7cgjEisNjteMt+fUDxQZyRBpuPlyC CHOSRyaKZ20+2U2bQwtfNxgB5/g/A8wV0ah2dZXRssrK7IDYLXy0bGuCB/DtQVSRZlIT +Nug==
X-Received: by 10.220.1.203 with SMTP id 11mr21980364vcg.15.1378806336834; Tue, 10 Sep 2013 02:45:36 -0700 (PDT)
MIME-Version: 1.0
In-Reply-To: <522e626c$0$29988$c3e8da3$5496439d@news.astraweb.com>
References: <31jXt.43447$Hr1.23199@en-nntp-03.dc1.easynews.com> <522e626c$0$29988$c3e8da3$5496439d@news.astraweb.com>
From: Oscar Benjamin <oscar.j.benjamin@gmail.com>
Date: Tue, 10 Sep 2013 10:45:16 +0100
Subject: Re: Can I trust downloading Python?
To: "Steven D'Aprano" <steve+comp.lang.python@pearwood.info>
Content-Type: text/plain; charset=ISO-8859-1
Cc: Python List <python-list@python.org>
X-BeenThere: python-list@python.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: General discussion list for the Python programming language <python-list.python.org>
List-Unsubscribe: <https://mail.python.org/mailman/options/python-list>, <mailto:python-list-request@python.org?subject=unsubscribe>
List-Archive: <http://mail.python.org/pipermail/python-list/>
List-Post: <mailto:python-list@python.org>
List-Help: <mailto:python-list-request@python.org?subject=help>
List-Subscribe: <https://mail.python.org/mailman/listinfo/python-list>, <mailto:python-list-request@python.org?subject=subscribe>
Newsgroups: comp.lang.python
Message-ID: <mailman.205.1378806345.5461.python-list@python.org>
Lines: 28
NNTP-Posting-Host: 2001:888:2000:d::a6
X-Trace: 1378806345 news.xs4all.nl 15891 [2001:888:2000:d::a6]:42642
X-Complaints-To: abuse@xs4all.nl
Xref: csiph.com comp.lang.python:53911

On 10 September 2013 01:06, Steven D'Aprano
<steve+comp.lang.python@pearwood.info> wrote:
> On Mon, 09 Sep 2013 12:19:11 +0000, Fattburger wrote:
>
> But really, we've learned *nothing* from the viruses of the 1990s.
> Remember when we used to talk about how crazy it was to download code
> from untrusted sites on the Internet and execute it? We're still doing
> it, a hundred times a day. Every time you go on the Internet, you
> download other people's code and execute it. Javascript, Flash, HTML5,
> PDF are all either executable, or they include executable components. Now
> they're *supposed* to be sandboxed, but we've gone from "don't execute
> untrusted code" to "let's hope my browser doesn't have any bugs that the
> untrusted code might exploit".

You could have also mentioned pip/PyPI in that. 'pip install X'
downloads and runs arbitrary code from a largely unmonitored and
uncontrolled code repository. The maintainers of PyPI can only try to
ensure that the original author of X would remain in control of what
happens and could remove a package X if it were discovered to be
malware. However they don't have anything like the resources to
monitor all the code coming in so it's essentially a system based on
trust in the authors where the only requirement to be an author is
that you have an email address. Occasionally I see the suggestion to
do 'sudo pip install X' which literally gives root permissions to
arbitrary code coming straight from the net.


Oscar