
Re: Can I trust downloading Python?

References <31jXt.43447$Hr1.23199@en-nntp-03.dc1.easynews.com> <522e626c$0$29988$c3e8da3$5496439d@news.astraweb.com>
From Oscar Benjamin <oscar.j.benjamin@gmail.com>
Date 2013-09-10 10:45 +0100
Subject Re: Can I trust downloading Python?
Newsgroups comp.lang.python
Message-ID <mailman.205.1378806345.5461.python-list@python.org> (permalink)



On 10 September 2013 01:06, Steven D'Aprano
<steve+comp.lang.python@pearwood.info> wrote:
> On Mon, 09 Sep 2013 12:19:11 +0000, Fattburger wrote:
>
> But really, we've learned *nothing* from the viruses of the 1990s.
> Remember when we used to talk about how crazy it was to download code
> from untrusted sites on the Internet and execute it? We're still doing
> it, a hundred times a day. Every time you go on the Internet, you
> download other people's code and execute it. Javascript, Flash, HTML5,
> PDF are all either executable, or they include executable components. Now
> they're *supposed* to be sandboxed, but we've gone from "don't execute
> untrusted code" to "let's hope my browser doesn't have any bugs that the
> untrusted code might exploit".

You could have also mentioned pip/PyPI in that. 'pip install X'
downloads and runs arbitrary code from a largely unmonitored and
uncontrolled code repository. The maintainers of PyPI can only try to
ensure that the original author of X would remain in control of what
happens and could remove a package X if it were discovered to be
malware. However, they don't have anything like the resources to
monitor all the code coming in, so it's essentially a system based on
trust in the authors, where the only requirement to be an author is
that you have an email address. Occasionally I see the suggestion to
do 'sudo pip install X' which literally gives root permissions to
arbitrary code coming straight from the net.


Oscar
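As an added example (not from this thread), the two mitigations a practitioner would reach for against the problem Oscar describes: verify what `pip install` fetches against pinned hashes, and never run it as root. The script below is a pre-install policy check a team might run before a wrapper invokes `pip install --require-hashes -r requirements.txt`; the sample requirements text and its sha256 value are constructed.

```python
"""Policy gate for 'pip install -r requirements.txt'.

Passes only when every requirement is pinned with == and carries a
--hash=sha256: option (what pip's --require-hashes mode enforces), and
the install would not run with root privileges ('sudo pip install').
"""
import os
import re

# Constructed sample: one fully pinned+hashed entry, one pinned without a
# hash, one unpinned. The hash value is a placeholder, not a real digest.
SAMPLE_REQUIREMENTS = """\
requests==2.31.0 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
flask==3.0.0
numpy>=1.26
"""

# name, optional extras in [], then an optional version specifier
REQ_LINE = re.compile(r"^(?P<name>[A-Za-z0-9_.\-]+(?:\[[^\]]*\])?)\s*"
                      r"(?P<spec>[<>=!~]+\s*[^\s\\]+)?")


def logical_lines(text):
    """Join backslash-continued lines, as pip's requirements parser does."""
    buf = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        yield " ".join(buf)
        buf = []
    if buf:
        yield " ".join(buf)


def check_requirements(text):
    """Return (name, problem) pairs; an empty list means the file passes."""
    problems = []
    for line in logical_lines(text):
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("-"):
            continue  # comments and option lines such as --index-url
        m = REQ_LINE.match(line)
        if not m:
            problems.append((line, "unparseable requirement"))
            continue
        name, spec = m.group("name"), m.group("spec") or ""
        if not spec.startswith("=="):
            problems.append((name, "not pinned with =="))
        if "--hash=sha256:" not in line:
            problems.append((name, "no sha256 hash, cannot be verified"))
    return problems


def install_allowed(text, euid=None):
    """True only if the file passes and the caller is not root (euid 0)."""
    if euid is None:
        euid = os.geteuid() if hasattr(os, "geteuid") else -1
    return euid != 0 and not check_requirements(text)
```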
