On Apr 22, 2008, at 12:19 PM, Phillip J. Eby wrote:
At 11:49 AM 4/22/2008 -0400, Pete wrote:
On Apr 21, 2008, at 6:01 PM, Phillip J. Eby wrote:
At 04:23 PM 4/21/2008 -0400, Pete wrote:
I'm not looking for explicit testing support from setuptools for testing here - I'm just asking that a bug that breaks a 3rd party testing package be fixed.
You haven't stated anything yet that sounds like an actual bug to me.
What about the dangerous & broken complaint?
Which I don't yet understand, let alone agree with. Simply asserting over and over that it's bad and dangerous doesn't help.
This bit, from my email on April 21, 2008 4:23:09; Ben Finney's point about tests being silently skipped is also valid, and was how I originally came across this problem.

In any event, a motivating example: Some non-script modules are intended to be executable - think doctest, or anything else that does an `if __name__ == '__main__':`. As a developer, I purposely set such modules executable (including setting svn:executable) and leave the others as r-w.

And there lies the danger. The executable bit is an indication that a file is intended to be executable. Unix-like systems will treat running a file without a leading #! as a shell script. This can cause arbitrary commands to be executed - for example, this is valid Python:

    rm -f /usr

Perhaps contrived, but should demonstrate the point. As a more realistic example, `import` is an imagelib command that takes over the X cursor (for taking a screenshot IIRC).
One thing that you particularly seem to be missing is that the distutils also ignore a Python module's source permissions -- whether they come from a tarball or not.
Ok, but AFAIK distutils doesn't then +x everything, which is the problem here.

--
Pete
pfein@pobox.com
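
Added example, not part of the thread and not setuptools or distutils code: a Python check that lists modules in a tree which carry an execute bit but have no `#!` line, the combination the message above describes as being handed to the shell. The function names and the sample tree are constructed for illustration.

```python
import os
import stat
import tempfile

ANY_EXEC = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH

def has_shebang(path):
    """True if the file begins with the two bytes '#!'."""
    with open(path, "rb") as fh:
        return fh.read(2) == b"#!"

def executable_without_shebang(root, suffix=".py"):
    """Relative paths of regular files under root that have an execute
    bit set but no shebang line, sorted for stable output."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if not name.endswith(suffix) or not stat.S_ISREG(mode):
                continue
            if mode & ANY_EXEC and not has_shebang(path):
                hits.append(os.path.relpath(path, root))
    return sorted(hits)

def demo():
    """Build a constructed sample tree and audit it."""
    samples = {
        # intended script: executable and has an interpreter line
        "runner.py": ("#!/usr/bin/env python\nprint('ok')\n", 0o755),
        # plain module that ended up +x: this is the case to flag
        "helpers.py": ("import os\n", 0o755),
        # plain module with ordinary permissions
        "data.py": ("X = 1\n", 0o644),
    }
    with tempfile.TemporaryDirectory() as root:
        pkg = os.path.join(root, "pkg")
        os.mkdir(pkg)
        for name, (body, mode) in samples.items():
            path = os.path.join(pkg, name)
            with open(path, "w") as fh:
                fh.write(body)
            os.chmod(path, mode)
        return executable_without_shebang(root)

if __name__ == "__main__":
    for rel in demo():
        print("executable, no shebang:", rel)
```

Pointing `executable_without_shebang` at a site-packages directory after an install shows which modules would be run by the shell if invoked directly.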