
Oct. 28, 2009
12:06 a.m.
On Oct 27, 2009, at 7:41 PM, David Lyon wrote:
I'm not sure about that, Tarek.
An .exe installer as a perfect binary format for Python packages?
Are you serious?
That is the biggest security threat I can think of: asking Python users to run unverified, unsigned, untrusted executable files on their systems.
easy_install, pip, and indeed all of PyPI is basically a system for executing untrusted code, usually as a system administrator, straight off of what is effectively a wiki. If you're concerned about security and distutils, there is a _lot_ of work to do. There is no particular additional danger in executing a .exe rather than a setup.py.
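The reply's point is that a setup.py is already arbitrary code run by the installer. As an added illustration (not code from the thread or from any of the tools named), here is a small static audit that parses a setup.py and flags module-level statements other than imports and the setup() call, and a setup() call that registers custom commands through cmdclass. The two sample setup.py sources and the function name are constructed for this example.

```python
import ast

# Constructed sample: module-level code runs the moment the installer executes the file.
SUSPICIOUS_SETUP_PY = '''
import os
import subprocess
from setuptools import setup

subprocess.call(["echo", "post-install hook"])
os.system("echo installed")

setup(name="demo", version="0.1")
'''

# Constructed sample: nothing but imports and a plain setup() call.
CLEAN_SETUP_PY = '''
from setuptools import setup

setup(name="demo", version="0.1")
'''


def _is_setup_call(node):
    """True for a bare `setup(...)` or `setuptools.setup(...)` expression statement."""
    if not (isinstance(node, ast.Expr) and isinstance(node.value, ast.Call)):
        return False
    func = node.value.func
    return (isinstance(func, ast.Name) and func.id == "setup") or \
           (isinstance(func, ast.Attribute) and func.attr == "setup")


def audit_setup_py(source):
    """Return (lineno, description) pairs for code that executes at install time.

    Flags every module-level statement that is neither an import nor the setup()
    call, plus a setup() call that passes cmdclass, since custom command classes
    run arbitrary Python under whatever privileges the installer has.
    """
    findings = []
    for node in ast.parse(source).body:
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            continue
        if _is_setup_call(node):
            if any(kw.arg == "cmdclass" for kw in node.value.keywords):
                findings.append((node.lineno, "setup() registers custom commands via cmdclass"))
            continue
        findings.append((node.lineno, ast.get_source_segment(source, node)))
    return findings
```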