On Apr 21, 2008, at 3:42 PM, Phillip J. Eby wrote:
At 03:24 PM 4/21/2008 -0400, Pete wrote:
On both Linux & OS X, Setuptools installs all .py/.pyc files with mode a+x (executable for all users). This occurs regardless of the original permissions in the source tarball. Doing so breaks nosetests, which by default refuses to import executable files for test-discovery purposes as a safety measure.
This behavior is broken & dangerous.
I don't see how it's either one. An explanation would be helpful.
It's broken in that the source tarball includes per-file permissions and setuptools is blindly overriding them. I realize that's simply restating my original complaint, but seeing as setuptools must be *explicitly* changing the permissions on the installed files, perhaps the onus is on you to explain why that's a good idea in the first place.

In any event, a motivating example: Some non-script modules are intended to be executable - think doctest, or anything else that does a `if __name__ == "__main__":`. As a developer, I purposely set such modules executable (including setting svn:executable) and leave the others as r-w.

And there lies the danger. The executable bit is an indication that a file is intended to be executable. Unix-like systems will treat running a file without a leading #! as a shell script. This can cause arbitrary commands to be executed - for example, this is valid Python:

    rm -f /usr

Perhaps contrived, but should demonstrate the point. As a more realistic example, `import` is an imagelib command that takes over the X cursor (for taking a screenshot IIRC).
Note, by the way, that setuptools is not particularly designed to support running tests against an installed package; I myself have stopped distributing tests in installed packages and require a source installation (e.g. using easy_install --editable) to run tests.
I'm not looking for explicit testing support from setuptools for testing here - I'm just asking that a bug that breaks a 3rd party testing package be fixed.

--
Pete
pfein@pobox.com
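
As an added example (not part of the thread, and not setuptools or nose code), this Python sketch audits an installed tree for the condition discussed above: .py/.pyc files that carry an executable bit but have no #! line. The function names and the sample tree are constructed for illustration.

```python
import os
import stat
import tempfile

EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH

def has_shebang(path):
    """True if the file starts with '#!', i.e. it names its own interpreter."""
    with open(path, "rb") as fh:
        return fh.read(2) == b"#!"

def find_executable_modules(root):
    """List (relative path, mode) of executable .py/.pyc files lacking a shebang."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: do not follow symlinks out of the tree
            if not name.endswith((".py", ".pyc")) or not stat.S_ISREG(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            if mode & EXEC_BITS and not has_shebang(path):
                findings.append((os.path.relpath(path, root), oct(mode)))
    return sorted(findings)

def build_sample_tree():
    """Constructed sample: one module per case discussed in the thread."""
    root = tempfile.mkdtemp(prefix="site-packages-")
    os.mkdir(os.path.join(root, "pkg"))
    samples = {
        "core.py": ("import os\n", 0o755),  # a+x, no shebang: flagged
        "cli.py": ("#!/usr/bin/env python\nprint('hi')\n", 0o755),  # intended script
        "util.py": ("X = 1\n", 0o644),  # plain module, not executable
    }
    for name, (body, mode) in samples.items():
        path = os.path.join(root, "pkg", name)
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, mode)
    return root

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for rel, mode in find_executable_modules(target):
        print(f"{mode} {rel}: executable, no #! line")
```

Run with a site-packages directory as the argument to audit a real installation; with no argument it reports on the constructed sample tree.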