I've been thinking about how to query distutils packages. One thing I'd like to do is download archives from the net and programmatically find meta-data about the archive
$ ./setup.py --name --version --author-email --url
Distutils
0.9.1pre
gward@python.net
http://www.python.org/sigs/distutils-sig/
Clear enough?
Right. However I was looking for something I could do from Python, not the command line. I'd like to import the distribution's setup module and then interrogate it from Python to find out meta-data.
* It seems that I must execute potentially untrusted code to get the meta-data. Is there any way around this? I guess RExec is the answer...
Curses. I knew someone would get paranoid about writing dist-bots at some point. I have no answers to this... however, the above "informational" command shouldn't be doing any filesystem access apart from importing stuff, so it's probably "securable". Obviously, general Distutils usage makes extensive use of the filesystem, so writing general dist-bots securely will probably be tricky. Sigh.
To install a distribution obviously you must trust it. I'm imagining a system that does stuff like crawl the web looking for Python distributions, downloads them and parses them for meta-data. In this case I don't trust the distribution enough to install it, but I do want to find out what it has to say for itself.

Thanks for your help! I'll let you know if I come up with solutions to these problems that I like better.

-Amos
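An added example, not part of the original thread and not Distutils code: one way to read what a setup script "has to say for itself" without executing it is to parse the file with Python's `ast` module and collect the literal keyword arguments of the `setup()` call. This is a different technique from the RExec idea raised above; the function name `static_metadata` and the sample script are constructed for illustration.

```python
import ast

# Constructed sample: a setup.py whose top level would run a command if executed.
SAMPLE_SETUP = '''\
import os
from distutils.core import setup
os.system("echo this would run if the file were executed")
VERSION = "0.9.1pre"
setup(name="Distutils",
      version=VERSION,
      author_email="gward@python.net",
      url="http://www.python.org/sigs/distutils-sig/",
      packages=find_things())
'''

def static_metadata(source):
    """Return (found, unresolved) for the first setup(...) call; source is never run."""
    tree = ast.parse(source)  # parse only: nothing is imported or executed
    consts = {}               # module-level NAME = <literal>, so version=VERSION resolves
    for node in tree.body:
        if (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)):
            try:
                consts[node.targets[0].id] = ast.literal_eval(node.value)
            except (ValueError, TypeError):
                consts.pop(node.targets[0].id, None)  # rebound to a non-literal
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        name = func.id if isinstance(func, ast.Name) else getattr(func, "attr", None)
        if name != "setup":
            continue
        found, unresolved = {}, []
        for kw in node.keywords:
            if kw.arg is None:            # setup(**something): cannot be read statically
                unresolved.append("**")
            elif isinstance(kw.value, ast.Name) and kw.value.id in consts:
                found[kw.arg] = consts[kw.value.id]
            else:
                try:
                    found[kw.arg] = ast.literal_eval(kw.value)
                except (ValueError, TypeError):
                    unresolved.append(kw.arg)  # computed value: report, do not guess
        return found, unresolved
    return {}, []
```

Values that are computed at run time come back in `unresolved` rather than being evaluated, so a crawler can record them as unknown. `ast.parse` raises `SyntaxError` on scripts written for another Python version and can exhaust the stack on deeply nested input, so a crawler should still parse in a resource-limited worker process.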
participants (2)
- Amos Latteier
- Greg Ward