Remote package/module imports through HTTP/S

Hello all!

Today I opened an issue in bugs.python.org (http://bugs.python.org/issue31264) proposing a module I created for remote package/module imports through standard HTTP/S.

The concept is that, if a directory is served through HTTP/S (the way the SimpleHTTPServer module serves directories), a Finder/Loader object can fetch Python files from that directory using HTTP requests, and finally load them as modules (or packages) in the running namespace.

The repo containing a primitive (but working) version of the Finder/Loader also contains self-explanatory examples (in the README.md): https://github.com/operatorequals/httpimport

My proposal is that this module can become a core Python feature, providing a way to load modules even from Github.com repositories, without the need to "git clone - setup.py install" them. Other languages, like golang, provide this functionality from their early days (day one?). Python development can be greatly improved if a "try before pip installing" mechanism gets in place, as it will add a lot to the REPL nature of the testing/experimenting process.

Thank you for your time,
John Torakis, IT Security Researcher

P.S: It is my first time in this mailing list and generally Python contribution. Please be tolerant!

Hi!

On Wed, Aug 23, 2017 at 07:55:00PM +0300, John Torakis <john.torakis@gmail.com> wrote:

The issue is so big IMO it requires a PEP, not just an issue. Anyway I'm -1000 for reasons of security, connectivity (not all hosts are connected), traffic cost and speed.

AFAIK Go downloads modules at compile time, not run time. This is a major distinction with Python.

Oleg.
--
Oleg Broytman http://phdru.name/ phd@phdru.name
Programmers don't die, they just GOSUB without RETURN.

On Thu, Aug 24, 2017 at 2:55 AM, John Torakis <john.torakis@gmail.com> wrote:

As a core feature? No no no no no no no no. Absolutely do NOT WANT THIS. This is a security bug magnet; can you imagine trying to ensure that malicious code is not executed, in an arbitrary execution context?

As an explicitly-enabled feature, it's a lot less hairy than a permanently-active one (can you IMAGINE how terrifying that would be?), but even so, trying to prove that addRemoteRepo (not a PEP8-compliant name, btw) is getting the correct code is not going to be easy. You have to (a) drop HTTP altogether and mandate SSL and (b) be absolutely sure that your certificate chains are 100% dependable, which - as we've seen recently - is a nontrivial task.

The easiest way to add remote code is pip. For most packages, that's what you want to be using: "pip install requests" will make "import requests" functional. I don't see pip mentioned anywhere in your README, but you do mention the testing of pull requests, so at very least, this wants some explanatory screed.

But I'm not entirely sure I want to support this. You're explicitly talking about using this with the creation of backdoors... in what, exactly? What are you actually getting at here?

ChrisA
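To make the mechanism under discussion concrete, here is an added example; it is not code from the httpimport repository nor anything either poster wrote. It is a minimal importlib meta-path Finder/Loader of the kind John describes (fetch `<name>.py` or `<name>/__init__.py` from a served directory and execute it as a module), with two checks that Chris's objection points at: it refuses a non-HTTPS base URL unless the caller explicitly opts in, and it only executes a fetched file whose SHA-256 matches a digest pinned in advance. The pinning goes one step beyond "mandate SSL": a valid certificate chain authenticates the server, not the file, so a compromised or swapped-out repository still serves whatever it likes. The `pins` dictionary, the `allow_plaintext` flag and the loopback `http.server` fixture are assumptions of this example; the served module text is constructed for the demo.

```python
import functools
import hashlib
import http.server
import importlib
import importlib.abc
import importlib.util
import os
import sys
import tempfile
import threading
import urllib.error
import urllib.request
from urllib.parse import urljoin


class RemoteFinder(importlib.abc.MetaPathFinder, importlib.abc.Loader):
    """Fetch `<name>.py` or `<name>/__init__.py` from base_url and load it.

    Assumptions of this example: only names listed in `pins` are ever
    fetched, a fetched file is executed only if its SHA-256 equals the
    pinned digest, and plain http:// is refused unless allow_plaintext=True.
    urlopen() verifies the server certificate for https:// by default.
    """

    def __init__(self, base_url, pins, allow_plaintext=False):
        if not base_url.endswith("/"):
            base_url += "/"
        if not base_url.startswith("https://") and not allow_plaintext:
            raise ValueError("refusing non-HTTPS base URL: " + base_url)
        self.base_url = base_url
        self.pins = dict(pins)        # fullname -> sha256 hexdigest
        self._fetched = {}            # fullname -> (url, bytes) awaiting exec

    @staticmethod
    def _fetch(url):
        try:
            with urllib.request.urlopen(url, timeout=5) as resp:
                return resp.read()
        except (urllib.error.HTTPError, urllib.error.URLError):
            return None               # 404, connection refused, TLS failure, ...

    def find_spec(self, fullname, path=None, target=None):
        if fullname not in self.pins:
            return None               # unpinned names are never fetched
        rel = fullname.replace(".", "/")
        for candidate, is_pkg in ((rel + ".py", False), (rel + "/__init__.py", True)):
            url = urljoin(self.base_url, candidate)
            data = self._fetch(url)
            if data is None:
                continue
            digest = hashlib.sha256(data).hexdigest()
            if digest != self.pins[fullname]:
                raise ImportError(f"{fullname} from {url}: sha256 {digest} "
                                  f"does not match pin {self.pins[fullname]}")
            self._fetched[fullname] = (url, data)
            return importlib.util.spec_from_loader(fullname, self, origin=url,
                                                   is_package=is_pkg)
        return None

    def create_module(self, spec):
        return None                   # use the default module object

    def exec_module(self, module):
        url, data = self._fetched.pop(module.__name__)
        exec(compile(data, url, "exec"), module.__dict__)


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    def log_message(self, format, *args):   # keep the demo output clean
        pass


def serve_directory(directory):
    """Constructed fixture: serve `directory` over plain HTTP on loopback."""
    handler = functools.partial(_QuietHandler, directory=directory)
    httpd = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    return httpd, f"http://127.0.0.1:{httpd.server_address[1]}/"


GOOD_SOURCE = b"def answer():\n    return 42\n"            # constructed module
TAMPERED_SOURCE = b"def answer():\n    return 'swapped'\n"  # what a MITM might serve


def import_remote(finder, name):
    """Import `name` through `finder` alone; return the module or the ImportError."""
    sys.modules.pop(name, None)
    sys.meta_path.insert(0, finder)
    try:
        return importlib.import_module(name)
    except ImportError as exc:
        return exc
    finally:
        sys.meta_path.remove(finder)
        sys.modules.pop(name, None)


def demo():
    """Returns (answer() from the pinned module, whether the tampered copy was rejected)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "remote_mod.py")
        with open(path, "wb") as f:
            f.write(GOOD_SOURCE)
        httpd, base_url = serve_directory(tmp)
        try:
            pins = {"remote_mod": hashlib.sha256(GOOD_SOURCE).hexdigest()}
            finder = RemoteFinder(base_url, pins, allow_plaintext=True)  # loopback only
            good = import_remote(finder, "remote_mod").answer()
            with open(path, "wb") as f:     # the server now hands out different code
                f.write(TAMPERED_SOURCE)
            tampered = import_remote(finder, "remote_mod")
        finally:
            httpd.shutdown()
            httpd.server_close()
    return good, isinstance(tampered, ImportError)


if __name__ == "__main__":
    print(demo())
```

Running `demo()` imports the pinned module successfully, then has the same URL serve different bytes and shows the second import failing with a digest mismatch instead of executing the replacement. Note what the pin does not buy: it only helps if the digest was obtained out of band from a trusted source, and it is a per-file check, so updating the remote module means updating the pin, which is the same bookkeeping pip's hash-checking mode asks of you.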

participants (3)
- Chris Angelico
- John Torakis
- Oleg Broytman