[Catalog-sig] UI for managing catalog
Thu, 16 Nov 2000 11:26:43 -0800
Andrew Kuchling wrote:
> On Thu, Nov 16, 2000 at 10:36:32AM -0800, Amos Latteier wrote:
> >I think so. In fact I already have rough code to do exactly this. It
> >downloads a distutils package, extracts the setup.py and parses it.
> And the hard part of this is processing the setup.py safely, not the
> downloading, which is just a matter of using urllib.urlopen().
Yes, it's the same old code. It is not safe. I had problems getting
Rexec to work here, and punted on it.
This is a problem, regardless of whether the catalog fetches the
distribution, or someone uploads it. In either case the catalog must run
potentially untrusted code to extract meta-data.
Amos Latteier mailto:firstname.lastname@example.org
Digital Creations http://www.digicool.com
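
An added example, not part of the original message or of the catalog code it mentions: one way to pull metadata out of a setup.py without running it is to parse the file with the ast module of current Python 3 and accept only keyword arguments that are plain literals. This is a different technique from the Rexec sandbox discussed above; the sample setup.py, the size cap and the function names are constructed for illustration.

```python
import ast

MAX_SOURCE_BYTES = 256 * 1024  # assumed cap; very large inputs can exhaust the parser

# Constructed sample: literal metadata mixed with code that must never run.
SAMPLE_SETUP_PY = '''
import os
from distutils.core import setup
os.system("echo this runs only if setup.py is executed")
setup(
    name="example-pkg",
    version="1.0",
    author="A. Hacker",
    py_modules=["example"],
    description=open("README").read(),
)
'''

def _is_setup_call(node):
    """True for setup(...) or <anything>.setup(...)."""
    if not isinstance(node, ast.Call):
        return False
    func = node.func
    return (isinstance(func, ast.Name) and func.id == "setup") or (
        isinstance(func, ast.Attribute) and func.attr == "setup")

def extract_metadata(source):
    """Return (metadata, skipped) for the first setup() call found.

    The source is parsed, never executed. Keyword values that are not plain
    literals are reported in `skipped` rather than evaluated.
    """
    if len(source.encode("utf-8")) > MAX_SOURCE_BYTES:
        raise ValueError("setup.py too large")
    tree = ast.parse(source)  # raises SyntaxError on unparsable input
    for node in ast.walk(tree):
        if not _is_setup_call(node):
            continue
        metadata, skipped = {}, []
        for kw in node.keywords:
            if kw.arg is None:  # setup(**opts): not resolvable statically
                skipped.append("**")
                continue
            try:
                metadata[kw.arg] = ast.literal_eval(kw.value)
            except (ValueError, TypeError):
                skipped.append(kw.arg)
        return metadata, skipped
    raise ValueError("no setup() call found")
```

Fields that a package computes at run time land in `skipped`, so a catalog using this approach has to decide whether to reject such packages or hand them to an isolated process.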