[Catalog-sig] UI for managing catalog

Amos Latteier amos@digicool.com
Thu, 16 Nov 2000 11:26:43 -0800

Andrew Kuchling wrote:
> On Thu, Nov 16, 2000 at 10:36:32AM -0800, Amos Latteier wrote:
> >I think so. In fact I already have rough code to do exactly this. It
> >downloads a distutils package, extracts the setup.py and parses it.
> And the hard part of this is processing the setup.py safely, not the
> downloading, which is just a matter of using urllib.urlopen().

Yes, it's the same old code. It is not safe. I had problems getting
Rexec to work here, and punted on it.

This is a problem, regardless of whether the catalog fetches the
distribution, or someone uploads it. In either case the catalog must run
potentially untrusted code to extract meta-data.


Amos Latteier         mailto:amos@digicool.com
Digital Creations     http://www.digicool.com
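
The following is an added example, not part of the original message or of the code it refers to. It shows one way to read metadata from a setup.py without running it: the file is parsed with Python's ast module, and only keyword arguments to setup() that are plain literals are returned. The function name and the sample setup.py are constructed for illustration; arguments that would need evaluation are reported as unresolved rather than executed.

```python
import ast

# Constructed sample input: a setup.py whose metadata is mostly literal,
# plus a module-level statement that would run if the file were executed.
SAMPLE_SETUP_PY = '''
import os
from distutils.core import setup

os.system("echo this would run if setup.py were executed")

setup(
    name="example-dist",
    version="0.1",
    py_modules=["example"],
    description=open("README").read(),
)
'''


def extract_setup_metadata(source):
    """Return (metadata, unresolved) for the first setup(...) call in source.
    The source is only parsed, never compiled or executed. Keyword arguments
    that are not plain literals are listed in unresolved instead of evaluated.
    """
    tree = ast.parse(source)
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        # Accept both setup(...) and module.setup(...).
        called = getattr(func, "id", None) or getattr(func, "attr", None)
        if called != "setup":
            continue
        metadata, unresolved = {}, []
        for kw in node.keywords:
            if kw.arg is None:  # **kwargs: contents unknown statically
                unresolved.append("**")
                continue
            try:
                metadata[kw.arg] = ast.literal_eval(kw.value)
            except (ValueError, TypeError):
                unresolved.append(kw.arg)
        return metadata, unresolved
    raise ValueError("no setup() call found")


if __name__ == "__main__":
    print(extract_setup_metadata(SAMPLE_SETUP_PY))
```

A setup.py that computes its arguments at run time yields little or nothing this way, so the unresolved list tells the catalog which fields it could not obtain statically.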