[Catalog-sig] UI for managing catalog
Amos Latteier
amos@digicool.com
Thu, 16 Nov 2000 11:26:43 -0800
Andrew Kuchling wrote:
>
> On Thu, Nov 16, 2000 at 10:36:32AM -0800, Amos Latteier wrote:
> >I think so. In fact I already have rough code to do exactly this. It
> >downloads a distutils package, extracts the setup.py and parses it.
>
> And the hard part of this is processing the setup.py safely, not the
> downloading, which is just a matter of using urllib.urlopen().
Yes, it's the same old code. It is not safe. I had problems getting
Rexec work here, and punted on it.
This is a problem, regardless of whether the catalog fetches the
distribution, or someone uploads it. In either case the catalog must run
potentially untrusted code to extract meta-data.
-Amos
--
Amos Latteier mailto:amos@digicool.com
Digital Creations http://www.digicool.com