[Catalog-sig] UI for managing catalog
Fri, 17 Nov 2000 15:29:49 -0500
On Thu, 16 Nov 2000 20:56:55 +0100
"Martin v. Loewis" <email@example.com>
> > Yes, it's the same old code. It is not safe. I had problems getting
> > Rexec to work here, and punted on it.
> Can you elaborate on the problems, please? Is there something that
> intrinsically can't work, or did you just not get through with it?
The problem is that you need to run python code (setup.py)
meta-data from a distutils distribution. This is part of the
design, and this has been discussed on the distutils list.
In the case of the catalog, you may not trust the code that has either
uploaded, or that the catalog has fetched from a URL. My
that you could use rexec to execute untrusted setup.py
I don't know much about rexec and was never able to get it
right with sample setup.py files. No doubt someone else
If it turns out that for some reason rexec can't provide a
this problem, I see some alternatives. We could find some way
the setup.py file, so a restricted execution environment
necessary. Or we could require that meta-data come from
(such as manually filling out a web form). Or we could
distutils to write meta-data to a text file in a simple
format when it builds a distribution.
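
The alternatives listed in the message above avoid executing untrusted setup.py code on the catalog host. As an added illustration (not part of the original message and not distutils code), the code below reads the literal keyword arguments of a setup() call by parsing only, using Python's standard ast module; the function name extract_metadata and the sample setup.py are constructed for this example.

```python
import ast

# Constructed sample: a setup.py whose top level also contains code that
# must never run on the catalog host.
SAMPLE_SETUP = '''
import os
from distutils.core import setup

os.system("echo this must never run on the catalog host")

setup(
    name="example-dist",
    version="1.0",
    description="Constructed sample package",
    author=os.environ.get("USER"),   # computed value, not a literal
    py_modules=["example"],
)
'''

def extract_metadata(source):
    """Return (metadata, unresolved) for the setup() call in `source`.

    The source is parsed, never compiled or executed. Literal keyword
    arguments go into `metadata`; arguments that would need evaluation
    are listed by name in `unresolved`.
    """
    tree = ast.parse(source)
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        # Match both setup(...) and distutils.core.setup(...)
        name = func.id if isinstance(func, ast.Name) else getattr(func, "attr", None)
        if name != "setup":
            continue
        metadata, unresolved = {}, []
        for kw in node.keywords:
            if kw.arg is None:          # setup(**something): cannot resolve
                unresolved.append("**")
                continue
            try:
                metadata[kw.arg] = ast.literal_eval(kw.value)
            except (ValueError, TypeError):
                unresolved.append(kw.arg)
        return metadata, unresolved
    raise ValueError("no setup() call found")

if __name__ == "__main__":
    print(extract_metadata(SAMPLE_SETUP))
```

Fields reported as unresolved would have to come from another source, such as the web form or the distutils-written text file mentioned in the message.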