[Distutils] RE: FW: Extracting meta-data from distributions

Amos Latteier Amos@digicool.com
Sat, 5 Aug 2000 15:36:32 -0400


> > I've been thinking about how to query distutils packages. One thing I'd
> > like to do is download archives from the net and programmatically find
> > meta-data about the archive

>   $ ./setup.py --name --version --author-email --url
>   Distutils
>   0.9.1pre
>   gward@python.net
>   http://www.python.org/sigs/distutils-sig/
> 
> Clear enough?

Right. However I was looking for something I could do from Python, not
the command line. I'd like to import the distribution's setup module and
then interrogate it from Python to find out meta-data.
 
> >   * It seems that I must execute potentially untrusted code to get the
> > meta-data. Is there any way around this? I guess RExec is the answer...
> 
> Curses.  I knew someone would get paranoid about writing dist-bots at
> some point.  I have no answers to this... however, the above
> "informational" command shouldn't be doing any filesystem access apart
> from importing stuff, so it's probably "securable".  Obviously, general
> Distutils usage makes extensive use of the filesystem, so writing
> general dist-bots securely will probably be tricky.  Sigh.

To install a distribution obviously you must trust it. I'm imagining a
system that does stuff like crawl the web looking for Python
distributions, downloads them and parses them for meta-data. In this
case I don't trust the distribution enough to install it, but I do want
to find out what it has to say for itself.

Thanks for your help! I'll let you know if I come up with solutions to
these problems that I like better.

-Amos
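
The problem raised in this message, reading a distribution's meta-data without running its setup script, can be approached by parsing the script instead of importing it. The following is an added example, not part of the original message and not Distutils code: it uses Python's standard `ast` module to collect only the literal keyword arguments of the `setup()` call. The names `extract_setup_metadata`, `UNRESOLVED` and the sample script are constructed for illustration.

```python
import ast

# Constructed sample script; its side effects must never run.
SAMPLE_SETUP = '''
import os
from distutils.core import setup
os.system("echo this must never run")
version = open("VERSION").read()
setup(name="Distutils", version="0.9.1pre",
      author_email="gward@python.net",
      url="http://www.python.org/sigs/distutils-sig/",
      description=version,
      packages=["distutils", "distutils.command"])
'''

UNRESOLVED = object()  # value that could only be known by running the script


def _is_setup_call(node):
    """True for setup(...) or <module>.setup(...) call nodes."""
    if not isinstance(node, ast.Call):
        return False
    func = node.func
    if isinstance(func, ast.Name):
        return func.id == "setup"
    return isinstance(func, ast.Attribute) and func.attr == "setup"


def extract_setup_metadata(source):
    """Return literal keyword arguments of the first setup() call, or None.

    The source is parsed only, never compiled or executed, so nothing in
    the script runs.
    """
    tree = ast.parse(source)
    for node in ast.walk(tree):
        if not _is_setup_call(node):
            continue
        meta = {}
        for kw in node.keywords:
            if kw.arg is None:  # **kwargs expansion is not static
                continue
            try:
                meta[kw.arg] = ast.literal_eval(kw.value)
            except (ValueError, TypeError):  # name, call, expression
                meta[kw.arg] = UNRESOLVED
        return meta
    return None
```

Fields computed at run time come back as `UNRESOLVED` rather than being evaluated. Parsing untrusted input can still exhaust memory or recursion depth on very large or deeply nested files, so a crawler should run it under resource limits.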