[Distutils] RE: FW: Extracting meta-data from distributions
Sat, 5 Aug 2000 15:36:32 -0400
> > I've been thinking about how to query distutils packages.
> One thing I'd
> > like to do is download archives from the net and
> programmatically find
> > meta-data about the archive
> $ ./setup.py --name --version --author-email --url
> Clear enough?
Right. However I was looking for something I could do from Python, not
the command line. I'd like to import the distribution's setup module and
then interrogate it from Python to find out meta-data.
> > * It seems that I must execute potentially untrusted code
> to get the
> > meta-data. Is there anyway around this? I guess RExec is
> the answer...
> Curses. I knew someone would get paranoid about writing dist-bots at
> some point. I have no answers to this... however, the above
> "informational" command shouldn't be doing any filesystem access apart
> from importing stuff, so it's probably "securable".
> Obviously, general
> Distutils usage makes extensive use of the filesystem, so writing
> general dist-bots securely will probably be tricky. Sigh.
To install a distribution obviously you must trust it. I'm imaging a
system that does stuff like crawl the web looking for Python
distributions, downloads them and parses them for meta-data. In this
case I don't trust the distribution enough to install it, but I do want
to find out what it has to say for itself.
Thanks for you help! I'll let you know if I come up with solutions to
these problems that I like better.