[Distutils] Setuptools Bug: all files installed +x
pfein at pobox.com
Mon Apr 21 22:23:09 CEST 2008
On Apr 21, 2008, at 3:42 PM, Phillip J. Eby wrote:
> At 03:24 PM 4/21/2008 -0400, Pete wrote:
>> On both linux & OS X, Setuptools installs all .py/.pyc files with
>> a+x (executable for all users). This occurs regardless of the original
>> permissions in the source tarball. Doing so breaks nosetests,
>> which by default refuses to import executable files for test
>> purposes as a safety measure.
>> This behavior is broken & dangerous.
> I don't see how it's either one. An explanation would be helpful.
It's broken in that the source tarball includes per-file permissions
and setuptools is blindly overriding them. I realize that's simply
restating my original complaint, but seeing as setuptools must be
*explicitly* changing the permissions on the installed files, perhaps
the onus is on you to explain why that's a good idea in the first place.
In any event, a motivating example:
Some non-script modules are intended to be executable - think doctest,
or anything else that does a `if __name__ == '__main__':`. As a
developer, I purposely set such modules executable (including setting
svn:executable) and leave the others as r-w.
And there lies the danger. The executable bit is an indication that a
file is intended to be executable. Unix-like systems will treat
running a file without a leading #! as a shell script. This can cause
arbitrary commands to be executed - for example, this is valid python:
rm -f /usr
Perhaps contrived, but should demonstrate the point. As a more
realistic example, `import` is an imagelib command that takes over the
X cursor (for taking a screenshot IIRC).
> Note, by the way, that setuptools is not particularly designed to
> support running tests against an installed package; I myself have
> stopped distributing tests in installed packages and require a
> source installation (e.g. using easy_install --editable) to run tests.
I'm not looking for explicit testing support from setuptools for
testing here - I'm just asking that a bug that breaks a 3rd party
testing package be fixed.
pfein at pobox.com
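An audit of the condition this thread describes, as an added example that is not part of the original post or of setuptools: it lists .py/.pyc files under an install directory that carry any executable bit yet have no `#!` line, and clears those bits. The package tree it builds is constructed for the demo.

```python
import os
import stat
import tempfile
from pathlib import Path

# Any of owner/group/other execute bits.
EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def has_shebang(path: Path) -> bool:
    """True if the file opens with '#!', i.e. it names its own interpreter."""
    with open(path, "rb") as fh:
        return fh.read(2) == b"#!"


def find_suspicious_executables(root: Path):
    """Return .py/.pyc files under root that are executable but have no shebang.
    Run as a plain executable, such a file would be handed to the shell."""
    hits = []
    for path in sorted(root.rglob("*")):
        if path.suffix not in (".py", ".pyc") or not path.is_file():
            continue
        if path.stat().st_mode & EXEC_BITS and not has_shebang(path):
            hits.append(path)
    return hits


def strip_exec_bits(paths):
    """Clear every execute bit on the given files; return how many were changed."""
    for path in paths:
        os.chmod(path, path.stat().st_mode & ~EXEC_BITS)
    return len(paths)


def build_sample_install(root: Path) -> Path:
    """Constructed tree mimicking an install where every file received a+x."""
    pkg = root / "pkg"
    pkg.mkdir()
    (pkg / "__init__.py").write_text("")
    (pkg / "helper.py").write_text("rm -f /usr\n")  # the thread's example line
    (pkg / "cli.py").write_text("#!/usr/bin/env python\nprint('hi')\n")
    (pkg / "notes.txt").write_text("not a module\n")
    for item in pkg.iterdir():
        os.chmod(item, 0o755)
    return pkg


def demo():
    """Audit the sample tree, fix it, and re-audit; returns the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        pkg = build_sample_install(Path(tmp))
        hits = find_suspicious_executables(pkg)
        names = [p.name for p in hits]
        fixed = strip_exec_bits(hits)
        return names, fixed, len(find_suspicious_executables(pkg))
```

Only `cli.py`, which declares an interpreter, keeps its execute bit; the two shebang-less modules are reported and corrected.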