[Distutils] Setuptools Bug: all files installed +x

Pete pfein at pobox.com
Mon Apr 21 22:23:09 CEST 2008

On Apr 21, 2008, at 3:42 PM, Phillip J. Eby wrote:

> At 03:24 PM 4/21/2008 -0400, Pete wrote:
>> On both linux & OS X, Setuptools installs all .py/.pyc files with  
>> mode
>> a+x (executable for all users).  This occurs regardless of original
>> the permissions in the source tarball.  Doing so breaks nosetests,
>> which by default refuses to import executable files for test- 
>> discovery
>> purposes as a safety measure.
>> This behavior is broken & dangerous.
> I don't see how it's either one.  An explanation would be helpful.

It's broken in that the source tarball includes per-file permissions  
and setuptools is blindly overriding them. I realize that's simply  
restating my original complaint, but seeing as setuptools must be  
*explicitly* changing the permissions on the installed files, perhaps  
the onus is on you to explain why that's a good idea in the first place.

In any event, a motivating example:

Some non-script modules are intended to be executable - think doctest,  
or anything else that does a `if __name__ == __main__:`.  As a  
developer, I purposely set such modules executable (including setting  
svn:executable) and leave the others as r-w.

And there lies the danger.  The executable bit is an indication that a  
file is intended to be executable.  Unix-like systems will treat  
running a file without a leading #! as a shell script.  This can cause  
arbitrary commands to be executed - for example, this is valid python:

rm -f /usr

Perhaps contrived, but should demonstrate the point.  As a more  
realistic example, `import` is an imagelib command that takes over the  
X cursor (for taking a screenshot IIRC).

> Note, by the way, that setuptools is not particularly designed to  
> support running tests against an installed package; I myself have  
> stopped distributing tests in installed packages and require a  
> source installation (e.g. using easy_install --editable) to run tests.

I'm not looking for explicit testing support from setuptools for  
testing here - I'm just asking that a bug that breaks a 3rd party  
testing package be fixed.

pfein at pobox.com

More information about the Distutils-SIG mailing list