[Distutils] Autobuild packages using snakebite

David Cournapeau david at ar.media.kyoto-u.ac.jp
Fri Jun 19 07:17:34 CEST 2009


Stefan Behnel wrote:
> Leonardo Santagada wrote:
>   
>> The biggest problem I see is security, but if people are really
>> interested in this we could at least try it no?
>>     
>
> Security certainly is a major issue here. Anyone can upload packages to
> PyPI, so you can run arbitrary code on tons of machines, just by pushing
> some well-forged setup.py script there.
>   

Since it would be inside a VM, the major risk would be running some kind
of malicious server inside the setup script - but it should be
relatively easy to make sure the VM prevents that from happening?

It is a major issue, but I would guess it has been solved by the build
service system (which is really great BTW, I think it is a very
significant advancement and an underrated project for open source
software deployment).

cheers,

David

