[Distutils] Removal of wheels deleting more than the data files

Sylvain Corlay sylvain.corlay at gmail.com
Mon Jun 20 12:56:06 EDT 2016


FYI, this could probably be a security issue with wheel: a wheel package
that has an empty list of data files in any important subdirectory of
sys.prefix can delete all the content of that directory upon uninstall or
update.

Thanks,

Sylvain

On Wed, Jun 15, 2016 at 11:30 AM, Sylvain Corlay <sylvain.corlay at gmail.com>
wrote:

> I discovered a quite serious bug in wheels (
> http://bugs.python.org/issue27317)
>
> When specifying an empty list for the list of data_files in a given
> directory, the entire directory is being deleted on uninstall of the wheel,
> even if it contained other resources from other packages.
>
> Example:
>
> from setuptools import setup
> setup(name='remover', data_files=[('share/plugins', [])])
>
>
> The expected behavior is that only the specified list of files is removed
> (which is empty in that case).
>
> When the list is not empty, the behavior is the one expected. For example,
>
> from setuptools import setup
> setup(name='remover', data_files=[('share/plugins', ['foobar.json'])])
>
>
> will only remove `foobar.json` on uninstall and the `plugins` directory
> will not be removed if it is not empty.
>
> Thanks,
>
> Sylvain
>
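
The expected uninstall behaviour described in the quoted message, as an added example that is not part of the original thread and is not pip's or wheel's code. The names `uninstall_data_files` and `demo` are hypothetical, and pruning a directory only when this uninstall removed files from it and it is now empty is an assumption.

```python
import os
import tempfile


def uninstall_data_files(prefix, data_files):
    """Remove only the files listed in data_files; return the paths removed.

    data_files has the setup() shape from the message: [(directory, [files])].
    """
    removed = []
    for directory, files in data_files:
        target = os.path.join(prefix, directory)
        for name in files:
            # Data files are installed under their base name in the directory.
            path = os.path.join(target, os.path.basename(name))
            if os.path.isfile(path):
                os.remove(path)
                removed.append(path)
        # Assumption: an entry with an empty file list never touches the
        # directory. Otherwise prune it only when nothing is left in it;
        # os.rmdir cannot delete a non-empty directory, and no recursive
        # delete is ever used.
        if files and os.path.isdir(target) and not os.listdir(target):
            os.rmdir(target)
    return removed


def demo():
    """Constructed scenario: another package already owns a file in share/plugins."""
    with tempfile.TemporaryDirectory() as prefix:
        plugins = os.path.join(prefix, "share", "plugins")
        os.makedirs(plugins)
        for name in ("other_package.json", "foobar.json"):
            with open(os.path.join(plugins, name), "w") as fh:
                fh.write("{}")
        # Case 1 from the message: empty list, so nothing may be deleted.
        uninstall_data_files(prefix, [("share/plugins", [])])
        after_empty = sorted(os.listdir(plugins))
        # Case 2: only foobar.json goes; the directory stays, it is not empty.
        uninstall_data_files(prefix, [("share/plugins", ["foobar.json"])])
        after_named = sorted(os.listdir(plugins))
        return after_empty, after_named


if __name__ == "__main__":
    print(demo())
```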