[IPython-dev] %install_ext security and reproducibility

Wes Turner wes.turner at gmail.com
Mon Apr 28 03:36:47 EDT 2014

Github Issue: https://github.com/ipython/ipython/issues/5742

Copied here:

This feature is a security / reproducibility risk:


* https://pypi.python.org/pypi/backports.ssl_match_hostname
* `CWE-494: Download of Code Without Integrity Check`
* `CWE-250: Execution with Unnecessary Privileges`
* https://twitter.com/westurner/status/460229226650554370


* IPython will present an error message if script calls a magic command
that is not installed.
* Extensions can modify core functionality.
* One could grep for `%load_extension`, but that only gives the filenames

**One Solution**

Python packaging is designed to address this type of problem, with
checksums and dependency satisfaction.

Code installation that does not rely upon community-reviewed packaging
infrastructure is a risk.

This was rejected because it relies on setuptools:


Github Issue: https://github.com/ipython/ipython/issues/5742

Wes Turner
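The integrity check the post asks for (CWE-494), as an added example that is not code from the original post or from IPython: a pinned-digest install routine standing in for the fetch-and-write step `%install_ext` performs. `install_extension_checked`, `IntegrityError`, and the sample extension bytes are constructed here for illustration.

```python
# Added example (not from the original post or IPython): an integrity-checked
# variant of the "fetch a script and drop it into the extensions directory"
# flow, addressing CWE-494 by requiring a digest pinned out-of-band before
# anything is written. All names here are hypothetical.
import hashlib
import hmac
from pathlib import Path
import tempfile

class IntegrityError(Exception):
    """Raised when extension bytes do not match the pinned digest."""

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def install_extension_checked(name: str, data: bytes, expected_sha256: str,
                              ext_dir: Path) -> Path:
    """Write `data` as `<ext_dir>/<name>.py` only if its SHA-256 matches.

    `expected_sha256` comes from the user (release notes, a lock file), never
    from the same download that supplies the code.
    """
    # Reject names that could escape the extensions directory.
    if "/" in name or "\\" in name or name.startswith("."):
        raise ValueError(f"refusing suspicious extension name {name!r}")
    actual = sha256_hex(data)
    # Constant-time comparison; mismatch means nothing is written.
    if not hmac.compare_digest(actual, expected_sha256.lower()):
        raise IntegrityError(
            f"{name}: sha256 {actual} != pinned {expected_sha256}; not installed")
    target = ext_dir / f"{name}.py"
    target.write_bytes(data)
    return target

# Constructed sample: the bytes we expect, and a modified copy of them.
GOOD_SRC = b"def load_ipython_extension(ip):\n    print('hello')\n"
GOOD_SHA256 = sha256_hex(GOOD_SRC)
TAMPERED_SRC = GOOD_SRC + b"print('tampered')\n"

def demo():
    """Return (good_installed, tampered_rejected) using a temp extensions dir."""
    with tempfile.TemporaryDirectory() as d:
        ext_dir = Path(d)
        good = install_extension_checked("hello", GOOD_SRC, GOOD_SHA256, ext_dir).exists()
        try:
            install_extension_checked("hello", TAMPERED_SRC, GOOD_SHA256, ext_dir)
            rejected = False
        except IntegrityError:
            rejected = True
        return good, rejected

if __name__ == "__main__":
    print(demo())  # (True, True)
```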