[IPython-dev] %install_ext security and reproducibility
Wes Turner
wes.turner at gmail.com
Mon Apr 28 03:36:47 EDT 2014
Github Issue: https://github.com/ipython/ipython/issues/5742
Copied here:
This feature is a security / reproducibility risk:
**Security**
* https://pypi.python.org/pypi/backports.ssl_match_hostname
* `CWE-494: Download of Code Without Integrity Check`: https://cwe.mitre.org/top25/#CWE-494
* `CWE-250: Execution with Unnecessary Privileges`: https://cwe.mitre.org/top25/#CWE-250
* https://twitter.com/westurner/status/460229226650554370
**Reproducibility**
* IPython will present an error message if a script calls a magic command that is not installed.
* Extensions can modify core functionality.
* One could grep for `%load_extension`, but that only gives the filenames.
**One Solution**
Python packaging is designed to address this type of problem, with checksums and dependency satisfaction.
Code installation that does not rely upon community-reviewed packaging
infrastructure is a risk.
This was rejected because it relies on setuptools:
https://github.com/ipython/ipython/pull/4673
...
Github Issue: https://github.com/ipython/ipython/issues/5742
--
Wes Turner
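To make the CWE-494 point concrete, here is an added example (not code from the post or from IPython) contrasting the shape of an unverified install with one gated on a pinned SHA-256 digest. The extension body, the digest and the file names are constructed; the "download" is simulated with in-memory bytes so it runs offline.

```python
"""Checksum-gated extension install versus the unverified pattern (constructed example)."""
import hashlib
import hmac
import tempfile
from pathlib import Path

# Constructed stand-in for the bytes a fetch would return. In an unverified
# flow there is nothing to compare them against before they are written and run.
EXTENSION_SOURCE = b"def load_ipython_extension(ip):\n    pass\n"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the fetched bytes; the value to pin out-of-band (e.g. a lockfile)."""
    return hashlib.sha256(data).hexdigest()


def install_unverified(dest_dir: str, name: str, fetched: bytes) -> Path:
    """CWE-494 shape: whatever came back over the wire is written and trusted."""
    path = Path(dest_dir) / f"{name}.py"
    path.write_bytes(fetched)
    return path


def install_verified(dest_dir: str, name: str, fetched: bytes, expected_sha256: str) -> Path:
    """Refuse to write anything unless the fetched bytes match the pinned digest."""
    actual = sha256_hex(fetched)
    # Constant-time compare avoids leaking how many leading digits matched.
    if not hmac.compare_digest(actual, expected_sha256):
        raise ValueError(f"{name}: digest mismatch (expected {expected_sha256}, got {actual})")
    path = Path(dest_dir) / f"{name}.py"
    path.write_bytes(fetched)
    return path


def demo() -> dict:
    """Run both flows against genuine and altered bytes; returns what each one did."""
    pinned = sha256_hex(EXTENSION_SOURCE)          # recorded when the extension was reviewed
    altered = EXTENSION_SOURCE + b"# one extra line\n"  # constructed: content changed in transit
    with tempfile.TemporaryDirectory() as d:
        unverified = install_unverified(d, "ext", altered).exists()
        verified_ok = install_verified(d, "ext_ok", EXTENSION_SOURCE, pinned).exists()
        try:
            install_verified(d, "ext_bad", altered, pinned)
            rejected = False
        except ValueError:
            rejected = True
    return {"unverified_installed_altered": unverified,
            "verified_installed_genuine": verified_ok,
            "verified_rejected_altered": rejected}
```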