<div dir="ltr"><div>Github Issue: <a href="https://github.com/ipython/ipython/issues/5742">https://github.com/ipython/ipython/issues/5742</a><br></div><div><br></div><div>Copied here:</div><div><br></div><div><div>This feature is a security / reproducibility risk:</div>
<div><br></div><div>**Security**</div><div><br></div><div>* <a href="https://pypi.python.org/pypi/backports.ssl_match_hostname">https://pypi.python.org/pypi/backports.ssl_match_hostname</a></div><div>* `CWE-494: Download of Code Without Integrity Check`: <a href="https://cwe.mitre.org/top25/#CWE-494">https://cwe.mitre.org/top25/#CWE-494</a></div>
<div>* `CWE-250: Execution with Unnecessary Privileges` <a href="https://cwe.mitre.org/top25/#CWE-250">https://cwe.mitre.org/top25/#CWE-250</a></div><div>* <a href="https://twitter.com/westurner/status/460229226650554370">https://twitter.com/westurner/status/460229226650554370</a></div>
<div><br></div><div>**Reproducibility**</div><div><br></div><div>* IPython will present an error message if a script calls a magic command that is not installed.</div><div>* Extensions can modify core functionality.</div><div>
* One could grep for `%load_extension`, but that only gives the filenames</div><div><br></div><div><br></div><div>**One Solution**</div><div><br></div><div>Python packaging is designed to address this type of problem, with checksums and dependency satisfaction.</div>
<div><br></div><div>Code installation that does not rely upon community-reviewed packaging infrastructure is a risk.</div><div><br></div><div>This was rejected because it relies on setuptools: <a href="https://github.com/ipython/ipython/pull/4673">https://github.com/ipython/ipython/pull/4673</a></div>
</div><div><br></div><div>...</div><div><br></div><div>Github Issue: <a href="https://github.com/ipython/ipython/issues/5742">https://github.com/ipython/ipython/issues/5742</a><br></div><br clear="all"><div>-- <br>Wes Turner</div>

</div>
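An added example (not code from the issue, the email, or the IPython project) of the checksum check the post argues for: extension names are pulled from `%load_ext` lines, as grep would find them, and each file is compared against a pinned sha256 manifest before the script is run. The extension directory, manifest and file names are constructed for the demo.

```python
# Added example: verify IPython extensions named in a script against pinned
# sha256 digests. Paths and extension names below are constructed for the demo.
import hashlib
import os
import re
import tempfile

LOAD_EXT_RE = re.compile(r"^\s*%load_ext\s+([\w.]+)", re.MULTILINE)


def extensions_in(script: str) -> list:
    """Names passed to %load_ext, in order (this is all grep would give you)."""
    return LOAD_EXT_RE.findall(script)


def sha256_of(path: str) -> str:
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def verify_extensions(script: str, ext_dir: str, manifest: dict) -> dict:
    """Return {extension: status}; status is 'ok', 'unpinned', 'missing' or
    'mismatch'. Anything other than 'ok' should block running the script."""
    report = {}
    for name in extensions_in(script):
        path = os.path.join(ext_dir, name + ".py")  # assumed one-file extension layout
        if name not in manifest:
            report[name] = "unpinned"
        elif not os.path.exists(path):
            report[name] = "missing"
        elif sha256_of(path) != manifest[name]:
            report[name] = "mismatch"
        else:
            report[name] = "ok"
    return report


def demo() -> dict:
    """Constructed scenario: one pinned good extension, one modified after
    pinning, one never pinned at all."""
    d = tempfile.mkdtemp()
    reviewed = "def load_ipython_extension(ip):\n    pass\n"
    with open(os.path.join(d, "good_ext.py"), "w") as f:
        f.write(reviewed)
    with open(os.path.join(d, "changed_ext.py"), "w") as f:
        f.write(reviewed + "import os  # change made after review\n")
    pinned = hashlib.sha256(reviewed.encode()).hexdigest()
    manifest = {"good_ext": pinned, "changed_ext": pinned}
    script = "%load_ext good_ext\n%load_ext changed_ext\n%load_ext unknown_ext\n"
    return verify_extensions(script, d, manifest)
```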