[Python-Dev] PEP 370, open questions

Jean-Paul Calderone exarkun at divmod.com
Thu Jan 17 12:35:37 CET 2008


On Thu, 17 Jan 2008 08:55:51 +0100, Christian Heimes <lists at cheimes.de> wrote:
>
>* Should the site package directory also be ignored if process
>  gid != effective gid?

If it should, I think the PEP should explain the attack this defends
against in more detail.  The current brief mention of "security issues"
is a bit hand-wavey.  For example, what is the relationship between
security, this feature, and the PYTHONPATH environment variable?  Isn't
the attack of putting malicious code into a user site-packages directory
the same as the attack of putting it into a directory in PYTHONPATH?

Jean-Paul

