[Python-Dev] PEP 3147, __pycache__ directories and umask

Antoine Pitrou solipsis at pitrou.net
Tue Mar 23 01:05:11 CET 2010


Greg Ewing <greg.ewing <at> canterbury.ac.nz> writes:
> 
> Doesn't the existing .pyc mechanism have the same problem? Seems
> to me it's just as insecure to allow the Apache user to create
> .pyc files, since an attacker could overwrite them with arbitrary
> bytecode.

The problem is that you can't delete the __pycache__ directory if it doesn't
have the right ownership and if it's non-empty.
This problem doesn't exist with a pyc file situated in a directory you own.

> > Actually, __pycache__ creation doesn't have to be part of the import
mechanism.
> > It can be part of distutils instead (or whatever third-party tool
> 
> What about development,

The main point of the __pycache__ proposal is to solve the needs of
Ubuntu/Debian packagers. If you are developing (rather than deploying or
building packages), you shouldn't have these needs AFAICT.

> or if a user installs by dragging into
> site-packages instead of using an installer?

Well... do people actually do this?

"python setup.py install" is simpler than finding the right place to drag your
package to, and doing the dragging. It also gives you metadata for free. And
there's less risk of screwing up.




More information about the Python-Dev mailing list