[Python-Dev] Keyword meanings [was: Accept just PEP-0426]

Donald Stufft donald.stufft at gmail.com
Thu Dec 6 00:30:41 CET 2012

On Wednesday, December 5, 2012 at 6:18 PM, Barry Warsaw wrote:
> On Dec 05, 2012, at 06:07 PM, Donald Stufft wrote:
> > If you're installing B you've prescribed trust to that author. If you don't
> > trust the author then why are you installing (and then executing) code
> > they wrote. 
> > 
> What if you installed Z, but B got installed because it was a dependency three
> levels down?

Sure, you granted trust to Z, Z granted trust to Y, and Y granted trust to B. Like
with SSL certificates, there is a chain of trust. If you don't trust Z then don't install
their package.
> > Very convenient to declare that one of the major use cases for
> > Obsoletes over Obsoleted-By is not valid because of your own
> > personal opinions. Like I said above, if you're installing a package
> > that someone has uploaded you've implicitly granted them trust. There
> > are far worse things that a bad Python citizen can do during and after
> > an install than what is allowed by Obsoletes.
> > 
> Well, basically never installing anything from PyPI except into a virtualenv
> is probably a good recommendation (maybe even now).

A virtualenv only protects you from well behaved packages. There is no way
to prevent a package author from doing very nasty things to you if they wish.
Providing more power in the metadata doesn't make this situation better or
worse, it just makes more standard paths in the cases where you do need
to do it.
> > End systems oftentimes do not have a singular organization controlling
> > every package in their system. The best example is Ubuntu and their PPAs.
> > 
> Well, PPAs are awesome, but have known and well-publicized trust issues. I
> wouldn't enable a PPA into my running system without really knowing who the
> owner is and why I'm using their PPA. Or doing a lot of testing in a chroot
> first, and probably pinning the package set to just the one(s) from the PPA I
> care about.

Basically the same thing can be said about packages on PyPI. All the same
trust issues exist there. Simply installing a Python package is already granting
far more trust than Obsoletes requires, since installing a package is executing
someone else's Python code on your system. Even if you remove setup.py you're
still going to be executing their code on your system. If you do not trust the
author of the packages you are installing, you do not install their packages.
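The "Z trusts Y trusts B" chain argued over above can be made concrete: before installing a top-level package, walk its dependency graph and list every author whose install-time code would run. The script below is an added example, not code from the thread or from any packaging tool; the package index (names Z, Y, W, B and their authors) is constructed for illustration, and the author-per-package lookup is a hypothetical stand-in for whatever metadata source you actually use.

```python
"""Trace the transitive trust chain of a package install.

Added example for the thread above (not part of the original message).
It models the point that installing Z means trusting Z's author, plus every
author that Z's dependencies pull in, however many levels down.
"""
from collections import deque

# Constructed metadata for illustration: name -> (author, dependency names).
# In practice this would come from the index or from each package's metadata.
CONSTRUCTED_INDEX = {
    "Z": ("alice", ["Y", "W"]),
    "Y": ("bob", ["B"]),
    "W": ("alice", []),
    "B": ("carol", []),
}

UNKNOWN = ("<unknown>", [])


def trust_chains(root, index):
    """Breadth-first walk from `root`.

    Returns {package: chain}, where chain is the list of packages from the
    root down to that package. Every package in a chain is one more author
    whose code runs on your system during install. Packages already seen are
    not re-queued, so dependency cycles terminate.
    """
    chains = {root: [root]}
    queue = deque([root])
    while queue:
        pkg = queue.popleft()
        _author, deps = index.get(pkg, UNKNOWN)
        for dep in deps:
            if dep not in chains:  # first path found wins; also breaks cycles
                chains[dep] = chains[pkg] + [dep]
                queue.append(dep)
    return chains


def trusted_authors(root, index):
    """Distinct authors whose code an install of `root` would execute."""
    return {index.get(p, UNKNOWN)[0] for p in trust_chains(root, index)}


def report(root, index):
    """One human-readable line per transitively installed package."""
    lines = []
    for pkg, chain in sorted(trust_chains(root, index).items()):
        author = index.get(pkg, UNKNOWN)[0]
        lines.append(f"{pkg} (author {author}) via {' -> '.join(chain)}")
    return lines


if __name__ == "__main__":
    for line in report("Z", CONSTRUCTED_INDEX):
        print(line)
    print("authors implicitly trusted:",
          sorted(trusted_authors("Z", CONSTRUCTED_INDEX)))
```

Running it against the constructed index shows that installing Z alone commits you to code from three distinct authors, and that B is reached only through Y, which is exactly the "three levels down" case Barry raised.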
