[Python-Dev] PEP 476: Enabling certificate validation by default!
Donald Stufft
donald at stufft.io
Mon Sep 1 19:08:11 CEST 2014
> On Sep 1, 2014, at 1:01 PM, Christian Heimes <christian at python.org> wrote:
>
> On 01.09.2014 17:35, Nick Coghlan wrote:
>> Oh, now I get what you mean - yes, sitecustomize already poses the same
>> kind of problem as the proposed sslcustomize (hence the existence of the
>> related command line options).
>
> If an attacker is able to place a module like sitecustomize.py in an
> import directory or any .pth file in a site-packages directory than this
> Python installation is compromised. .pth files are insidious because
> they are always loaded and their code is always executed. I don't see
> how sslcustomize is going to make a difference here.
>
Right, this is the point I was trying to make. If you’ve installed a malicious
package it’s game over. There’s nothing Python can do to help you.
---
Donald Stufft
PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/python-dev/attachments/20140901/7b495c49/attachment.html>
More information about the Python-Dev
mailing list