[Python-ideas] Remote package/module imports through HTTP/S

Chris Angelico rosuav at gmail.com
Wed Aug 23 13:17:17 EDT 2017


On Thu, Aug 24, 2017 at 2:55 AM, John Torakis <john.torakis at gmail.com> wrote:
> Hello all!
>
> Today I opened an issue in bugs.python.org
> (http://bugs.python.org/issue31264) proposing a module I created for
> remote package/module imports through standard HTTP/S.
>
> The concept is that, if a directory is served through HTTP/S (the way
> SimpleHTTPServer module serves directories), a Finder/Loader object can
> fetch Python files from that directory using HTTP requests, and finally
> load them as modules (or packages) in the running namespace.
>
> The repo containing a primitive (but working) version of the
> Finder/Loader, also contains self explanatory examples (in the README.md):
>
> https://github.com/operatorequals/httpimport
>
>
> My proposal is that this module can become a core Python feature,
> providing a way to load modules even from Github.com repositories,
> without the need to "git clone - setup.py install" them.
>
>
> Other languages, like golang, provide this functionality from their
> early days (day one?). Python development can be greatly improved if a
> "try before pip installing" mechanism gets in place, as it will add a
> lot to the REPL nature of the testing/experimenting process.

As a core feature? No no no no no no no no. Absolutely do NOT WANT
THIS. This is a security bug magnet; can you imagine trying to ensure
that malicious code is not executed, in an arbitrary execution
context? As an explicitly-enabled feature, it's a lot less hairy than
a permanently-active one (can you IMAGINE how terrifying that would
be?), but even so, trying to prove that addRemoteRepo (not a
PEP8-compliant name, btw) is getting the correct code is not going to
be easy. You have to (a) drop HTTP altogether and mandate SSL and (b)
be absolutely sure that your certificate chains are 100% dependable,
which - as we've seen recently - is a nontrivial task.

The easiest way to add remote code is pip. For most packages, that's
what you want to be using:

pip install requests

will make "import requests" functional. I don't see pip mentioned
anywhere in your README, but you do mention the testing of pull
requests, so at very least, this wants some explanatory screed.

But I'm not entirely sure I want to support this. You're explicitly
talking about using this with the creation of backdoors... in what,
exactly? What are you actually getting at here?

ChrisA
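Worked example, added here and not part of the thread or of the httpimport project: a minimal MetaPathFinder/Loader that does the two things the reply asks for, refusing anything that is not https:// (so urllib's default certificate verification applies) and refusing to execute a fetched module unless its SHA-256 matches a pin the caller supplies out of band, which is what turns "fetch code from a URL" into "fetch the code I expected". The base URL, module names, the in-memory FAKE_SERVER and offline_fetch are constructed so the example runs offline; a real deployment would pass the default fetch_https.

```python
"""Added example: HTTPS-only, hash-pinned remote import via importlib.
Not httpimport's code; URLs, names and the in-memory server are assumptions."""
import hashlib
import importlib
import importlib.abc
import importlib.util
import sys
from urllib.parse import urlparse
from urllib.request import urlopen


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def fetch_https(url: str, timeout: float = 10.0) -> bytes:
    """Fetch bytes over HTTPS only. urlopen verifies the server certificate
    against the system trust store by default; plain http:// is refused here."""
    if urlparse(url).scheme != "https":
        raise ValueError(f"refusing non-HTTPS URL: {url}")
    with urlopen(url, timeout=timeout) as resp:
        return resp.read()


class PinnedRemoteFinder(importlib.abc.MetaPathFinder, importlib.abc.Loader):
    """Serves only the module names it holds pins for, from one HTTPS base URL."""

    def __init__(self, base_url, pins, fetch=fetch_https):
        if urlparse(base_url).scheme != "https":
            raise ValueError(f"base URL must be https://, got {base_url}")
        self.base_url = base_url.rstrip("/") + "/"
        self.pins = dict(pins)      # module name -> expected sha256 hex digest
        self.fetch = fetch
        self._source = {}           # module name -> (url, verified source bytes)

    def find_spec(self, fullname, path=None, target=None):
        if fullname not in self.pins:
            return None             # not ours: let the next finder on sys.meta_path try
        url = self.base_url + fullname.replace(".", "/") + ".py"
        data = self.fetch(url)
        digest = sha256_hex(data)
        if digest != self.pins[fullname]:
            # Nothing has been compiled or executed yet; fail before it can be.
            raise ImportError(f"{fullname}: sha256 {digest} != pinned {self.pins[fullname]}",
                              name=fullname)
        self._source[fullname] = (url, data)
        return importlib.util.spec_from_loader(fullname, self, origin=url)

    def create_module(self, spec):
        return None                 # use the default module object

    def exec_module(self, module):
        url, data = self._source[module.__name__]
        exec(compile(data, url, "exec"), module.__dict__)


def load_pinned_module(base_url, name, sha256, fetch=fetch_https):
    """Import one remote module under a hash pin, installing the finder only
    for the duration of the import so nothing else can be resolved through it."""
    finder = PinnedRemoteFinder(base_url, {name: sha256}, fetch)
    sys.meta_path.insert(0, finder)
    try:
        return importlib.import_module(name)
    finally:
        sys.meta_path.remove(finder)


# Constructed stand-in for a SimpleHTTPServer directory, so the example runs offline.
FAKE_SERVER = {
    "https://example.invalid/mods/greet.py": b"def hello(name):\n    return 'hello ' + name\n",
    "https://example.invalid/mods/tampered.py": b"print('this must never run')\n",
}


def offline_fetch(url):
    """Assumed replacement for fetch_https that reads FAKE_SERVER instead of the network."""
    if urlparse(url).scheme != "https":
        raise ValueError(f"refusing non-HTTPS URL: {url}")
    return FAKE_SERVER[url]


def demo():
    base = "https://example.invalid/mods"
    good_pin = sha256_hex(FAKE_SERVER[base + "/greet.py"])   # pin obtained out of band
    greet = load_pinned_module(base, "greet", good_pin, fetch=offline_fetch)
    try:                                # pin for greet.py does not match tampered.py
        load_pinned_module(base, "tampered", good_pin, fetch=offline_fetch)
        tampered_blocked = False
    except ImportError:
        tampered_blocked = True
    try:                                # an http:// base URL is refused outright
        PinnedRemoteFinder("http://example.invalid/mods", {})
        http_blocked = False
    except ValueError:
        http_blocked = True
    return greet.hello("world"), tampered_blocked, http_blocked


if __name__ == "__main__":
    print(demo())   # ('hello world', True, True)
```

The pin does the work that a TLS certificate chain alone cannot: TLS only tells you which host you are talking to, while the digest ties the import to the exact bytes you reviewed, so a compromised or repointed server cannot hand you something else. The finder also answers only for names it has pins for, which keeps a remote server from shadowing standard-library or installed modules.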

