[Python-ideas] Remote package/module imports through HTTP/S

Bruce Leban bruce at leban.us
Wed Aug 23 14:04:41 EDT 2017


On Wed, Aug 23, 2017 at 10:37 AM, John Torakis <john.torakis at gmail.com>
wrote:

>
> Github can be trusted 100% percent for example.


This isn't even remotely close to true. While I'd agree with the statement
that the SSL cert on github is reasonably trustworthy, the *content* on
github is NOT trustworthy and that's where the security risk is.

I agree that this is a useful feature and there is no way it should be on
by default. The right way IMHO to do this is to have a command line option
something like this:

python --http-import somelib=https://github.com/someuser/somelib


which then redefines the import somelib command to import from that source.
Along with your scenario, it allows people, for example, to replace a
library with a different version without modifying source or installing a
different version. That's pretty useful.

--- Bruce
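An added example, not code from this thread or from any proposal in it: one way the explicit name-to-URL mapping could be implemented as an opt-in import hook. It goes beyond the message by also pinning a SHA-256 of the reviewed source, since the TLS certificate vouches for the host and not for the content; `PinnedRemoteFinder`, `https_fetch`, the pin and the `example.invalid` URL are assumptions.

```python
import hashlib
import importlib.abc
import importlib.util
import sys
import urllib.request


def https_fetch(url):
    """Default fetcher: TLS authenticates the host, not what it serves."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read()


class PinnedRemoteFinder(importlib.abc.MetaPathFinder, importlib.abc.Loader):
    """Handles only modules the operator mapped explicitly (off by default)."""

    def __init__(self, mapping, fetch=https_fetch):
        self.mapping = mapping  # {module name: (https URL, expected SHA-256 hex)}
        self.fetch = fetch

    def find_spec(self, fullname, path=None, target=None):
        if fullname not in self.mapping:
            return None  # not opted in: the normal import machinery handles it
        url = self.mapping[fullname][0]
        return importlib.util.spec_from_loader(fullname, self, origin=url)

    def exec_module(self, module):
        url, pin = self.mapping[module.__name__]
        if not url.startswith("https://"):
            raise ImportError(f"{module.__name__}: refusing non-HTTPS source {url}")
        source = self.fetch(url)
        if hashlib.sha256(source).hexdigest() != pin:
            # Content changed since it was reviewed: fail closed, run nothing.
            raise ImportError(f"{module.__name__}: SHA-256 mismatch for {url}")
        exec(compile(source, url, "exec"), module.__dict__)


if __name__ == "__main__":
    # Constructed sample: an in-memory "server" stands in for the remote host.
    body = b"def greet():\n    return 'hello from somelib'\n"
    url = "https://example.invalid/somelib.py"
    served = {url: body}
    mapping = {"somelib": (url, hashlib.sha256(body).hexdigest())}
    # Position 0 lets the mapping override an installed copy of the library.
    sys.meta_path.insert(0, PinnedRemoteFinder(mapping, served.__getitem__))
    print(importlib.import_module("somelib").greet())
    del sys.modules["somelib"]
    served[url] = body + b"print('unreviewed code')\n"
    try:
        importlib.import_module("somelib")
    except ImportError as exc:
        print("blocked:", exc)
```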