[Python-ideas] Remote package/module imports through HTTP/S

John Torakis john.torakis at gmail.com
Wed Aug 23 14:15:29 EDT 2017



On 23/08/2017 21:11, Chris Angelico wrote:
> On Thu, Aug 24, 2017 at 4:04 AM, Bruce Leban <bruce at leban.us> wrote:
>> On Wed, Aug 23, 2017 at 10:37 AM, John Torakis <john.torakis at gmail.com>
>> wrote:
>>>
>>> Github can be trusted 100 percent for example.
>>
>> This isn't even remotely close to true. While I'd agree with the statement
>> that the SSL cert on github is reasonably trustworthy, the *content* on
>> github is NOT trustworthy and that's where the security risk is.
>>
>> I agree that this is a useful feature and there is no way it should be on by
>> default. The right way IMHO to do this is to have a command line option
>> something like this:
>>
>> python --http-import somelib=https://github.com/someuser/somelib
> If you read his README, it's pretty explicit about URLs; the risk is
> that "https://github.com/someuser/somelib" can be intercepted, not
> that "someuser" is malicious. If you're worried about the latter,
> don't use httpimport.

Again, if https://github.com/someuser/somelib can be intercepted,
https://pypi.python.org/pypi can too.
If HTTPS is intercepted so easily (when not used from browsers) we are
f**ed...
>
> ChrisA
> _______________________________________________
> Python-ideas mailing list
> Python-ideas at python.org
> https://mail.python.org/mailman/listinfo/python-ideas
> Code of Conduct: http://python.org/psf/codeofconduct/
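The two risks the thread separates (interception of the HTTPS transport
versus trusting whatever content sits at the URL) can both be handled on
the client side. The following is an added example written for this
archive page; it is not httpimport's code and not code posted by anyone
in the thread. The function names, the sample module source and its
pinned digest are constructed for illustration, and it assumes Python
3.7 or later (for ssl.TLSVersion). The fetch helper refuses plaintext
HTTP and uses the default verified TLS context, which is what makes
"interception" a CA-compromise problem rather than a trivial one; the
loader then refuses to exec any source whose SHA-256 does not match a
pin recorded out of band, which is what addresses the "content is not
trustworthy" objection regardless of who controls the server.

```python
"""Fetch a module over verified HTTPS and exec it only if its SHA-256
matches a pin recorded ahead of time.

Added example for the python-ideas thread on remote imports; not
httpimport's code. Names and sample data are constructed.
"""
import hashlib
import hmac
import ssl
import sys
import types
import urllib.request


class PinMismatch(Exception):
    """Raised when fetched source does not match the expected digest."""


def strict_tls_context() -> ssl.SSLContext:
    """Return a context that verifies the chain and the hostname.

    create_default_context() already loads the system trust store and
    sets CERT_REQUIRED + check_hostname; we only raise the floor to
    TLS 1.2 and refuse to continue if anything has weakened it.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if not is_strict(ctx):
        raise RuntimeError("TLS context does not verify peer certificates")
    return ctx


def is_strict(ctx: ssl.SSLContext) -> bool:
    """True if the context enforces certificate and hostname checks."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def fetch_verified_source(url: str, timeout: float = 10.0) -> bytes:
    """Download module source; plaintext HTTP is refused outright."""
    if not url.startswith("https://"):
        raise ValueError("refusing non-HTTPS URL: %r" % url)
    with urllib.request.urlopen(
        url, timeout=timeout, context=strict_tls_context()
    ) as resp:
        return resp.read()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def pin_matches(source: bytes, expected_sha256: str) -> bool:
    """Constant-time comparison of the source digest against the pin."""
    return hmac.compare_digest(sha256_hex(source), expected_sha256.lower())


def load_pinned_module(name: str, source: bytes,
                       expected_sha256: str) -> types.ModuleType:
    """Exec `source` as module `name` only if it matches the pin."""
    if not pin_matches(source, expected_sha256):
        raise PinMismatch("digest of %s is %s, expected %s"
                          % (name, sha256_hex(source), expected_sha256))
    mod = types.ModuleType(name)
    mod.__file__ = "<pinned:%s>" % name
    code = compile(source, mod.__file__, "exec")
    exec(code, mod.__dict__)
    sys.modules[name] = mod
    return mod


# Constructed sample module and the pin an operator would have recorded
# (in a lock file, say) when they first reviewed this exact source.
SAMPLE_SOURCE = b"def greet(who):\n    return 'hello ' + who\n"
SAMPLE_PIN = sha256_hex(SAMPLE_SOURCE)

# The same module with one extra line, as an in-transit or upstream edit
# would produce; the pin no longer matches and it must not be exec'd.
TAMPERED_SOURCE = SAMPLE_SOURCE + b"import os; os.system('id')\n"


if __name__ == "__main__":
    mod = load_pinned_module("somelib", SAMPLE_SOURCE, SAMPLE_PIN)
    print(mod.greet("python-ideas"))
    try:
        load_pinned_module("somelib", TAMPERED_SOURCE, SAMPLE_PIN)
    except PinMismatch as e:
        print("rejected:", e)
```

In real use the pin lives beside the URL (the same place a lock file
keeps a package hash), and fetch_verified_source() is what you call
instead of reading from the network yourself; the two checks are
independent, so a valid certificate from a malicious "someuser" still
fails on the digest, and a correct digest delivered over a downgraded
connection still fails on the transport.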


