[Python-ideas] Security: remove "." from sys.path?

Chris Angelico rosuav at gmail.com
Sat Jun 3 09:23:05 EDT 2017


On Sat, Jun 3, 2017 at 8:36 PM, Steven D'Aprano <steve at pearwood.info> wrote:
> On Fri, Jun 02, 2017 at 12:36:59PM +1000, Chris Angelico wrote:
>
> [...]
>> > I expect that moving '' to the end of sys.path will be a less disruptive
>> > change than removing it.
>>
>> This is true. However, anything that depends on the current behaviour
>> (intentionally or otherwise) would be just as broken as if it were
>> removed,
>
> I don't think we've agreed that the current behaviour is broken. I
> think we agree that:
>
> - it is unfortunate when people accidentally shadow the stdlib;
>
> - it is a feature to be able to intentionally shadow the stdlib.
>
> I believe that it is also a feature for scripts to be able to depend on
> resources in their directory, including other modules. That's the
> current behaviour. I don't know if you agree, but if you want to argue
> that's "broken", you should do so explicitly.

No, I'm not arguing that that behaviour is broken. Unideal, perhaps,
but definitely not broken. What I said was that an application that
depends on "import secrets" picking up secrets.py in the current
directory is just as broken if '' is moved to the end as if it's
removed altogether. By moving it to the end, we increase the chances
that a minor version will break someone's code; by removing it
altogether and forcing people to write "from . import secrets" (either
with an implicit package or making people explicitly create
__init__.py), we also force the issue to be fixed earlier. Instead of
a potential future breakage, we have an immediate breakage with an
easy and obvious solution.

That's not to say that I don't think moving '' to the end would be an
advantage. I just think that, if we're proposing to change the current
behaviour and thus potentially break people's current code, we should
fix the problem completely rather than merely reducing it.

ChrisA
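As an added illustration of the thread's point (this is not code from the post or from CPython, and the helper names are this example's own): the script below builds a throwaway directory containing a constructed secrets.py, resolves `import secrets` with that directory first and then last on the search path, lists which local files would shadow standard-library modules, and finally contrasts a package-internal `import secrets` with `from . import secrets`, which resolves against the package's own directory regardless of sys.path order.

```python
"""Added example, not part of the Python-ideas thread or of CPython.

Shows how sys.path order decides which file a top-level `import secrets`
loads, detects local files that would shadow the stdlib, and contrasts the
explicit relative import `from . import secrets`. All files are constructed
in a temporary directory; helper names are this example's own."""
import importlib
import os
import sys
import tempfile
from importlib.machinery import PathFinder

# Directory holding the pure-Python stdlib (os.py, secrets.py, ...).
STDLIB_DIR = os.path.dirname(os.__file__)


def resolve_origin(module_name, search_path):
    """Path that a top-level `import module_name` would load given search_path."""
    spec = PathFinder.find_spec(module_name, search_path)
    return None if spec is None else spec.origin


def shadowed_stdlib_modules(directory, stdlib_dir=STDLIB_DIR):
    """Names in `directory` that shadow a stdlib module when `directory` is
    first on sys.path: foo.py, or a package foo/__init__.py.  A bare foo/
    without __init__.py is only a namespace portion and loses to a real
    stdlib module.  Builtin modules (sys, and usually time) are found by
    BuiltinImporter before sys.path is consulted, so a local sys.py cannot
    shadow them and they are skipped."""
    found = []
    for entry in sorted(os.listdir(directory)):
        path = os.path.join(directory, entry)
        if entry.endswith(".py") and os.path.isfile(path):
            name = entry[:-3]
        elif os.path.isfile(os.path.join(path, "__init__.py")):
            name = entry
        else:
            continue
        if name in sys.builtin_module_names:
            continue
        if PathFinder.find_spec(name, [stdlib_dir]) is not None:
            found.append(name)
    return found


def demo_path_order():
    """Local secrets.py wins when its directory is first, loses when it is last."""
    with tempfile.TemporaryDirectory() as tmp:
        local = os.path.join(tmp, "secrets.py")
        with open(local, "w") as f:
            f.write("PASSWORD = 'constructed'\n")  # constructed shadowing file
        importlib.invalidate_caches()
        front = resolve_origin("secrets", [tmp, STDLIB_DIR])  # '' at the front
        back = resolve_origin("secrets", [STDLIB_DIR, tmp])   # '' moved to the end
        return {
            "front_picks_local": os.path.samefile(front, local),
            "back_picks_stdlib": back is not None and not back.startswith(tmp),
            "detected": shadowed_stdlib_modules(tmp),
        }


def demo_relative_import():
    """Inside a package, `import secrets` is absolute and follows sys.path
    (the stdlib wins here), while `from . import secrets` always takes the
    sibling file, whatever sys.path looks like."""
    with tempfile.TemporaryDirectory() as tmp:
        pkg = os.path.join(tmp, "demo_pkg")
        os.mkdir(pkg)
        files = {  # constructed package: __init__.py, a local secrets, and a user
            "__init__.py": "",
            "secrets.py": "PASSWORD = 'constructed'\n",
            "app.py": ("import secrets as absolute\n"
                       "from . import secrets as relative\n"
                       "ORIGINS = (absolute.__file__, relative.__file__)\n"),
        }
        for name, body in files.items():
            with open(os.path.join(pkg, name), "w") as f:
                f.write(body)
        sys.path.insert(0, tmp)
        importlib.invalidate_caches()
        try:
            app = importlib.import_module("demo_pkg.app")
            absolute, relative = app.ORIGINS
        finally:
            sys.path.remove(tmp)
            for mod in [m for m in sys.modules if m.split(".")[0] == "demo_pkg"]:
                del sys.modules[mod]
        return {
            "absolute_is_stdlib": not absolute.startswith(tmp),
            "relative_is_local": os.path.samefile(relative, os.path.join(pkg, "secrets.py")),
        }


if __name__ == "__main__":
    print(demo_path_order())
    print(demo_relative_import())
```

Run it as a script and the first dict reports that the local file wins only when its directory comes first, and that `shadowed_stdlib_modules` flags `secrets`; the second reports that the package's own `secrets.py` is reached only through the relative import. `shadowed_stdlib_modules` is the kind of check worth running over a script's directory in CI, since it catches the accidental shadowing the thread describes before a change in sys.path order (or in the stdlib's module list) turns it into a surprise.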
