[Python-ideas] Security: remove "." from sys.path?

Victor Stinner victor.stinner at gmail.com
Mon Jun 5 06:55:17 EDT 2017


On 5 June 2017 at 00:52, "Guido van Rossum" <guido at python.org> wrote:

I really don't want people to start using the "from . import foo" idiom for
their first steps into programming. It seems a reasonable "defensive
programming" maneuver to put in scripts and apps made by professional
Python programmers for surprise-free wide distribution, but (like many of
those) should not be part of the learning experience.


A minimum change would be to add the (empty string) at the end of sys.path
in Python 3.7 rather than adding it at the start.

It would increase Python usability since it avoids the "random has no
randint() function" caused by a random.py file in the script directory. In
my experience, this bug hits every developer starting to learn Python and
it can be very strange when you get the error when trying to run IDLE.

I don't think that a new command line parameter is required. It's already
easy enough to prepend something to sys.path directly in the script. And I
consider that it's a very rare use case.

Victor
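
Added example, not part of the message above and not CPython code: it resolves a module name against two search orders, script directory first (the current behaviour) and script directory last (the order proposed in the message), without importing anything. The function names and the temporary random.py are constructed for illustration.

```python
import importlib
import os
import sys
import tempfile
from importlib.machinery import PathFinder


def resolve(name, search_path):
    """Return the file `import name` would load for this search order, or None."""
    spec = PathFinder.find_spec(name, search_path)
    return spec.origin if spec else None


def shadowing_report(name="random"):
    """Say whether a same-named file in the script directory wins the lookup."""
    with tempfile.TemporaryDirectory() as script_dir:
        # Constructed sample: a beginner's own file named like a stdlib module.
        shadow = os.path.join(script_dir, name + ".py")
        with open(shadow, "w") as fh:
            fh.write("# constructed stand-in for a local file\n")
        importlib.invalidate_caches()

        # Interpreter search path without '' and without the current directory.
        cwd = os.path.realpath(os.getcwd())
        rest = [p for p in sys.path if p and os.path.realpath(p) != cwd]

        def is_shadow(origin):
            return (origin is not None
                    and os.path.realpath(origin) == os.path.realpath(shadow))

        return {
            # Current behaviour: script directory searched first.
            "script dir first": is_shadow(resolve(name, [script_dir] + rest)),
            # Proposed order: script directory searched last.
            "script dir last": is_shadow(resolve(name, rest + [script_dir])),
        }


if __name__ == "__main__":
    for module in ("random", "my_local_helper_constructed"):
        print(module, shadowing_report(module))
```

A name that exists only in the script directory resolves to the local file under both orders, so appending the entry changes the outcome only where a local file collides with an installed module.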