Code Repositories was( RE: Proposal: add vector arithmetic to array module)

Paul Rubin phr-n2001 at nightsong.com
Tue Sep 25 21:18:33 EDT 2001


"Mike C. Fletcher" <mcfletch at home.com> writes:
> The problem with such a centralised system is that you need people who care
> enough to do such audits at the core of the project.  I, for instance, have
> 0 interest in doing code audits for free, and little real incentive to care
> whether one has been done on any given package (the work of vetting, for
> instance, wxPython would be huge, and basically I trust that the various
> people on the project keep each other honest and watch their checkins).

If the vetting is really careful, like OpenBSD's vetting, involving
searching for all kinds of devious attacks that the author missed,
then it's a lot of work.  Even still, there are people who like to do
that--that's how OpenBSD is able to exist.  

For something like a Python distribution the expected vetting level
would just mean the distribution maintainer has looked at the source
code and not found any intentional logic bombs, back doors, etc., and
that any included precompiled binaries have been built from sources by
the distribution maintainer rather than by the submitter.  I think it
would be irresponsible for a distributor to do anything less.  That
level of source code examination is about what I do whenever I
download something from a random web site.  It's not such a big deal.
I take it for granted that official Python distributions have already
been through something like that--Guido, Tim, Alex, etc. aren't going
to take someone's weird patch and install it without first looking at it.

It's possible that a malicious submitter could get something devious
past an inspection, but there would be fallout if that happened.

> Anyway, my arguing about such details is just hot air :) until there's a
> concrete proposal and people willing to step up and build the thing, run the
> thing, host the thing, etceteras.  Maybe some day I'll get bored and build
> one, but for now I have plenty of other projects to get done and too little
> time to finish them.

I'm willing to implement signatures in .pyz files or something similar.
On the technical side, I don't think much is needed besides that.
