Can I trust downloading Python?

Steven D'Aprano steve+comp.lang.python at pearwood.info
Tue Sep 10 10:40:37 EDT 2013


On Tue, 10 Sep 2013 10:45:16 +0100, Oscar Benjamin wrote:

> On 10 September 2013 01:06, Steven D'Aprano
> <steve+comp.lang.python at pearwood.info> wrote:

[rant about executing code over the internet]
 
> You could have also mentioned pip/PyPI in that. 'pip install X'
> downloads and runs arbitrary code from a largely unmonitored and
> uncontrolled code repository. The maintainers of PyPI can only try to
> ensure that the original author of X would remain in control of what
> happens and could remove a package X if it were discovered to be
> malware. However they don't have anything like the resources to monitor
> all the code coming in so it's essentially a system based on trust in
> the authors where the only requirement to be an author is that you have
> an email address. Occasionally I see the suggestion to do 'sudo pip
> install X' which literally gives root permissions to arbitrary code
> coming straight from the net.

Sure, but there's a significant difference here.

If I were to run "pip install foo", I'm explicitly choosing to trust that 
code. If I don't trust it, I simply don't run pip install. Merely going 
to the PyPI website for package "foo" doesn't run foo, nor does viewing 
the code, or even running "hg update" (or git) on the repository. By 
default, foo doesn't run unless I explicitly run it. pip is *fail safe* 
-- if it fails, or if I don't run it, nothing gets executed.

In contrast, if I go to foo.com, the default is "everything will run". I 
have *no idea* what's going to happen until I get there. The default is 
"run anything, unless explicitly turned off" instead of "don't run, 
unless explicitly turned on". Even if I run NoScript in my browser, or 
turn off Javascript in my browser, I'm hoping that there isn't some 
executable protocol that NoScript doesn't block, or only partially blocks 
("What do you mean web fonts contain executable code?"), or maybe I 
turned Javascript back on so some other site works and forgot to turn it 
off again. Our browsers are fail unsafe -- if they fail, they can run 
untrusted code.

You can't even say "well if you don't trust foo.com, don't go there" 
because while foo.com itself might be trusted, they're probably selling 
advertising, and the advert itself is executable and could come from 
anyone, anywhere.

Imagine that every time you walked into a shop, the shop could instantly, 
irreversibly and silently deduct whatever amount of money from your 
credit card it liked, unless you remembered to put your credit card 
inside a metal wallet before entering the store. But most stores won't 
let you in if you do, or at least the shopping experience is painful. So 
we just hope that the store won't take advantage of that ability and rob 
us blind. That's not too far from the Internet security model.



-- 
Steven
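The thread's point is that "pip install X" is an explicit act of trust, and that "sudo pip install X" hands root to whatever the package's setup.py does. The following Python script is an added illustration of how a practitioner can keep that trust explicit: download the archive first, verify it against a hash pinned when the package was reviewed, note whether it is an sdist (whose setup.py executes during install) or a wheel (unpacked without running package code), and refuse to proceed as root. It is not code from this thread or from pip; the pinned-hash table and the sample sdist it builds are constructed for the example.

```python
"""Verify a downloaded package archive before handing it to pip.

Added example for the pip/PyPI trust discussion; not the thread's or pip's
own code.  The pin table and the sample sdist are constructed here.
"""
import hashlib
import io
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_of_file(path):
    """Stream the file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def runs_code_at_install(path):
    """True for an sdist carrying setup.py (executed by 'pip install');
    False for a wheel, which is unpacked without running package code."""
    if path.endswith(".whl"):
        return False
    with tarfile.open(path, "r:*") as tar:
        return any(Path(m.name).name == "setup.py" for m in tar.getmembers())


def check_archive(path, pinned, is_root=None):
    """Return (ok, reason).  ok is True only when we are not root and the
    archive's SHA-256 matches the hash pinned for its filename."""
    if is_root is None:
        is_root = hasattr(os, "geteuid") and os.geteuid() == 0
    if is_root:
        return False, "refusing to install as root; use a virtualenv or --user"
    name = Path(path).name
    expected = pinned.get(name)
    if expected is None:
        return False, "no pinned hash for %s; review the package first" % name
    actual = sha256_of_file(path)
    if actual != expected:
        return False, "hash mismatch: expected %s, got %s" % (expected, actual)
    if runs_code_at_install(path):
        return True, "hash verified; sdist: setup.py will execute at install time"
    return True, "hash verified; wheel: no install-time code"


def make_sample_sdist(directory, name="foo-1.0.tar.gz"):
    """Build a constructed, minimal sdist (a setup.py stub) for demonstration."""
    contents = b"from setuptools import setup\nsetup(name='foo')\n"
    path = os.path.join(directory, name)
    with tarfile.open(path, "w:gz") as tar:
        info = tarfile.TarInfo("foo-1.0/setup.py")
        info.size = len(contents)
        tar.addfile(info, io.BytesIO(contents))
    return path


def demo():
    """Run the checks against the constructed sdist and report the outcomes."""
    with tempfile.TemporaryDirectory() as d:
        p = make_sample_sdist(d)
        name = os.path.basename(p)
        pins = {name: sha256_of_file(p)}  # the pin a reviewer would record
        return {
            "sdist_runs_code": runs_code_at_install(p),
            "pinned_ok": check_archive(p, pins, is_root=False)[0],
            "root_refused": not check_archive(p, pins, is_root=True)[0],
            "bad_pin_rejected": not check_archive(p, {name: "0" * 64}, is_root=False)[0],
            "unpinned_rejected": not check_archive(p, {}, is_root=False)[0],
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-18s %s" % (key, value))
```

In practice the pin table would be the hashes recorded when the package was first reviewed (pip's `--require-hashes` mode with a requirements file serves the same purpose), and the archive would come from `pip download` rather than from a direct install, so that nothing from the package runs until the check has passed.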