[Catalog-sig] UI for managing catalog

Amos Latteier amos@digicool.com
Fri, 17 Nov 2000 15:29:49 -0500


On Thu, 16 Nov 2000 20:56:55 +0100 "Martin v. Loewis" <martin@loewis.home.cs.tu-berlin.de> wrote:
> > Yes, it's the same old code. It is not safe. I had problems getting
> > Rexec to work here, and punted on it.
> 
> Can you elaborate on the problems, please? Is there something that
> intrinsically can't work, or did you just not get through with it?

The problem is that you need to run python code (setup.py) to extract
meta-data from a distutils distribution. This is part of the distutils
design, and this has been discussed on the distutils list. In the case
of the catalog, you may not trust the code that has either been
uploaded, or that the catalog has fetched from a URL. My thought was
that you could use rexec to execute untrusted setup.py files. However,
I don't know much about rexec and was never able to get it to work
right with sample setup.py files. No doubt someone else could do
better.

If it turns out that for some reason rexec can't provide a solution to
this problem, I see some alternatives. We could find some way to trust
the setup.py file, so a restricted execution environment wouldn't be
necessary. Or we could require that meta-data come from somewhere else
(such as manually filling out a web form). Or we could enhance the
distutils to write meta-data to a text file in a simple format when it
builds a distribution.

-Amos
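
The last alternative in the message above, reading meta-data from a simple text file instead of running setup.py, sketched as an added example that is not part of the original message or of distutils. The "Key: value" layout, the field names, the size limits and the sample inputs are all assumptions made for this illustration.

```python
import re

# Assumed field set and limits for this sketch (not from the distutils design).
ALLOWED_FIELDS = {"name", "version", "summary", "author", "author-email", "home-page"}
REQUIRED_FIELDS = {"name", "version"}
MAX_BYTES = 16 * 1024
MAX_VALUE_LEN = 512
LINE_RE = re.compile(r"([A-Za-z][A-Za-z-]*):[ \t]*(.*)")


class MetadataError(ValueError):
    """The uploaded meta-data file failed validation."""


def parse_metadata(raw: bytes) -> dict:
    """Treat the upload purely as data: no import, eval or exec of its content."""
    if len(raw) > MAX_BYTES:
        raise MetadataError("file too large")
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise MetadataError("not valid UTF-8") from exc
    fields = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue  # blank lines are ignored
        match = LINE_RE.fullmatch(line)
        if match is None:
            raise MetadataError(f"line {lineno}: not a 'Key: value' pair")
        key, value = match.group(1).lower(), match.group(2).strip()
        if key not in ALLOWED_FIELDS:
            raise MetadataError(f"line {lineno}: unknown field {key!r}")
        if key in fields:
            raise MetadataError(f"line {lineno}: duplicate field {key!r}")
        if not value or len(value) > MAX_VALUE_LEN or not value.isprintable():
            raise MetadataError(f"line {lineno}: bad value for {key!r}")
        fields[key] = value
    missing = REQUIRED_FIELDS - fields.keys()
    if missing:
        raise MetadataError(f"missing required fields: {sorted(missing)}")
    return fields


# Constructed sample inputs: a well-formed file and one carrying a line of code.
GOOD = b"Name: example-dist\nVersion: 0.1\nSummary: Constructed sample entry\n"
CODE_LINE = b"Name: example-dist\nVersion: 0.1\nimport os\n"

if __name__ == "__main__":
    print(parse_metadata(GOOD))
```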