[Python-ideas] Remote package/module imports through HTTP/S

John Torakis john.torakis at gmail.com
Wed Aug 23 14:11:32 EDT 2017


On 23/08/2017 21:04, Bruce Leban wrote:
>
> On Wed, Aug 23, 2017 at 10:37 AM, John Torakis <john.torakis at gmail.com
> <mailto:john.torakis at gmail.com>> wrote:
>
>
>     Github can be trusted 100% for example.
>
>
> This isn't even remotely close to true. While I'd agree with the
> statement that the SSL cert on github is reasonably trustworthy, the
> *content* on github is NOT trustworthy and that's where the security
> risk is.

Do we trust code on github?

Do we trust code on PyPI?


This is why I **don't** want it ON by default. You have to explicitly
point the Finder/Loader to a repo that you created or you trust. And
provide a list of available modules/packages to import from that URL too.

If the developer isn't sure about the code she/he is importing then it
is her/his fault...

Same goes for pip installing though...

>
> I agree that this is a useful feature and there is no way it should be
> on by default. The right way IMHO to do this is to have a command line
> option something like this:
>
>     python --http-import somelib=https://github.com/someuser/somelib
>
>
> which then redefines the import somelib command to import from that
> source. Along with your scenario, it allows people, for example, to
> replace a library with a different version without modifying source or
> installing a different version. That's pretty useful.

That's what I am thinking too! Just provide the module so someone can
"python -m" it, or start a REPL in the context that some
packages/modules are available from a URL.


>
> --- Bruce

John Torakis
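As an added illustration of the opt-in design described above (an explicit Finder/Loader pointed at one repo URL with a fixed list of importable names), not code from the thread or from any project: a meta-path finder that ignores every name not on its list, fetches only over HTTPS from the configured base URL, and, as an extra check the thread does not specify, refuses a body whose SHA-256 does not match a pinned digest. The URL, module names and the in-memory "repo" in `demo()` are constructed stand-ins for a real fetch.

```python
import hashlib, importlib, importlib.abc, importlib.util, sys, urllib.request


class HttpFinder(importlib.abc.MetaPathFinder, importlib.abc.Loader):
    """Opt-in finder/loader: only listed names, only from base_url, only if the hash pins match."""

    def __init__(self, base_url, pins, fetch=None):
        self.base_url = base_url.rstrip("/")
        self.pins = dict(pins)              # module name -> expected sha256 hex digest
        self.fetch = fetch or self._https_fetch

    @staticmethod
    def _https_fetch(url):
        if not url.startswith("https://"):  # plain HTTP could be altered in transit
            raise ImportError("refusing non-HTTPS import from %s" % url)
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.read()

    def find_spec(self, fullname, path, target=None):
        if fullname not in self.pins:       # not explicitly listed: leave it to other finders
            return None
        origin = "%s/%s.py" % (self.base_url, fullname)
        return importlib.util.spec_from_loader(fullname, self, origin=origin)

    def exec_module(self, module):
        origin = module.__spec__.origin
        body = self.fetch(origin)
        digest = hashlib.sha256(body).hexdigest()
        if digest != self.pins[module.__name__]:  # body differs from what was reviewed and pinned
            raise ImportError("%s: sha256 %s does not match the pin" % (origin, digest))
        exec(compile(body, origin, "exec"), module.__dict__)


def demo():
    """Constructed in-memory 'repo' standing in for the HTTPS fetch (hypothetical URL and names)."""
    good = b"def hello():\n    return 'hello from remote'\n"
    base = "https://github.com/someuser/somelib"
    repo = {base + "/somelib.py": good, base + "/tampered.py": good + b"import os\n"}
    pin = hashlib.sha256(good).hexdigest()  # both names are pinned to the reviewed body
    sys.meta_path.insert(0, HttpFinder(base, {"somelib": pin, "tampered": pin}, repo.__getitem__))
    results = {"somelib": importlib.import_module("somelib").hello()}
    for name in ("tampered", "not_on_the_list"):  # altered body / never listed
        try:
            importlib.import_module(name)
            results[name] = "loaded"
        except ImportError:                 # ModuleNotFoundError is a subclass
            results[name] = "rejected"
    return results
```

Nothing is fetched for a name that was not listed up front, so a stray `import foo` in unrelated code never reaches the network.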