[Python-ideas] Remote package/module imports through HTTP/S

John Torakis john.torakis at gmail.com
Wed Aug 23 14:41:57 EDT 2017



On 23/08/2017 21:24, Paul Moore wrote:
> On 23 August 2017 at 18:49, Chris Angelico <rosuav at gmail.com> wrote:
>> Still -1 on this becoming a stdlib package, as there's nothing I've
>> yet seen that can't be done as a third-party package. But it's less
>> scary than I thought it was :)
> IMO, this would make a great 3rd party package (I note that it's not
> yet published on PyPI). It's possible that it would end up being
> extremely popular, and recognised as sufficiently secure - at which
> point it may be worth considering for core inclusion. But it's also
> possible that it remains niche, and/or people aren't willing to take
> the security risks that it implies, in which case it's still useful to
> those who do like it.
A PyPI upload is scheduled for when some more testing and commenting has taken place.
> One aspect that hasn't been mentioned yet - as a 3rd party module, the
> user (or the organisation's security team) can control whether or not
> the ability to import over the web is available by controlling whether
> the module is allowed to be installed - whereas with a core module,
> it's there, like it or not, and *all* Python code has to be audited on
> the assumption that it might be used. 
True!
But you can urlopen()->exec() anything out there anyway! A ">>>" prompt
is all you need.
> I could easily imagine cases
> where the httpimport module was allowed on development machines and CI
> servers, but forbidden on production (and pre-production) systems.
> That option simply isn't available if the feature is in the core.
I agree that there are circumstances in which this module should not be
used (regardless of security implications), in a released product for
example. Depending on the up-ness of a remote repository (e.g. GitHub),
not to mention the API backward-compatibility of an upstream package, is
just **BAD** for a ready-released-deliverable product! This is why we
have virtual environments!

But it remains an option to use it or not! I, for example, find myself
REPLing more than scripting. When REPLing for something you plan to
implement sometime-somehow, this module is really what you need! But
when I finally create a script, I won't disable its offline
functionality just to use httpimport. That would be suicidal! When I
finally come up with a working thing, I will land the used packages on
disk and in a virtual environment.


My argument is that this module will add greatly to Python's ad-hoc
testing capabilities! I find it elegant for such a feature to be in the
stdlib of a language.
I don't doubt that it can survive as a 3rd party module, though.
>
> Paul
> _______________________________________________
> Python-ideas mailing list
> Python-ideas at python.org
> https://mail.python.org/mailman/listinfo/python-ideas
> Code of Conduct: http://python.org/psf/codeofconduct/
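An added example, not code from this thread or from httpimport: a minimal meta-path finder in the spirit of the remote-import idea, showing the two controls a security team would want before allowing such a thing anywhere (HTTPS only, and a SHA-256 pin per module, so a changed or hijacked upstream fails the import instead of running), plus the audit check Paul's point suggests: listing the finders on sys.meta_path that are not Python's own. The module name, the URLs and the in-memory stand-in for HTTP responses are constructed for the demo; nothing is fetched from the network.

```python
"""Pinned, HTTPS-only remote import hook (illustrative, not httpimport's code)."""
import hashlib
import importlib
import importlib.abc
import importlib.util
import sys
from contextlib import contextmanager

# Constructed stand-in for what a web server would answer: URL -> source bytes.
# In a real hook this would be urllib.request.urlopen(url).read().
FAKE_REMOTE = {
    "https://example.invalid/pkgs/greeter.py":
        b"def hello(name):\n    return 'hello ' + name\n",
}

# Pins are what a reviewer records after reading the code; computed here only
# so the demo is self-contained.
PINS = {
    "greeter": hashlib.sha256(
        FAKE_REMOTE["https://example.invalid/pkgs/greeter.py"]).hexdigest(),
}


class PinnedRemoteFinder(importlib.abc.MetaPathFinder, importlib.abc.Loader):
    """Serve only pinned module names from base_url, verifying each download."""

    def __init__(self, base_url, pins, remote):
        if not base_url.startswith("https://"):
            raise ValueError("refusing non-HTTPS base URL: " + base_url)
        self.base_url = base_url.rstrip("/") + "/"
        self.pins = dict(pins)      # module name -> expected sha256 hex digest
        self.remote = remote        # mapping standing in for the HTTP fetch

    def find_spec(self, fullname, path=None, target=None):
        if fullname not in self.pins:
            return None             # unpinned names fall through to the normal finders
        origin = self.base_url + fullname + ".py"
        return importlib.util.spec_from_loader(fullname, self, origin=origin)

    def create_module(self, spec):
        return None                 # let importlib create a plain module object

    def exec_module(self, module):
        origin = module.__spec__.origin
        source = self.remote.get(origin)
        if source is None:          # the "up-ness" problem: remote down means no import
            raise ImportError("remote unavailable: " + origin)
        digest = hashlib.sha256(source).hexdigest()
        if digest != self.pins[module.__name__]:
            raise ImportError("%s: sha256 %s does not match pin"
                              % (module.__name__, digest))
        exec(compile(source, origin, "exec"), module.__dict__)


@contextmanager
def installed(finder):
    """Put the finder first on sys.meta_path for the duration of the block."""
    sys.meta_path.insert(0, finder)
    try:
        yield finder
    finally:
        sys.meta_path.remove(finder)


def load_remote_module(name, pins=PINS, remote=FAKE_REMOTE,
                       base_url="https://example.invalid/pkgs"):
    """Import `name` through a temporary pinned finder and return the module."""
    sys.modules.pop(name, None)     # force a fresh fetch for the demo
    with installed(PinnedRemoteFinder(base_url, pins, remote)):
        return importlib.import_module(name)


def foreign_finders():
    """Audit check: meta-path finders that are not part of importlib itself."""
    own = ("_frozen_importlib", "_frozen_importlib_external",
           "importlib._bootstrap", "importlib._bootstrap_external")
    return [f for f in sys.meta_path if getattr(f, "__module__", "") not in own]


if __name__ == "__main__":
    print(load_remote_module("greeter").hello("python-ideas"))
```

Unlike the bare urlopen()->exec() one-liner mentioned in the thread, a finder registered on sys.meta_path is visible to `foreign_finders()`, so a production host can at least detect that remote importing is wired in; the hash pin is what turns "the upstream changed" from silent code execution into a failed import.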