[Python-ideas] Remote package/module imports through HTTP/S

Bruce Leban bruce at leban.us
Wed Aug 23 17:19:48 EDT 2017


On Wed, Aug 23, 2017 at 11:11 AM, Chris Angelico <rosuav at gmail.com> wrote:

> If you read his README, it's pretty explicit about URLs; the risk is
> that "https://github.com/someuser/somelib" can be intercepted, not
> that "someuser" is malicious. If you're worried about the latter,
> don't use httpimport.


I don't see the word "security" or "risk" in the readme. The risk is not
just that someuser is malicious but the risk that they, their github
credentials or their code have been compromised.

The reason that if this feature were to be implemented, I would want it
outside the source code (command line option) is that that puts the control
in the hands of the person running the code. This is appropriate for the
stated scenarios. There's no possibility of a hidden live github dependency.

--- Bruce
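As an added example (not code from this thread or from httpimport): a minimal import gate of the kind Bruce argues for, where the person running the code opts a module in on the command line (a hypothetical --remote-import NAME=URL@SHA256 flag, assumed here) together with a content hash, so an unlisted name is never fetched and an intercepted or changed download is refused. The fetch callable and the sample module are constructed so it runs offline.

```python
import hashlib
import importlib.abc
import importlib.util

class RemoteImportGate(importlib.abc.MetaPathFinder, importlib.abc.Loader):
    """Serve only operator-allow-listed modules, and only if the bytes match the pin."""
    def __init__(self, fetch, pins):
        self.fetch = fetch  # callable(url) -> bytes, injected so the demo runs offline
        self.pins = pins    # {module_name: (url, expected_sha256_hex)} from the command line

    def find_spec(self, fullname, path=None, target=None):
        if fullname not in self.pins:
            return None  # not allow-listed: no hidden remote dependency can sneak in
        return importlib.util.spec_from_loader(fullname, self)

    def exec_module(self, module):
        url, expected = self.pins[module.__name__]
        blob = self.fetch(url)
        digest = hashlib.sha256(blob).hexdigest()
        if digest != expected:  # intercepted download or changed upstream: refuse to run it
            raise ImportError(f"{module.__name__}: sha256 {digest} != pinned {expected}")
        exec(compile(blob, url, "exec"), module.__dict__)

def parse_pins(argv):
    """Hypothetical '--remote-import NAME=URL@SHA256' options -> {NAME: (URL, SHA256)}."""
    specs = [argv[i + 1] for i, a in enumerate(argv) if a == "--remote-import"]
    return {s.split("=", 1)[0]: tuple(s.split("=", 1)[1].rsplit("@", 1)) for s in specs}

def load(gate, name):
    spec = gate.find_spec(name)  # real use: sys.meta_path.insert(0, gate) and a plain import
    if spec is None:
        raise ImportError(f"{name}: not on the operator's allow-list")
    module = importlib.util.module_from_spec(spec)
    gate.exec_module(module)
    return module

SAMPLE_SOURCE = b"def answer():\n    return 42\n"  # constructed stand-in for a remote module
SAMPLE_SHA = hashlib.sha256(SAMPLE_SOURCE).hexdigest()

def demo():
    """Returns (answer from a correctly pinned load, whether a tampered blob was refused)."""
    argv = ["--remote-import", f"somelib_demo=https://example.invalid/somelib.py@{SAMPLE_SHA}"]
    gate = RemoteImportGate(lambda url: SAMPLE_SOURCE, parse_pins(argv))
    answer = load(gate, "somelib_demo").answer()
    gate.fetch = lambda url: SAMPLE_SOURCE + b"print('tampered')\n"  # simulated interception
    try:
        load(gate, "somelib_demo")
        return answer, False
    except ImportError:
        return answer, True
```

A real deployment would fetch over TLS with certificate verification; the pin is what catches a changed or intercepted payload even when the transport looks fine.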