[Python-ideas] Security: remove "." from sys.path?

Nathaniel Smith njs at pobox.com
Mon Jun 5 08:25:06 EDT 2017


On Mon, Jun 5, 2017 at 4:14 AM, Nick Coghlan <ncoghlan at gmail.com> wrote:
> The biggest problem with this approach is that it means that adding
> new standard library modules becomes a backwards compatibility break -
> scripts that used to work will now fail since they'll get the standard
> library module rather than the previously implicit main relative
> import. At the moment we don't have that problem - as with new
> builtins, adding a new standard library module may mean people have to
> rename things to get access to it, but their current code won't
> actually *break* as a result of the new name being assigned.

Python is a bit inconsistent about this. The standard library
currently doesn't shadow modules in the script directory, but it does
shadow site-packages, which means that new stdlib modules already can
break working code. It also makes it impossible to pip install
backport modules that intentionally shadow old stdlib modules, which
might not be a great idea but is at least plausibly useful in some
situations, while the kind of accidental shadowing one gets in the
script directory is pretty much always bad IME.

-n

-- 
Nathaniel J. Smith -- https://vorpus.org
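The shadowing described in this exchange is easy to check for before it bites. The following is an added example (not code from the thread or from CPython) that lists script-directory files or packages whose names collide with the standard library and confirms, via the import machinery, that a path search starting at that directory picks the local file over the stdlib one. The temp-dir contents are constructed for the demo, and the fallback name set for Pythons before 3.10 is a small constructed sample.

```python
"""Added example: detect script-directory modules that would shadow the stdlib.

sys.path[0] (the script's directory) is searched before the stdlib, so a local
json.py silently replaces the stdlib json module. Temp-dir files are constructed.
"""
import sys
import tempfile
from pathlib import Path
from importlib.machinery import PathFinder

# Python 3.10+ exposes the stdlib name set; older versions get a small constructed fallback.
STDLIB_NAMES = frozenset(getattr(sys, "stdlib_module_names", {"json", "os", "random", "socket"}))


def find_stdlib_shadows(directory):
    """Return sorted stdlib names that a .py file or package in `directory` would shadow."""
    shadows = set()
    for entry in Path(directory).iterdir():
        if entry.is_file() and entry.suffix == ".py":
            name = entry.stem
        elif entry.is_dir() and (entry / "__init__.py").is_file():
            name = entry.name
        else:
            continue
        if name in STDLIB_NAMES:
            shadows.add(name)
    return sorted(shadows)


def resolve_origin(name, directory):
    """File that a path search starting at `directory` (as sys.path[0] would) picks for `name`."""
    spec = PathFinder.find_spec(name, [str(directory), *sys.path])
    return spec.origin if spec is not None else None


def demo():
    """Build a constructed script directory containing json.py and check what shadows what."""
    with tempfile.TemporaryDirectory() as script_dir:
        (Path(script_dir) / "json.py").write_text("# local helper, accidentally named json\n")
        (Path(script_dir) / "helpers.py").write_text("# harmless local module\n")
        shadows = find_stdlib_shadows(script_dir)
        origin = resolve_origin("json", script_dir)
        local_wins = origin == str(Path(script_dir) / "json.py")
        return shadows, local_wins


if __name__ == "__main__":
    found, wins = demo()
    print("shadowed stdlib modules:", found, "| local json.py wins:", wins)
```

Running `find_stdlib_shadows` over a project's script directory in CI catches the accidental collisions the message calls "pretty much always bad" before a new release adds a stdlib name that changes which module wins.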

