Can I trust downloading Python?
Oscar Benjamin
oscar.j.benjamin at gmail.com
Tue Sep 10 05:45:16 EDT 2013
On 10 September 2013 01:06, Steven D'Aprano
<steve+comp.lang.python at pearwood.info> wrote:
> On Mon, 09 Sep 2013 12:19:11 +0000, Fattburger wrote:
>
> But really, we've learned *nothing* from the viruses of the 1990s.
> Remember when we used to talk about how crazy it was to download code
> from untrusted sites on the Internet and execute it? We're still doing
> it, a hundred times a day. Every time you go on the Internet, you
> download other people's code and execute it. Javascript, Flash, HTML5,
> PDF are all either executable, or they include executable components. Now
> they're *supposed* to be sandboxed, but we've gone from "don't execute
> untrusted code" to "let's hope my browser doesn't have any bugs that the
> untrusted code might exploit".
You could have also mentioned pip/PyPI in that. 'pip install X'
downloads and runs arbitrary code from a largely unmonitored and
uncontrolled code repository. The maintainers of PyPI can only try to
ensure that the original author of X would remain in control of what
happens and could remove a package X if it were discovered to be
malware. However they don't have anything like the resources to
monitor all the code coming in so it's essentially a system based on
trust in the authors where the only requirement to be an author is
that you have an email address. Occasionally I see the suggestion to
do 'sudo pip install X' which literally gives root permissions to
arbitrary code coming straight from the net.
Oscar
More information about the Python-list
mailing list