Can I trust downloading Python?

Tom P werotizy at freent.dd
Tue Sep 10 06:26:55 EDT 2013


On 10.09.2013 11:45, Oscar Benjamin wrote:
> On 10 September 2013 01:06, Steven D'Aprano
> <steve+comp.lang.python at pearwood.info> wrote:
>> On Mon, 09 Sep 2013 12:19:11 +0000, Fattburger wrote:
>>
>> But really, we've learned *nothing* from the viruses of the 1990s.
>> Remember when we used to talk about how crazy it was to download code
>> from untrusted sites on the Internet and execute it? We're still doing
>> it, a hundred times a day. Every time you go on the Internet, you
>> download other people's code and execute it. JavaScript, Flash, HTML5,
>> PDF are all either executable, or they include executable components. Now
>> they're *supposed* to be sandboxed, but we've gone from "don't execute
>> untrusted code" to "let's hope my browser doesn't have any bugs that the
>> untrusted code might exploit".
>
> You could have also mentioned pip/PyPI in that. 'pip install X'
> downloads and runs arbitrary code from a largely unmonitored and
> uncontrolled code repository. The maintainers of PyPI can only try to
> ensure that the original author of X would remain in control of what
> happens and could remove a package X if it were discovered to be
> malware. However they don't have anything like the resources to
> monitor all the code coming in so it's essentially a system based on
> trust in the authors where the only requirement to be an author is
> that you have an email address. Occasionally I see the suggestion to
> do 'sudo pip install X' which literally gives root permissions to
> arbitrary code coming straight from the net.
>
>
> Oscar
>

Interesting observation
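The thread's point is that 'pip install X' fetches and executes whatever the index currently serves. The usual mitigation is to pin each dependency to an exact version plus the SHA-256 of the artifact you reviewed, and refuse anything that does not match. The following script is an added example and not code from the thread or from pip; it parses requirement lines in pip's `--hash=sha256:` form (the form pip enforces under `--require-hashes`) and checks a downloaded file against the pinned digests before you would hand it to an installer. The package name, version and file content are constructed for the demonstration.

```python
"""Check a downloaded package artifact against a pinned SHA-256 before
installing it, rather than trusting whatever the index serves today.
Added example; not from the mailing-list post or from pip itself."""
import hashlib
import re
import tempfile
from pathlib import Path

# Matches the pip requirements-file form used with --require-hashes,
# e.g. "requests==2.31.0 --hash=sha256:<64 hex chars>" (one or more hashes).
_REQ_LINE = re.compile(
    r"^\s*(?P<name>[A-Za-z0-9_.-]+)==(?P<version>\S+)"
    r"(?P<hashes>(?:\s+--hash=sha256:[0-9a-f]{64})+)\s*$"
)
_HASH = re.compile(r"--hash=sha256:([0-9a-f]{64})")


def parse_pinned_requirement(line):
    """Return (name, version, {sha256 hex digests}) for a fully pinned line.

    Raises ValueError for anything that is not '==' pinned with at least one
    sha256 hash, so an unpinned or range requirement can never slip through.
    """
    m = _REQ_LINE.match(line)
    if not m:
        raise ValueError(f"requirement is not pinned with a sha256 hash: {line!r}")
    digests = set(_HASH.findall(m.group("hashes")))
    return m.group("name"), m.group("version"), digests


def sha256_of_file(path, chunk_size=1 << 16):
    """Stream the file through SHA-256 so large wheels don't have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_artifact(path, allowed_digests):
    """True only if the file's SHA-256 is one of the pinned digests."""
    return sha256_of_file(path) in allowed_digests


def demo():
    """Constructed walk-through: pin a fake artifact, verify it, then show that
    a modified file (as a swapped upload would be) is rejected."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed sample artifact; the name 'examplepkg' is hypothetical.
        artifact = Path(tmp) / "examplepkg-1.0.0-py3-none-any.whl"
        artifact.write_bytes(b"constructed wheel content for the example\n")
        good = hashlib.sha256(artifact.read_bytes()).hexdigest()

        line = f"examplepkg==1.0.0 --hash=sha256:{good}"
        name, version, digests = parse_pinned_requirement(line)
        ok = verify_artifact(artifact, digests)

        # Simulate the artifact being replaced after the hash was pinned.
        artifact.write_bytes(b"constructed wheel content, modified\n")
        tampered_ok = verify_artifact(artifact, digests)
        return name, version, ok, tampered_ok


if __name__ == "__main__":
    print(demo())  # expected: ('examplepkg', '1.0.0', True, False)
```

The check only moves the trust decision from "whatever the index serves at install time" to "the file I hashed when I reviewed it"; it does not make the reviewed code safe, and installing with elevated privileges still runs that code as root, which is the point Oscar raises about 'sudo pip install'.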