[Python-ideas] Enhancing Zipapp

Abdur-Rahmaan Janhangeer arj.python at gmail.com
Mon Jan 6 15:15:27 EST 2020


Yours,

Abdur-Rahmaan Janhangeer
pythonmembers.club <http://www.pythonmembers.club/> | github
<https://github.com/Abdur-rahmaanJ>
Mauritius


On Mon, Jan 6, 2020 at 11:53 PM Chris Angelico <rosuav at gmail.com> wrote:

> On Tue, Jan 7, 2020 at 6:37 AM Abdur-Rahmaan Janhangeer
> <arj.python at gmail.com> wrote:
> Where is this directory? What if it already contains content?
>

It's sometimes typical for extracted zips to be in temporary folders. If we are including wheels, maybe we can have a permanent folder for extracting the wheels, and the interpreter looks for those in it.

> Are you proposing that *any* zipapp archive is capable of downloading
> arbitrary code from the internet and then running it, without any
> prompting from the user?
>

Exactly the opposite: the archive bundler includes all that has to be included so that the app runner does not have to do it. Proposing to include pa

If we are talking about the scenario where malware is already lying in wait in the packages folder, then it's the same as malware entering the interpreter's site-packages.

If we are talking about malicious code in a package that gets called when running the zipapp without a prompt, then that's the same issue as with all executables (like apps built with pyinstaller). If we ever want to mitigate that risk, it depends on whether we trust the sender. That's also where the proposed security features come into play.

