[Python-ideas] Remote package/module imports through HTTP/S
Chris Angelico
rosuav at gmail.com
Wed Aug 23 14:11:26 EDT 2017
On Thu, Aug 24, 2017 at 4:04 AM, Bruce Leban <bruce at leban.us> wrote:
>
> On Wed, Aug 23, 2017 at 10:37 AM, John Torakis <john.torakis at gmail.com>
> wrote:
>>
>>
>> Github can be trusted 100% percent for example.
>
>
> This isn't even remotely close to true. While I'd agree with the statement
> that the SSL cert on github is reasonably trustworthy, the *content* on
> github is NOT trustworthy and that's where the security risk is.
>
> I agree that this is a useful feature and there is no way it should be on by
> default. The right way IMHO to do this is to have a command line option
> something like this:
>
> python --http-import somelib=https://github.com/someuser/somelib
If you read his README, it's pretty explicit about URLs; the risk is
that "https://github.com/someuser/somelib" can be intercepted, not
that "someuser" is malicious. If you're worried about the latter,
don't use httpimport.
ChrisA
More information about the Python-ideas
mailing list