[Tutor] when is a generator "smart?"

Tue Jun 4 03:28:00 CEST 2013

On 4 June 2013 01:00, Jim Mooney <cybervigilante at gmail.com> wrote:
>> Maybe or maybe not. When you run 'python setup.py install' (this
>> happens implicitly when using pip), Python will try to run the
>> setup.py script. At this point the script can do anything that its
>> author likes. It could check for versions, it could just install and
>> be broken, it could delete random files or damage your system in a
>> malicious way. The author may have written the package at a time when
>> Python 3 didn't exist so they didn't see the need to check for Python
>> version and wrote code that wouldn't work in Python 3.
>
> Using Python 2.7 on Windows 7

I guess at some point that someone told you to "always state the
Python version and OS" but really it's only necessary when it's
relevant. Sometimes it might not be obvious if it's relevant or not
and if so it's best to mention it. Mainly it will be relevant if
you're talking about actual code or the availability of particular
modules (for this post it isn't).

> That's scary. But are we talking modules from wherever or PyPI
> modules?

You always should be cautious about downloading code and running it.
Even more so if you're going to use admin/root privileges to run it.
However I've never actually had a problem with this whether I get
packages from PyPI or from sourceforge/github/bitbucket etc. In the
case of pip, when you run 'pip install X' what you need to understand
is that PyPI can only guarantee that the code there was uploaded by
whoever initially registered the name X on PyPI. Anyone can register
the name but once they have they will control that name in the PyPI
namespace unless PyPI or their PyPI account gets hacked. There are a
number of ongoing efforts to improve security around PyPI and one part
of that is to abolish the "run setup.py to install" concept.

> I figured the modules on the official PyPI index would be
> checked to some degree, and be safe.

No they are not. You can test this yourself: anyone can register a
name and upload any code they want. There are two protections that
PyPI currently offers. The first is that once a name is registered no
one else can upload code under that name. The second is that if
someone does upload malware and it is reported to the PyPI admins then
they can remove it but only retrospectively. There is no proactive
checking of the code that goes onto PyPI.

> I guess I'll always look into the
> setup.py to see if it contains any obvious gotchas. Oops - pip
> downloads and installs automatically - I never see setup.py. Might be
> best to download, inspect, then run the install.

I personally rarely do this and would only actually bother if
installing a very obscure package. I think that widely used packages
can be trusted (in this sense) not to do harm.

Oscar