On Wed, Aug 18, 2010 at 08:12:24PM +0200, Iustin Pop wrote:
> On Wed, Aug 18, 2010 at 07:46:37PM +0200, Peter Palfrader wrote:
> > It might not be something we can fix for this release, but I think this
> > is a significant security bug in the source package.
>
> Unfortunately, my first investigation shows that this is a generic
> problem with setuptools, and one that is not easy to disable. So while a correct
> dependency will work around the automatic download, I'm not sure it's
> possible to ensure that the download code will not be called in the face of
> weird situations.
Scratch that, this is easily fixable (the package ships the ez_setup.py stub with it, and it's a trivial patch to disable the auto-download).

iustin