Greg Ewing <greg.ewing <at> canterbury.ac.nz> writes: > > Doesn't the existing .pyc mechanism have the same problem? Seems > to me it's just as insecure to allow the Apache user to create > .pyc files, since an attacker could overwrite them with arbitrary > bytecode.
The problem is that you can't delete the __pycache__ directory if it doesn't have the right ownership and if it's non-empty. This problem doesn't exist with a pyc file situated in a directory you own. > > Actually, __pycache__ creation doesn't have to be part of the import mechanism. > > It can be part of distutils instead (or whatever third-party tool > > What about development, The main point of the __pycache__ proposal is to solve the needs of Ubuntu/Debian packagers. If you are developing (rather than deploying or building packages), you shouldn't have these needs AFAICT. > or if a user installs by dragging into > site-packages instead of using an installer? Well... do people actually do this? "python setup.py install" is simpler than finding the right place to drag your package to, and doing the dragging. It also gives you metadata for free. And there's less risk of screwing up. _______________________________________________ Python-Dev mailing list Python-Dev@python.org http://mail.python.org/mailman/listinfo/python-dev Unsubscribe: http://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
