On 4 June 2013 01:00, Jim Mooney <cybervigila...@gmail.com> wrote:
>> Maybe or maybe not. When you run 'python setup.py install' (this
>> happens implicitly when using pip), Python will try to run the
>> setup.py script. At this point the script can do anything that its
>> author likes. It could check for versions, it could just install and
>> be broken, it could delete random files or damage your system in a
>> malicious way. The author may have written the package at a time when
>> Python 3 didn't exist so they didn't see the need to check for Python
>> version and wrote code that wouldn't work in Python 3.
>
> Using Python 2.7 on Windows 7

I guess at some point someone told you to "always state the Python version and OS", but really it's only necessary when it's relevant. Sometimes it might not be obvious whether it's relevant or not, and if so it's best to mention it. Mainly it will be relevant if you're talking about actual code or the availability of particular modules (for this post it isn't).

> That's scary. But are we talking modules from wherever or PyPI
> modules?

You should always be cautious about downloading code and running it. Even more so if you're going to use admin/root privileges to run it. However, I've never actually had a problem with this, whether I get packages from PyPI or from sourceforge/github/bitbucket etc.

In the case of pip, when you run 'pip install X' what you need to understand is that PyPI can only guarantee that the code there was uploaded by whoever initially registered the name X on PyPI. Anyone can register the name, but once they have they will control that name in the PyPI namespace unless PyPI or their PyPI account gets hacked. There are a number of ongoing efforts to improve security around PyPI and one part of that is to abolish the "run setup.py to install" concept.

> I figured the modules on the official PyPI index would be
> checked to some degree, and be safe.

No, they are not. You can test this yourself: anyone can register a name and upload any code they want. There are two protections that PyPI currently offers. The first is that once a name is registered no one else can upload code under that name. The second is that if someone does upload malware and it is reported to the PyPI admins then they can remove it, but only retrospectively. There is no proactive checking of the code that goes onto PyPI.

> I guess I'll always look into the
> setup.py to see if it contains any obvious gotchas. Oops - pip
> downloads and installs automatically - I never see setup.py. Might be
> best to download, inspect, then run the install.

I personally rarely do this and would only actually bother if installing a very obscure package. I think that widely used packages can be trusted (in this sense) not to do harm.

Oscar
_______________________________________________
Tutor maillist - Tutor@python.org
To unsubscribe or change subscription options:
http://mail.python.org/mailman/listinfo/tutor
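The "download, inspect, then run the install" step discussed in the thread, as an added example that is not from the original post or from pip itself: a script that pulls setup.py out of an sdist archive (the kind of file `pip download --no-deps --no-binary :all: NAME` fetches) and summarises its imports and module-level calls with `ast`, without executing any of it. The sdist and its setup.py are constructed inline so the script runs offline, and the WATCHLIST set of modules worth a second look is an assumption.

```python
import ast
import io
import tarfile

# Constructed sample sdist contents (not a real package), standing in for
# the archive you would otherwise download. Note the call made before setup().
SAMPLE_SETUP_PY = b"""\
import os
import subprocess
from setuptools import setup

subprocess.call(["echo", "running before setup()"])  # runs at install time
setup(name="examplepkg", version="0.1")
"""

def build_sample_sdist() -> bytes:
    """Build a minimal .tar.gz sdist in memory containing the sample setup.py."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("examplepkg-0.1/setup.py")
        info.size = len(SAMPLE_SETUP_PY)
        tar.addfile(info, io.BytesIO(SAMPLE_SETUP_PY))
    return buf.getvalue()

# Assumed watchlist: modules whose presence in setup.py merits reading it closely.
WATCHLIST = {"os", "subprocess", "shutil", "socket", "urllib", "ctypes"}

def read_setup_py(sdist_bytes: bytes) -> str:
    """Extract setup.py text from an sdist tarball without running anything."""
    with tarfile.open(fileobj=io.BytesIO(sdist_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile() and member.name.endswith("/setup.py"):
                return tar.extractfile(member).read().decode("utf-8")
    raise ValueError("no setup.py in archive")

def inspect_setup_py(source: str) -> dict:
    """Static summary: imported modules and the calls made at module level."""
    tree = ast.parse(source)
    imports, calls = set(), []
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            imports.update(a.name.split(".")[0] for a in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module:
            imports.add(node.module.split(".")[0])
    for stmt in tree.body:  # top-level statements run unconditionally at install
        if isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call):
            calls.append(ast.unparse(stmt.value.func))
    return {"imports": sorted(imports),
            "flagged_imports": sorted(imports & WATCHLIST),
            "top_level_calls": calls}

if __name__ == "__main__":
    print(inspect_setup_py(read_setup_py(build_sample_sdist())))
```

The summary only tells you what to read, not whether it is safe; anything flagged still has to be read by a person before `pip install` is run on it.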