Re: Remote package/module imports through HTTP/S
From: "Stephen J. Turnbull" <turnbull.stephen.fw-AT-u.tsukuba.ac.jp>
To: John Torakis <john.torakis-Re5JQEeQqe8AvxtiuMwx3w-AT-public.gmane.org>
Subject: Re: Remote package/module imports through HTTP/S
Date: Thu, 24 Aug 2017 11:26:26 +0900
Message-ID: <22942.14674.486061.623216@turnbull.sk.tsukuba.ac.jp>
Cc: python-ideas-+ZN9ApsXKcEdnm+yROfE0A-AT-public.gmane.org
John Torakis writes:

> But, as it seems like it is a very big feature (to me at least),

And "pip install httpimport" seems like it is a very small burden (to me at least).

I agree with Paul Moore. Putting this in the stdlib seems both unnecessary, given pip, and an attractive nuisance for naive users. From the point of view of the blue team, checking for mere presence of httpimport in the environment is indicative of danger if it's pip-able, useless if it's in the stdlib.

With respect to "it just makes exec(urlopen()) easier", any code must be audited for application of exec() to user input anyway, regardless of whether it fetches stuff off the Internet. Adding httpimport use to the checklist adds a little bit of complexity to *every* security check, and a fair amount of danger in security-oblivious environments such as many university labs, and I would imagine many corporate development groups as well.

YMMV, but from the point of view of the larger, security-conscious organization, I would say -1. It's an attractive nuisance unless you're a security person, and then pip is not a big deal.

Steve
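The two blue-team checks Stephen describes, the presence of `httpimport` in an environment and the `exec(urlopen())` pattern in a code base, can be made mechanical. The script below is an added example and is not code from the thread or from the httpimport project; `audit_source`, `httpimport_installed` and the constructed `SAMPLE` source are my own names. It uses only the standard library: `importlib.util.find_spec` to answer "is httpimport pip-installed here?", and `ast` to flag `import httpimport` statements plus `exec`/`eval` calls whose argument is, directly or via a simple assignment, the result of a `urlopen()` call.

```python
"""Added example (not part of the python-ideas thread): a small defender-side
audit for the two indicators discussed, httpimport presence and exec/eval of
content fetched with urllib's urlopen()."""
import ast
import importlib.util

DYNAMIC_EXEC = {"exec", "eval"}   # calls that turn data into code
NETWORK_FETCH = {"urlopen"}       # urllib.request.urlopen, by bare or attribute name


def httpimport_installed():
    """True if a module named 'httpimport' resolves in this interpreter.

    As the thread notes, this is a useful indicator only while httpimport is a
    third-party (pip-installed) package rather than part of the stdlib."""
    return importlib.util.find_spec("httpimport") is not None


def _callee_name(call):
    """Return the simple name a Call node invokes (exec, urlopen, ...), or None."""
    func = call.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return None


def _fetches_from_network(node, tainted):
    """True if the subtree contains a urlopen() call or a name assigned from one."""
    for sub in ast.walk(node):
        if isinstance(sub, ast.Call) and _callee_name(sub) in NETWORK_FETCH:
            return True
        if isinstance(sub, ast.Name) and sub.id in tainted:
            return True
    return False


def audit_source(src):
    """Scan Python source text; return sorted (line, finding) pairs.

    Findings are 'httpimport-import' for any import of httpimport, and
    'exec-of-network-fetch' for exec()/eval() whose argument derives from urlopen().
    Taint tracking is deliberately shallow: single-name assignments only."""
    tree = ast.parse(src)
    findings = []

    # Pass 1: names assigned (directly) from a urlopen() result.
    tainted = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign) and _fetches_from_network(node.value, tainted):
            for target in node.targets:
                if isinstance(target, ast.Name):
                    tainted.add(target.id)

    # Pass 2: the indicators themselves.
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            if any(alias.name == "httpimport" for alias in node.names):
                findings.append((node.lineno, "httpimport-import"))
        elif isinstance(node, ast.ImportFrom):
            if node.module == "httpimport":
                findings.append((node.lineno, "httpimport-import"))
        elif isinstance(node, ast.Call) and _callee_name(node) in DYNAMIC_EXEC:
            if any(_fetches_from_network(arg, tainted) for arg in node.args):
                findings.append((node.lineno, "exec-of-network-fetch"))
    return sorted(findings)


# Constructed sample source for the audit; not taken from any real project.
SAMPLE = '''
from urllib.request import urlopen
import httpimport

def safe():
    exec("print(1)")

def direct(url):
    exec(urlopen(url).read())

def indirect(url):
    body = urlopen(url).read().decode()
    eval(body)
'''

if __name__ == "__main__":
    print("httpimport installed:", httpimport_installed())
    for line, kind in audit_source(SAMPLE):
        print(f"line {line}: {kind}")
```

On the constructed sample the audit reports the `import httpimport` on line 3 and the `exec`/`eval` on lines 9 and 13, while the literal `exec("print(1)")` on line 6 is left alone. Pointing `audit_source` at real files is a matter of reading them and calling it per file; the shallow taint tracking will miss fetched content that passes through a function parameter or a container, which is exactly why the thread argues that every `exec()` of non-literal input still needs a human audit.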