On Apr 21, 2008, at 3:42 PM, Phillip J. Eby wrote:

> At 03:24 PM 4/21/2008 -0400, Pete wrote:
>> On both linux & OS X, Setuptools installs all .py/.pyc files with mode
>> a+x (executable for all users). This occurs regardless of the original
>> permissions in the source tarball. Doing so breaks nosetests,
>> which by default refuses to import executable files for test-discovery
>> purposes as a safety measure.
>>
>> This behavior is broken & dangerous.
>
> I don't see how it's either one. An explanation would be helpful.

It's broken in that the source tarball includes per-file permissions and setuptools is blindly overriding them. I realize that's simply restating my original complaint, but seeing as setuptools must be *explicitly* changing the permissions on the installed files, perhaps the onus is on you to explain why that's a good idea in the first place.

In any event, a motivating example:

Some non-script modules are intended to be executable - think doctest, or anything else that does a `if __name__ == "__main__":`. As a developer, I purposely set such modules executable (including setting svn:executable) and leave the others as r-w.

And there lies the danger. The executable bit is an indication that a file is intended to be executable. Unix-like systems will treat running a file without a leading #! as a shell script. This can cause arbitrary commands to be executed - for example, this is valid python:

    rm -f /usr

Perhaps contrived, but should demonstrate the point. As a more realistic example, `import` is an imagelib command that takes over the X cursor (for taking a screenshot IIRC).

> Note, by the way, that setuptools is not particularly designed to
> support running tests against an installed package; I myself have
> stopped distributing tests in installed packages and require a
> source installation (e.g. using easy_install --editable) to run tests.

I'm not looking for explicit testing support from setuptools for testing here - I'm just asking that a bug that breaks a 3rd party testing package be fixed.

-- 
Pete
[EMAIL PROTECTED]
_______________________________________________
Distutils-SIG maillist - [email protected]
http://mail.python.org/mailman/listinfo/distutils-sig
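
An audit for the condition discussed in this message, added here as an example and not part of the original thread or of setuptools: it walks an install tree and reports .py files that carry an execute bit but have no leading #!, then clears the bit on them. The function names and the sample tree are constructed for illustration.

```python
import os
import stat
import tempfile

EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH

def has_shebang(path):
    """True if the file starts with '#!', so an interpreter is named explicitly."""
    with open(path, "rb") as fh:
        return fh.read(2) == b"#!"

def find_risky_modules(root):
    """Sorted relative paths of regular .py files that are executable but lack '#!'."""
    risky = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".py"):
                continue
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: do not follow symlinks out of the tree
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & EXEC_BITS and not has_shebang(path):
                risky.append(os.path.relpath(path, root))
    return sorted(risky)

def clear_exec_bits(root, relpaths):
    """Remove u+x, g+x and o+x from the listed files, leaving other bits alone."""
    for rel in relpaths:
        path = os.path.join(root, rel)
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        os.chmod(path, mode & ~EXEC_BITS)

def build_sample_tree():
    """Constructed sample: one module installed a+x, one real script, one 0644 module."""
    root = tempfile.mkdtemp(prefix="instperm-")
    samples = {
        "pkg/plain.py": ("import os\n", 0o755),                  # flagged
        "pkg/tool.py": ("#!/usr/bin/env python\nx = 1\n", 0o755),  # has shebang
        "pkg/lib.py": ("x = 1\n", 0o644),                        # not executable
    }
    for rel, (body, mode) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, mode)
    return root

if __name__ == "__main__":
    print(find_risky_modules(build_sample_tree()))
```

To check a real installation, pass the site-packages directory to find_risky_modules() instead of the sample tree.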
