On Apr 22, 2008, at 12:19 PM, Phillip J. Eby wrote:
> At 11:49 AM 4/22/2008 -0400, Pete wrote:
>> On Apr 21, 2008, at 6:01 PM, Phillip J. Eby wrote:
>>> At 04:23 PM 4/21/2008 -0400, Pete wrote:
>>>> I'm not looking for explicit testing support from setuptools for
>>>> testing here - I'm just asking that a bug that breaks a 3rd party
>>>> testing package be fixed.
>>> You haven't stated anything yet that sounds like an actual bug to
>>> me.
>> What about the dangerous & broken complaint?
> Which I don't yet understand, let alone agree with. Simply
> asserting over and over that it's bad and dangerous doesn't help.

This bit, from my email on April 21, 2008 4:23:09; Ben Finney's point
about tests being silently skipped is also valid, and was how I
originally came across this problem.
In any event, a motivating example:
Some non-script modules are intended to be executable - think doctest,
or anything else that does a `if __name__ == '__main__':`. As a
developer, I purposely set such modules executable (including setting
svn:executable) and leave the others as r-w.
And there lies the danger. The executable bit is an indication that a
file is intended to be executable. Unix-like systems will treat
running a file without a leading #! as a shell script. This can cause
arbitrary commands to be executed - for example, this is valid Python:

    rm -f /usr

Perhaps contrived, but should demonstrate the point. As a more
realistic example, `import` is an imagelib command that takes over the
X cursor (for taking a screenshot IIRC).

> One thing that you particularly seem to be missing is that the
> distutils also ignore a Python module's source permissions --
> whether they come from a tarball or not.

Ok, but AFAIK distutils doesn't then +x everything, which is the
problem here.
--
Pete
_______________________________________________
Distutils-SIG maillist - [email protected]
http://mail.python.org/mailman/listinfo/distutils-sig
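
Added example (not part of the original message, and not setuptools or distutils code): a check for the condition discussed in the thread, .py files that carry an execute bit but have no `#!` first line and would therefore be run as shell scripts if executed directly. The function names and the constructed sample tree are assumptions made for illustration.

```python
import os
import stat
import tempfile

EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def has_shebang(path):
    """True if the file starts with '#!', so the kernel picks the interpreter."""
    with open(path, "rb") as fh:
        return fh.read(2) == b"#!"


def find_shebangless_executables(root, suffix=".py"):
    """Return sorted paths under root that are executable but lack a '#!' line."""
    flagged = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if not name.endswith(suffix):
                continue
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks and other non-regular files
            if st.st_mode & EXEC_BITS and not has_shebang(path):
                flagged.append(path)
    return sorted(flagged)


def build_constructed_tree(root):
    """Constructed sample input: three modules with different mode/shebang mixes."""
    samples = {
        "module.py": ("import os\n", 0o755),                     # +x, no shebang
        "tool.py": ("#!/usr/bin/env python\nimport os\n", 0o755),  # +x, shebang
        "lib.py": ("import os\n", 0o644),                        # not executable
    }
    for name, (body, mode) in samples.items():
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, mode)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_tree(tmp)
        for path in find_shebangless_executables(tmp):
            print("executable without #!:", path)
```

Pointing `find_shebangless_executables` at an installed package directory lists the modules whose mode was widened without an interpreter line being present.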