Stefan Behnel wrote:
> Leonardo Santagada wrote:
>
>> The biggest problem I see is security, but if people are really
>> interested in this we could at least try it no?
>>
>
> Security certainly is a major issue here. Anyone can upload packages to
> PyPI, so you can run arbitrary code on tons of machines, just by pushing
> some well-forged setup.py script there.
>
Since it would be inside a VM, the major risk would be running some kind of malicious server of some kind inside the setup script - but it should be relatively easy to make sure the VM prevents that from happening?

It is a major issue, but I would guess it has been solved by the build service system (which is really great BTW, I think it is a very significant advancement, under-rated project for open source software deployment).

cheers,

David
_______________________________________________
Distutils-SIG maillist - Distutils-SIG@python.org
http://mail.python.org/mailman/listinfo/distutils-sig