On Fri, May 24, 2013 at 07:20 -0400, Donald Stufft wrote:
> On May 24, 2013, at 7:17 AM, Vinay Sajip <vinay_sa...@yahoo.co.uk> wrote:
>
> >> From: holger krekel <hol...@merlinux.eu>
> >>
> >> Nice. How do you actually get at the dependencies? Don't you
> >> need to execute setup.py for that?
> >
> > Yes, that's how it's done. However, the idea is to do it once per uploaded
> > release and remember the results, so an installer tool like pip doesn't
> > have to download and run setup.py every time :-)
>
> So what you're saying is I can root your machine with a setup.py? ;)
That's the immediate risk, indeed :) However, I guess one could use a VM with a chroot and a dedicated user and timeout the setup after 20 seconds or so to regain some safety. It's a bit horrible but OTOH I'd really like to have this information (especially the deps) without requiring everybody to switch to a new packaging format first.

holger
_______________________________________________
Distutils-SIG maillist - Distutils-SIG@python.org
http://mail.python.org/mailman/listinfo/distutils-sig
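An added example of the "run it once, under a timeout, and remember the result" step holger sketches, not code from the thread or from pip: it executes an untrusted setup.py only for its metadata, in a throw-away directory with a scrubbed environment, rlimits and a hard wall-clock timeout that kills the whole process group. It assumes setuptools' `egg_info` command and its `<name>.egg-info/requires.txt` output; the rlimits are a weaker stand-in for the VM + chroot + dedicated user he describes, and the stub setup.py sources used for checking are constructed.

```python
# Added example, not code from the thread. Assumes setuptools' egg_info
# command (writes <name>.egg-info/requires.txt in the working directory).
# rlimits + timeout are a weaker stand-in for a VM/chroot/dedicated user.
import glob, os, resource, signal, subprocess, sys, tempfile, textwrap

def _limit_resources():
    """Runs in the child before exec: cap CPU seconds and file size, no core dumps."""
    resource.setrlimit(resource.RLIMIT_CPU, (10, 10))
    resource.setrlimit(resource.RLIMIT_FSIZE, (64 << 20, 64 << 20))
    resource.setrlimit(resource.RLIMIT_CORE, (0, 0))

def parse_requires(text):
    """requires.txt: bare lines are core deps, a [name] header starts an extra."""
    deps, extra = {"": []}, ""
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            extra = line[1:-1]
            deps.setdefault(extra, [])
        elif line:
            deps[extra].append(line)
    return deps

def run_setup_metadata(src_dir, timeout=20):
    """Run `setup.py egg_info` in src_dir; return (status, deps-by-extra)."""
    env = {"PATH": os.environ.get("PATH", "/usr/bin:/bin"), "HOME": src_dir, "LANG": "C"}
    proc = subprocess.Popen([sys.executable, "setup.py", "egg_info"], cwd=src_dir, env=env,
                            stdin=subprocess.DEVNULL, stdout=subprocess.DEVNULL,
                            stderr=subprocess.DEVNULL, preexec_fn=_limit_resources,
                            start_new_session=True)  # own process group
    try:
        proc.wait(timeout=timeout)
    except subprocess.TimeoutExpired:
        os.killpg(proc.pid, signal.SIGKILL)  # take setup.py and anything it spawned with it
        proc.wait()
        return "timeout", {}
    if proc.returncode != 0:
        return "failed", {}
    found = glob.glob(os.path.join(src_dir, "*.egg-info", "requires.txt"))
    if not found:
        return "ok", {"": []}  # egg_info ran but declared no install_requires
    with open(found[0]) as fh:
        return "ok", parse_requires(fh.read())

def run_constructed(setup_py_source, timeout=2):
    """Write a constructed setup.py into a temp dir and run it under the limits."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "setup.py"), "w") as fh:
            fh.write(textwrap.dedent(setup_py_source))
        return run_setup_metadata(d, timeout=timeout)
```

With a real package directory, `run_setup_metadata(path)` returns `("ok", {"": [...], "extra": [...]})`; a setup.py that hangs or forks helpers is reported as `("timeout", {})` and nothing it started outlives the call.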