I'd be a -1 on dynamic modification of installed apps. That's the 
developer's responsibility to add in, and should be implicit by design. 
The list of apps needs to come from somewhere via configuration, and Django 
defines that configuration to be done explicitly.

I believe some of the major security holes in WordPress come from being 
able to add in plugins and projects dynamically. You might be discounting 
this, but it does open up a fairly large attack vector.


On Tuesday, February 21, 2023 at 1:54:01 AM UTC-5 Christian González wrote:

> On 20.02.23 at 14:23, Jacob Rief wrote:
> > Isn't it a bit dangerous to auto-add a package from PyPI to a running 
> > Django installation? That module then gains full database access and 
> > could do all kind of nasty stuff.
> > Maybe I am a bit naive here, but 3rd party packages sometimes get 
> > installed incautiously.
>
> Hi Jacob,
>
> No, I don't think so. It is generally "dangerous" to run code when you don't 
> know what it does ;-)
> In my case it is even more dangerous to run code I wrote myself, hehe.
>
> But really, if you install ANY package via pip, you have to trust that 
> package. So it doesn't matter if you install a Django GDAPS auto-plugin 
> package or django-money. You would have to add it manually to your 
> settings.py/INSTALLED_APPS anyway to use it.
> GDAPS is intended to enable plugins for a main application - e.g. there 
> is medux, and medux.plugins.laboratory - both from the same vendor. 
> There is no trust problem when installing your own packages.
>
> Christian
>
> -- 
> Dr. Christian González
> https://nerdocs.at
>
>

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers  (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-developers+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/6c3ea57a-c66d-40cf-809b-899d3b0d2b98n%40googlegroups.com.
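To make the design point concrete, here is an added example (not GDAPS, Django or any poster's code) contrasting the two approaches argued over above: entry-point style auto-discovery, where every installed distribution that registers a plugin becomes an app at startup, versus an explicit INSTALLED_APPS plus a pinned allowlist that also checks which distribution provides each plugin. The EntryPoint class stands in for what importlib.metadata would report so the example runs offline; the entry-point group name, the distribution names, and the "totally-harmless" package are constructed assumptions.

```python
"""Auto-discovered vs explicitly configured Django plugin apps (added example)."""
import re
from dataclasses import dataclass

# Hypothetical entry-point group a plugin framework might use (assumption).
PLUGIN_GROUP = "example.django_plugins"
# A dotted module path as it would appear in INSTALLED_APPS.
_MODULE_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)*$")


@dataclass(frozen=True)
class EntryPoint:
    """Stand-in for importlib.metadata.EntryPoint plus the providing distribution."""
    name: str
    value: str   # "module.path" or "module.path:attr", as in entry_points.txt
    group: str
    dist: str    # distribution that registered the entry point


# Constructed snapshot of what pip has installed into this environment.
# The third entry is an arbitrary package that merely registered the group.
INSTALLED_ENTRY_POINTS = [
    EntryPoint("laboratory", "medux.plugins.laboratory", PLUGIN_GROUP, "medux-plugins-laboratory"),
    EntryPoint("money", "djmoney", "console_scripts", "django-money"),
    EntryPoint("helper", "totally_harmless.apps", PLUGIN_GROUP, "totally-harmless"),
]


def auto_discover(entry_points, group=PLUGIN_GROUP):
    """Naive discovery: any installed distribution that registers `group`
    becomes an installed app. Whoever gets a package into the environment
    (a careless `pip install`, a typo-squatted name, a compromised transitive
    dependency) gets its module imported with full app privileges at startup."""
    return [ep.value.split(":")[0] for ep in entry_points if ep.group == group]


def explicit_apps(entry_points, installed_apps, plugin_allowlist, group=PLUGIN_GROUP):
    """Explicit configuration: settings name the apps, and plugins are only
    loaded if (a) the settings allowlist names them, (b) the distribution that
    provides them is the one the settings expect, and (c) the module path is
    well-formed. Returns (apps_to_load, rejected) where rejected is a list of
    (plugin_name, reason) for everything that was registered but not loaded."""
    apps = list(installed_apps)
    rejected = []
    registered = {ep.name: ep for ep in entry_points if ep.group == group}

    for name, expected_dist in plugin_allowlist.items():
        ep = registered.get(name)
        if ep is None:
            rejected.append((name, "not installed"))
            continue
        module = ep.value.split(":")[0]
        if ep.dist != expected_dist:
            rejected.append((name, f"provided by {ep.dist}, expected {expected_dist}"))
            continue
        if not _MODULE_RE.match(module):
            rejected.append((name, "malformed module path"))
            continue
        apps.append(module)

    # Anything that registered the group but is not in the allowlist is
    # reported rather than silently loaded.
    for name, ep in registered.items():
        if name not in plugin_allowlist:
            rejected.append((name, f"not in allowlist ({ep.dist})"))
    return apps, rejected


if __name__ == "__main__":
    print("auto-discovered:", auto_discover(INSTALLED_ENTRY_POINTS))
    apps, rejected = explicit_apps(
        INSTALLED_ENTRY_POINTS,
        ["django.contrib.admin", "medux"],
        {"laboratory": "medux-plugins-laboratory"},
    )
    print("explicit:", apps)
    print("rejected:", rejected)
```

Under auto-discovery the unknown "totally-harmless" package is loaded alongside the vendor's own plugin; under the explicit scheme it is reported and skipped, and even the vendor plugin is refused if a different distribution starts providing that entry-point name.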
