Anthony Sottile <[email protected]> added the comment:
I did my best to classify those on pypi that were using `.pth` files. My
initial search had quite a few false positives (and now that I look at it,
completely missed `.zip`-based source distributions so there's likely some
false negatives as well)
Here's the summary of the categorizations:
$ cut -d, -f2 < data.csv | sort | uniq -c
2 backport
4 coverage
4 debugging
2 demo
9 encoding
7 except-hook
58 false-positive
6 import-hook
20 module-layout
20 monkeypatch
I realized about halfway through that "monkeypatch" was probably too broad a
category but continued with it through all of them. The monkeypatch category
contains a few classes of things: fixing third party libraries, disabling ssl
(yikes!), adding some "features" to builtins / stdlib modules -- which
unfortunately I didn't really classify properly.
There was a single .pth file that I deemed "malicious" since it completely
breaks the `subprocess` module (`subprocess-run`) but other than that they all
seemed ~mostly not the worst.
A lot of the `module-layout` ones could be solved with things provided directly
by `setuptools`, or just by rearranging their distribution's files.
The raw data is available in csv:
https://github.com/asottile/pth-file-investigation/blob/master/data.csv
----------
_______________________________________
Python tracker <[email protected]>
<https://bugs.python.org/issue33944>
_______________________________________
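The survey above sorts `.pth` files by what their executable lines do. As an added example (not code from the comment or from the pth-file-investigation repository), the script below applies the rule CPython's site.py uses when it processes a `.pth` file: a line beginning with `import ` (or `import` followed by a tab) is passed to `exec()` at interpreter startup, a line beginning with `#` or empty is ignored, and anything else is appended to `sys.path`. It audits a directory of `.pth` files and separates path entries from executable lines, then flags executable lines that touch the areas the survey found worrying (ssl, subprocess, builtins, the except hook). The `SUSPICIOUS` substrings and the two sample `.pth` contents are assumptions constructed for this example, not data from the survey.

```python
"""Audit .pth files for lines that site.py would exec() at interpreter startup.

Added example, not part of the tracker comment. The classification follows
CPython's site.py: "import ..." lines are executed, "#" and blank lines are
skipped, everything else becomes a sys.path entry. site.py only looks at
*.pth files directly inside a site-packages directory, so the scan does not
recurse.
"""
import os
import tempfile
from typing import Dict, List, Tuple

# Heuristic markers for the riskier "monkeypatch" style uses seen in the
# survey. This list is an assumption of the example, not a rule from site.py.
SUSPICIOUS = (
    "ssl",
    "subprocess",
    "builtins",
    "sys.excepthook",
    "exec(",
    "base64",
)

# Constructed sample .pth contents (not real files from the survey).
SAMPLE_LAYOUT = "# module-layout style: only adds a directory\n/opt/vendor/lib\n"
SAMPLE_MONKEYPATCH = (
    "import sys; sys.modules['ssl'] = None  # makes 'import ssl' fail\n"
    "import os; os.environ.setdefault('PYTHONWARNINGS', 'ignore')\n"
)


def classify_line(line: str) -> str:
    """Return 'comment', 'exec' or 'path' for one .pth line, as site.py treats it."""
    if line.startswith("#") or not line.strip():
        return "comment"
    if line.startswith(("import ", "import\t")):
        return "exec"
    return "path"


def audit_pth(text: str) -> Dict[str, List[str]]:
    """Group the lines of one .pth file by how site.py would treat them.

    The 'suspicious' bucket repeats the exec lines that match SUSPICIOUS.
    """
    result: Dict[str, List[str]] = {"exec": [], "path": [], "comment": [], "suspicious": []}
    for raw in text.splitlines():
        line = raw.rstrip("\r\n")
        kind = classify_line(line)
        result[kind].append(line)
        if kind == "exec" and any(marker in line for marker in SUSPICIOUS):
            result["suspicious"].append(line)
    return result


def scan_directory(site_dir: str) -> List[Tuple[str, Dict[str, List[str]]]]:
    """Audit every *.pth file directly inside site_dir, in name order."""
    findings = []
    for name in sorted(os.listdir(site_dir)):
        if not name.endswith(".pth"):
            continue
        path = os.path.join(site_dir, name)
        with open(path, encoding="utf-8", errors="replace") as fh:
            findings.append((name, audit_pth(fh.read())))
    return findings


def demo() -> List[Tuple[str, Dict[str, List[str]]]]:
    """Write the constructed samples into a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, text in (("vendor.pth", SAMPLE_LAYOUT), ("hook.pth", SAMPLE_MONKEYPATCH)):
            with open(os.path.join(tmp, name), "w", encoding="utf-8") as fh:
                fh.write(text)
        return scan_directory(tmp)


if __name__ == "__main__":
    for name, report in demo():
        print(f"{name}: {len(report['exec'])} exec line(s), "
              f"{len(report['path'])} path entry(ies), "
              f"{len(report['suspicious'])} suspicious")
        for line in report["suspicious"]:
            print("  !", line)
```

To audit a real environment, call `scan_directory()` on each entry of `site.getsitepackages()` (and `site.getusersitepackages()`); any non-empty `exec` bucket is code that runs on every interpreter start, whether or not the package that installed it is ever imported.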