On Wed, 3 Nov 2021 at 10:11, Marc-Andre Lemburg <m...@egenix.com> wrote:
> I don't think limiting the source code encoding is the right approach
> to making code more secure. Instead, tooling has to be used to detect
> potentially malicious code points in code.

+1

Discussing "making code more secure" without being clear on what the
threat model is, is always going to be inconclusive. In this case, I
believe the threat model is "an untrusted 3rd party submitting a PR
which potentially contains malicious code to a Python project". For
that threat, I think the correct approach is for core Python to
promote awareness (via this PEP and maybe something in the docs
themselves) and for projects to implement appropriate code checks that
are run against all PRs to flag this sort of issue.

What threat can't be addressed at a per-project level, but *can* be
addressed in core Python (without triggering so many false positives
that people are trained to ignore the warnings or work around the
prohibitions, defeating the purpose of the change)?

Paul
_______________________________________________
Python-Dev mailing list -- python-dev@python.org
To unsubscribe send an email to python-dev-le...@python.org
https://mail.python.org/mailman3/lists/python-dev.python.org/
Message archived at 
https://mail.python.org/archives/list/python-dev@python.org/message/FQ42C66BVCE6AQFSP4J6V6ERS4VV44MK/
Code of Conduct: http://python.org/psf/codeofconduct/
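The per-project PR check that both messages above point at (tooling that flags suspicious code points rather than restricting the source encoding) can be a small script run in CI. The following is an added example written for this note, not code from the thread, from the PEP, or from CPython. It assumes the code points worth flagging are Unicode bidirectional control characters (which can make rendered source differ from what the parser sees) and non-ASCII characters inside identifiers (which can resemble ASCII ones); the messages themselves do not name specific characters. The sample source it scans is constructed here.

```python
"""Added example: scan Python source for suspicious Unicode code points.

Illustrative pre-merge check, not a tool from the mailing-list thread or from
CPython. Assumptions (not stated in the thread): the code points of concern are
bidirectional control characters anywhere in the file, and non-ASCII characters
inside identifiers. Run it over the files a PR touches and fail the job on findings.
"""
import sys
import tokenize
import unicodedata
from io import BytesIO

# Bidirectional control characters (Unicode general category Cf). Listed
# explicitly so the check is readable; these are the well-known Bidi controls.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",            # LRI, RLI, FSI, PDI
    "\u200e", "\u200f",                                # LRM, RLM
}


def scan_source(source: str, filename: str = "<string>"):
    """Return a list of (line, col, kind, detail) findings for one source text."""
    findings = []

    # Pass 1: bidi controls anywhere, including comments and string literals,
    # since those are exactly the places a reviewer reads but the parser ignores.
    for lineno, line in enumerate(source.splitlines(), start=1):
        for col, ch in enumerate(line):
            if ch in BIDI_CONTROLS:
                findings.append((lineno, col, "bidi-control", unicodedata.name(ch)))

    # Pass 2: non-ASCII identifiers. Using the tokenizer means string contents
    # and comments (legitimately non-ASCII in many projects) are not flagged.
    try:
        for tok in tokenize.tokenize(BytesIO(source.encode("utf-8")).readline):
            if tok.type == tokenize.NAME and not tok.string.isascii():
                # Python normalizes identifiers to NFKC; show what the name becomes.
                nfkc = unicodedata.normalize("NFKC", tok.string)
                findings.append((tok.start[0], tok.start[1], "non-ascii-identifier",
                                 f"{tok.string!r} (NFKC: {nfkc!r})"))
    except (tokenize.TokenError, SyntaxError) as exc:
        # Unparseable input is itself worth a look in a PR check.
        findings.append((0, 0, "tokenize-error", f"{filename}: {exc}"))
    return findings


def has_findings(source: str, filename: str = "<string>") -> bool:
    """Convenience predicate for CI: True if anything was flagged."""
    return bool(scan_source(source, filename))


# Constructed sample: a comment carrying a RIGHT-TO-LEFT OVERRIDE (U+202E) and an
# identifier whose first letter is Cyrillic U+0430, which renders like Latin 'a'.
SAMPLE_SOURCE = (
    "def is_allowed(user):\n"
    "    return user.active  # \u202e reviewed\n"
    "\n"
    "\u0430dmin = is_allowed\n"
)


def main(argv):
    """Scan each path given on the command line; exit 1 if anything is flagged."""
    exit_code = 0
    for path in argv[1:]:
        with open(path, encoding="utf-8") as fh:
            text = fh.read()
        for lineno, col, kind, detail in scan_source(text, path):
            print(f"{path}:{lineno}:{col}: {kind}: {detail}")
            exit_code = 1
    return exit_code


if __name__ == "__main__":
    if len(sys.argv) == 1:
        for finding in scan_source(SAMPLE_SOURCE, "sample.py"):
            print(finding)
    else:
        sys.exit(main(sys.argv))
```

Wired into a PR workflow as `python scan_unicode.py $(git diff --name-only origin/main -- '*.py')` (the script name is a placeholder), this fails the check on either class of finding. Pass 2 is where the false-positive concern from the message bites: a project whose contributors legitimately use non-Latin identifiers would want to allowlist particular scripts or files rather than warn on every one, otherwise people learn to ignore the check.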
