Greetings,

I've just woken up and noticed Python 2.7.7 is on track to be released, and, in a rather unique event, contains a few security enhancements
in addition to the usual fixes:

http://legacy.python.org/dev/peps/pep-0466/

I thought this might be a good time to make a final plea to fix a
long-standing security issue in the installer on Windows.  By default it
installs Python to the root folder, thereby bypassing filesystem permissions:

http://bugs.python.org/issue1284316

The main rationale given (for not using the standard %ProgramFiles%) has been that the full path to python is too long to type, and ease of use is more important than the security benefits given by following Windows conventions.

However, adding python to the PATH variable is an alternative solution that
would result in even fewer keystrokes needing to be typed at a console, while
maintaining system security.

As this is an installer setting and not a code change, I gather that the
opportunities for code breakage should be fewer.  Please consider updating
this setting to a more secure and friendly default, for 2.7.7 and 3.5+ as well.

-Mike
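
An added example, not part of the original message: a Python check that reads `icacls` output for an install directory and reports non-administrative principals that hold write access, the property that differs between a root-folder install and one under %ProgramFiles%. Both ACL listings are constructed samples, and the function name and the trusted-principal list are assumptions.

```python
import re

# Assumption: principals expected to hold write access to a system-wide install.
# CREATOR OWNER only applies to whoever was already allowed to create the object.
TRUSTED = {"BUILTIN\\Administrators", "NT AUTHORITY\\SYSTEM",
           "NT SERVICE\\TrustedInstaller", "CREATOR OWNER"}
# icacls abbreviations that allow creating or changing files, or changing the ACL.
WRITE_RIGHTS = {"F", "M", "W", "GA", "GW", "WD", "AD", "WDAC", "WO"}
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}
ACE = re.compile(r"^(?P<who>[^:]+):(?P<flags>(?:\([^)]*\))+)$")

def untrusted_writers(icacls_text, path):
    """Return {principal: sorted write rights} for allow ACEs of untrusted principals."""
    findings = {}
    for line in icacls_text.splitlines():
        line = line.strip()
        if line.lower().startswith(path.lower()):  # first line is prefixed by the path
            line = line[len(path):].strip()
        m = ACE.match(line)
        if not m:                                  # blank line or summary line
            continue
        groups = re.findall(r"\(([^)]*)\)", m.group("flags"))
        if "DENY" in groups:                       # deny entries grant nothing
            continue
        rights = set()
        for g in groups:
            if g not in INHERIT_FLAGS:
                rights.update(g.split(","))        # e.g. "(RX,W)" lists several rights
        risky = rights & WRITE_RIGHTS
        if risky and m.group("who") not in TRUSTED:
            findings.setdefault(m.group("who"), set()).update(risky)
    return {who: sorted(r) for who, r in findings.items()}

# Constructed sample: listing for a directory created directly under C:\
ROOT_INSTALL = r"""C:\Python27 BUILTIN\Administrators:(I)(OI)(CI)(F)
            NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
            BUILTIN\Users:(I)(OI)(CI)(RX)
            NT AUTHORITY\Authenticated Users:(I)(M)
            NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)

Successfully processed 1 files; Failed processing 0 files"""

# Constructed sample: listing for a directory under %ProgramFiles%
PROGRAM_FILES_INSTALL = r"""C:\Program Files\Python27 NT SERVICE\TrustedInstaller:(I)(F)
            NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
            BUILTIN\Administrators:(I)(OI)(CI)(F)
            BUILTIN\Users:(I)(OI)(CI)(RX)
            CREATOR OWNER:(I)(OI)(CI)(IO)(F)"""

if __name__ == "__main__":
    print(untrusted_writers(ROOT_INSTALL, r"C:\Python27"))
    print(untrusted_writers(PROGRAM_FILES_INSTALL, r"C:\Program Files\Python27"))
```

On a real machine the text would come from running `icacls` against the install directory and passing its output to `untrusted_writers`.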

_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev