On Thu, Aug 24, 2017 at 4:04 AM, Bruce Leban <br...@leban.us> wrote:
>
> On Wed, Aug 23, 2017 at 10:37 AM, John Torakis <john.tora...@gmail.com>
> wrote:
>>
>>
>> Github can be trusted 100 percent for example.
>
>
> This isn't even remotely close to true. While I'd agree with the statement
> that the SSL cert on github is reasonably trustworthy, the *content* on
> github is NOT trustworthy and that's where the security risk is.
>
> I agree that this is a useful feature and there is no way it should be on by
> default. The right way IMHO to do this is to have a command line option
> something like this:
>
> python --http-import somelib=https://github.com/someuser/somelib

If you read his README, it's pretty explicit about URLs; the risk is
that "https://github.com/someuser/somelib" can be intercepted, not
that "someuser" is malicious. If you're worried about the latter,
don't use httpimport.

ChrisA
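The two trust questions argued over above (is the transport to the host secure, and are the bytes the host serves the ones you reviewed) can be made concrete in code. The following is an added example, not part of this thread and not httpimport's own code: a minimal import hook that fetches module source for a name and refuses to execute it unless its SHA-256 matches a pin recorded in advance. The "remote" content, the URL under the example.invalid domain, and the `fetch` stand-in for an HTTPS request are all constructed so the example runs offline; pinning a content digest is the mitigation the example demonstrates, and the thread itself does not propose it.

```python
import hashlib
import importlib
import importlib.abc
import importlib.util
import sys

# Constructed sample of what an HTTPS fetch would return; the URL and the
# example.invalid host are assumptions for this example, not real endpoints.
FAKE_REMOTE = {
    "https://example.invalid/someuser/somelib/somelib.py":
        b"def greet(name):\n    return 'hello, ' + name\n",
}


def fetch(url):
    """Stand-in for an HTTPS fetch. A valid TLS certificate only tells you the
    bytes came from that host; it says nothing about whether they are the bytes
    you reviewed. That second question is what the digest pin answers."""
    return FAKE_REMOTE[url]


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


class PinnedHttpFinder(importlib.abc.MetaPathFinder, importlib.abc.Loader):
    """Import hook mapping a module name to (url, expected sha256 hex).
    Source whose digest differs from the pin is never executed."""

    def __init__(self, pins):
        self.pins = pins

    def find_spec(self, fullname, path=None, target=None):
        if fullname not in self.pins:
            return None
        return importlib.util.spec_from_loader(fullname, self)

    def create_module(self, spec):
        return None  # let importlib create a default module object

    def exec_module(self, module):
        url, expected = self.pins[module.__name__]
        source = fetch(url)
        actual = sha256_hex(source)
        if actual != expected:
            # Content changed on the server or in transit: refuse to run it.
            raise ImportError(
                f"{module.__name__}: digest {actual} does not match pin {expected}"
            )
        exec(compile(source, url, "exec"), module.__dict__)


def load_pinned(name, url, expected_sha256):
    """Install the finder for one module, import it, then remove the finder.
    On failure importlib drops the half-built module from sys.modules."""
    finder = PinnedHttpFinder({name: (url, expected_sha256)})
    sys.meta_path.insert(0, finder)
    try:
        sys.modules.pop(name, None)
        return importlib.import_module(name)
    finally:
        sys.meta_path.remove(finder)


URL = "https://example.invalid/someuser/somelib/somelib.py"


def import_ok():
    """Pin matches the served bytes: the module loads and works."""
    mod = load_pinned("somelib", URL, sha256_hex(FAKE_REMOTE[URL]))
    return mod.greet("world")


def import_tampered():
    """Same URL, different bytes (constructed): the pin recorded earlier no
    longer matches, so the import is rejected. Returns True if it was."""
    good_pin = sha256_hex(FAKE_REMOTE[URL])
    original = FAKE_REMOTE[URL]
    FAKE_REMOTE[URL] = b"def greet(name):\n    return 'modified'\n"
    try:
        load_pinned("somelib", URL, good_pin)
        return False
    except ImportError:
        return True
    finally:
        FAKE_REMOTE[URL] = original


if __name__ == "__main__":
    print(import_ok())        # hello, world
    print(import_tampered())  # True
```

The pin has to come from somewhere other than the URL being fetched (a reviewed copy, a lockfile, a signed manifest); a digest downloaded from the same host over the same channel adds nothing, which is exactly the distinction between transport trust and content trust made in the messages above.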
_______________________________________________
Python-ideas mailing list
Python-ideas@python.org
https://mail.python.org/mailman/listinfo/python-ideas
Code of Conduct: http://python.org/psf/codeofconduct/