On Wed, Aug 23, 2017 at 11:11 AM, Chris Angelico <ros...@gmail.com> wrote:
> If you read his README, it's pretty explicit about URLs; the risk is
> that "https://github.com/someuser/somelib" can be intercepted, not
> that "someuser" is malicious. If you're worried about the latter,
> don't use httpimport.

I don't see the word "security" or "risk" in the readme. The risk is not just that someuser is malicious but the risk that they, their github credentials or their code have been compromised.

The reason that if this feature were to be implemented, I would want it outside the source code (command line option) is that that puts the control in the hands of the person running the code. This is appropriate for the stated scenarios. There's no possibility of a hidden live github dependency.

--- Bruce
_______________________________________________
Python-ideas mailing list
Python-ideas@python.org
https://mail.python.org/mailman/listinfo/python-ideas
Code of Conduct: http://python.org/psf/codeofconduct/