Thanks, Cameron Simpson, for the feedback! The security issue you mentioned is something really serious I didn't really think about. I usually do this a lot for my side projects and random stuff I automate. Hence I suggested this.
Again, thanks for taking your time.

On Mon, Jul 8, 2019 at 1:14 PM Cameron Simpson <c...@cskk.id.au> wrote:

> On 08Jul2019 11:40, Siddharth Prajosh <spraj...@gmail.com> wrote:
> >Hey all, after this talk
> ><http://pyfound.blogspot.com/2019/05/amber-brown-batteries-included-but.html>
> >on how useful standard libraries are this has been in talks in multiple
> >channels.
> >I just wanted to present my idea on the same.
> >
> >Why not keep the essentials (ensurepip) and strip off everything else. When
> >someone imports a package like datetime, we can catch the error
> >(ImportError) and install it.
> >Or something similar.
>
> Are you thinking this happens at runtime? And is your objective to ship
> a much smaller Python standard library and load whatever is actually
> required as discovered?
>
> The usual difficulty is that there's no general way to fetch packages in
> every environment. For the obvious case: the offline environment, with
> no network access.
>
> Another trickiness is that while we usually try to not conditionally
> import stuff, sometimes that happens. Which means you might run your
> programme and autoimport most things, but still miss something which
> only gets imported in a special circumstance.
>
> _However_, there's something to be said for the convenience.
>
> Had you considered writing a module which plugs into the import
> machinery to auto-pip-install on ImportError? Then you could test your
> ideas.
>
> Finally, there are some security considerations.
>
> A prize cause for an import error is simply misspelling a module name.
> If that misspelling matches a known module, that gets fetched. AND RUN.
>
> If the module used in error is malicious that's a really nasty failure
> mode. Even a module with a similar name and similar but not identical
> semantics could cause undesired (e.g. damaging, or just silently buggy)
> behaviour for the user.
>
> There have been real world examples of malicious packages put into
> package repositories. If I recall (and my memory is fuzzy here), quite a
> few in the JavaScript world and I think there was a known one in the
> PyPI repo.
>
> Leaving aside the "use a likely misspelling" situation, the other
> situation is where a known module is withdrawn and a malicious person
> installs something evil under the previously trustworthy name.
>
> These issues make me cautious about automatically importing anything
> that seems to be missing.
>
> I'm more comfortable treating ImportErrors as stuff to inspect. Perhaps
> I misspelled something. Perhaps I've failed to install something
> important. Perhaps I'm using a feature I didn't really plan to install.
>
> Cheers,
> Cameron Simpson <c...@cskk.id.au>
_______________________________________________
Python-ideas mailing list -- python-ideas@python.org
To unsubscribe send an email to python-ideas-le...@python.org
https://mail.python.org/mailman3/lists/python-ideas.python.org/
Message archived at https://mail.python.org/archives/list/python-ideas@python.org/message/LLD23RXVTG6YKQFLALXRL5M7NNFU4NOX/
Code of Conduct: http://python.org/psf/codeofconduct/
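Cameron's suggestion of a module that plugs into the import machinery, turned to his "inspect, don't fetch" stance: an added example (not code from this thread, from CPython or from pip) of a last-resort `sys.meta_path` finder that records a missing import, flags a probable misspelling of a known name, and refuses to install anything on the strength of a name alone. `VETTED` is a constructed stand-in for a project's pinned lock file, and `sys.stdlib_module_names` needs Python 3.10 or later (older versions fall back to the builtin names only).

```python
import difflib
import importlib
import importlib.abc
import sys

VETTED = {"requests", "yaml"}  # constructed stand-in for a project's vetted, pinned names


class InspectingFinder(importlib.abc.MetaPathFinder):
    """Last-resort finder: consulted only after every other finder has failed."""
    def __init__(self, known_names):
        self.known = sorted(known_names)  # names a typo is compared against
        self.misses = []                  # audit trail of (fullname, suggestion)

    def find_spec(self, fullname, path, target=None):
        top = fullname.partition(".")[0]
        close = difflib.get_close_matches(top, self.known, n=1, cutoff=0.8)
        suggestion = close[0] if close else None
        self.misses.append((fullname, suggestion))
        if top in self.known:
            why = f"{top!r} is vetted but not installed; install the pinned release"
        elif suggestion:
            why = f"no module named {fullname!r}; did you mean {suggestion!r}?"
        else:
            why = f"no module named {fullname!r}; not in the vetted set"
        # Normal ImportError subclass so `except ImportError` still works; nothing
        # is ever downloaded on the strength of a name alone.
        raise ModuleNotFoundError(why + " (auto-install refused)", name=fullname)


def install(extra_known=frozenset(VETTED)):
    """Append the finder once, behind the built-in finders, and return it."""
    for finder in sys.meta_path:
        if isinstance(finder, InspectingFinder):
            return finder
    # 3.10+ exposes the stdlib names; earlier versions get the builtin subset.
    stdlib = getattr(sys, "stdlib_module_names", None) or sys.builtin_module_names
    finder = InspectingFinder(set(stdlib) | set(extra_known))
    sys.meta_path.append(finder)
    return finder


def try_import(fullname):
    """Return (True, "") on success, else (False, the finder's explanation)."""
    try:
        importlib.import_module(fullname)
        return True, ""
    except ModuleNotFoundError as exc:
        return False, str(exc)
```

Because the finder raises instead of returning None, probes such as `importlib.util.find_spec("nosuchname")` now raise ModuleNotFoundError rather than returning None, so install it only in entry points where that behaviour is acceptable.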