On 10.09.2013 11:45, Oscar Benjamin wrote:
> On 10 September 2013 01:06, Steven D'Aprano
> <steve+comp.lang.pyt...@pearwood.info> wrote:
>> On Mon, 09 Sep 2013 12:19:11 +0000, Fattburger wrote:
>>
>> But really, we've learned *nothing* from the viruses of the 1990s.
>> Remember when we used to talk about how crazy it was to download code
>> from untrusted sites on the Internet and execute it? We're still doing
>> it, a hundred times a day. Every time you go on the Internet, you
>> download other people's code and execute it. Javascript, Flash, HTML5,
>> PDF are all either executable, or they include executable components. Now
>> they're *supposed* to be sandboxed, but we've gone from "don't execute
>> untrusted code" to "let's hope my browser doesn't have any bugs that the
>> untrusted code might exploit".
>
> You could have also mentioned pip/PyPI in that. 'pip install X'
> downloads and runs arbitrary code from a largely unmonitored and
> uncontrolled code repository. The maintainers of PyPI can only try to
> ensure that the original author of X would remain in control of what
> happens and could remove a package X if it were discovered to be
> malware. However they don't have anything like the resources to
> monitor all the code coming in so it's essentially a system based on
> trust in the authors where the only requirement to be an author is
> that you have an email address. Occasionally I see the suggestion to
> do 'sudo pip install X' which literally gives root permissions to
> arbitrary code coming straight from the net.
>
>
> Oscar


Interesting observation
--
https://mail.python.org/mailman/listinfo/python-list
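One defender-side check that follows from Oscar's point about 'pip install' executing whatever it downloads, written as an added example for this thread (not code from pip, PyPI or anyone in the discussion): audit a requirements file for entries pip could not verify before running their setup.py. The sample file and its hash value are constructed; `pip install --require-hashes` is pip's real option.

```python
"""Audit a pip requirements file for lines that would let `pip install`
fetch and execute code that nobody has pinned down.

Constructed example for this thread, not code from pip or PyPI. It flags:
  - requirements without an exact '==' version (floating, so whatever the
    current owner of the name uploads next is installed automatically), and
  - requirements without a '--hash=' pin (so pip cannot verify the
    downloaded archive before running its setup.py).
A fully pinned file can then be installed with
    pip install --require-hashes -r requirements.txt
which makes pip refuse any package that lacks a matching hash.
"""
import re

# Constructed sample requirements file; the hash value is a placeholder.
SAMPLE_REQUIREMENTS = """\
# comment line
requests
flask>=2.0
six==1.16.0
attrs==23.1.0 --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
"""

_NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")


def audit_requirements(text):
    """Return (line_no, name, problems) for each requirement pip could not verify."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line or line.startswith("-"):  # pip options such as -r or -e
            continue
        match = _NAME_RE.match(line)
        if not match:
            continue
        problems = []
        if "==" not in line:
            problems.append("no exact '==' version pin")
        if "--hash=" not in line:
            problems.append("no --hash= pin, so the archive cannot be verified")
        if problems:
            findings.append((line_no, match.group(1), problems))
    return findings


if __name__ == "__main__":
    for line_no, name, problems in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"line {line_no}: {name}: " + "; ".join(problems))
```

Running it on the constructed sample reports requests, flask and six; only the attrs line, with both an exact version and a hash, passes.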