On May 24, 2013, at 9:54 AM, holger krekel <[email protected]> wrote:
> On Fri, May 24, 2013 at 07:20 -0400, Donald Stufft wrote:
>> On May 24, 2013, at 7:17 AM, Vinay Sajip <[email protected]> wrote:
>>
>>>> From: holger krekel <[email protected]>
>>>>
>>>> Nice. How do you actually get at the dependencies? Don't you
>>>> need to execute setup.py for that?
>>>>
>>>
>>> Yes, that's how it's done. However, the idea is to do it once per uploaded
>>> release and remember the results, so an installer tool like pip doesn't
>>> have to download and run setup.py every time :-)
>>
>> So what you're saying is I can root your machine with a setup.py? ;)
>
> That's the immediate risk, indeed :) However, i guess one could use a VM
> with a chroot and a dedicated user and timeout the setup after 20 seconds
> or so to regain some safety. It's a bit horrible but OTOH i'd really
> like to have this information (especially the deps) without requiring
> everybody to switch to a new packaging format first.
>
> holger

Most packages also have an egg-info inside of them you can parse. Of course the issue is that you're only going to get the requirements of the system that ran setup.py, either the authors or the servers. Which doesn't accurately represent all of the dependencies all of the time.

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
_______________________________________________
Distutils-SIG maillist - [email protected]
http://mail.python.org/mailman/listinfo/distutils-sig
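As an added example (not from the thread or from any packaging tool), this reads the dependency list from an sdist's `*.egg-info/requires.txt` purely as archive data, so the tarball's setup.py is never executed on the host; the function names and the embedded sample tarball are constructed for illustration.

```python
import io
import tarfile


def _parse_requires_txt(text):
    """Parse a setuptools requires.txt: one requirement per line, with optional
    [extra] section headers. Returns {extra_name_or_None: [requirement, ...]}."""
    deps = {}
    section = None  # None collects the unconditional (non-extra) requirements
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        deps.setdefault(section, []).append(line)
    return deps


def egg_info_requirements(sdist_bytes):
    """Locate <pkg>.egg-info/requires.txt inside an sdist and parse it.

    The archive is only ever read as data: nothing is extracted to disk and
    setup.py is never imported or run. Caveat from the thread: this file was
    written by whoever built the sdist, so it reflects their environment, not
    necessarily every platform the package can be installed on."""
    with tarfile.open(fileobj=io.BytesIO(sdist_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            if member.isfile() and member.name.endswith(".egg-info/requires.txt"):
                return _parse_requires_txt(tar.extractfile(member).read().decode())
    return None  # no egg-info shipped: metadata is not available statically


def _constructed_sdist():
    """Build a minimal in-memory sdist (constructed sample, not a real package).
    Its setup.py deliberately aborts, proving the parser never runs it."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        files = {
            "demo-1.0/setup.py": "raise SystemExit('setup.py must never run')\n",
            "demo-1.0/demo.egg-info/requires.txt": "requests>=2.0\nsix\n\n[ssl]\npyOpenSSL\n",
        }
        for name, content in files.items():
            data = content.encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    print(egg_info_requirements(_constructed_sdist()))
```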
