On Thu, Aug 24, 2017 at 2:55 AM, John Torakis <john.tora...@gmail.com> wrote: > Hello all! > > Today I opened an issue in bugs.python.org > (http://bugs.python.org/issue31264) proposing a module I created for > remote package/module imports through standard HTTP/S. > > The concept is that, if a directory is served through HTTP/S (the way > SimpleHTTPServer module serves directories), a Finder/Loader object can > fetch Python files from that directory using HTTP requests, and finally > load them as modules (or packages) in the running namespace. > > The repo containing a primitive (but working) version of the > Finder/Loader, also contains self explanatory examples (in the README.md): > > https://github.com/operatorequals/httpimport > > > My proposal is that this module can become a core Python feature, > providing a way to load modules even from Github.com repositories, > without the need to "git clone - setup.py install" them. > > > Other languages, like golang, provide this functionality from their > early days (day one?). Python development can be greatly improved if a > "try before pip installing" mechanism gets in place, as it will add a > lot to the REPL nature of the testing/experimenting process.
As a core feature? No no no no no no no no. Absolutely do NOT WANT THIS. This is a security bug magnet; can you imagine trying to ensure that malicious code is not executed, in an arbitrary execution context? As an explicitly-enabled feature, it's a lot less hairy than a permanently-active one (can you IMAGINE how terrifying that would be?), but even so, trying to prove that addRemoteRepo (not a PEP8-compliant name, btw) is getting the correct code is not going to be easy. You have to (a) drop HTTP altogether and mandate SSL and (b) be absolutely sure that your certificate chains are 100% dependable, which - as we've seen recently - is a nontrivial task. The easiest way to add remote code is pip. For most packages, that's what you want to be using: pip install requests will make "import requests" functional. I don't see pip mentioned anywhere in your README, but you do mention the testing of pull requests, so at very least, this wants some explanatory screed. But I'm not entirely sure I want to support this. You're explicitly talking about using this with the creation of backdoors... in what, exactly? What are you actually getting at here? ChrisA _______________________________________________ Python-ideas mailing list Python-ideas@python.org https://mail.python.org/mailman/listinfo/python-ideas Code of Conduct: http://python.org/psf/codeofconduct/
