On 23/08/2017 21:04, Bruce Leban wrote:
>
> On Wed, Aug 23, 2017 at 10:37 AM, John Torakis <john.tora...@gmail.com
> <mailto:john.tora...@gmail.com>> wrote:
>
>> Github can be trusted 100% percent for example.
>
> This isn't even remotely close to true. While I'd agree with the
> statement that the SSL cert on github is reasonably trustworthy, the
> *content* on github is NOT trustworthy and that's where the security
> risk is.
Do we trust code on github? Do we trust code on PyPI? This is why I *don't* want it ON by default. You have to explicitly point the Finder/Loader to a repo that you created or you trust. And provide a list of available modules/packages to import from that URL too. If the developer isn't sure about the code she/he is importing, then it is her/his fault... Same goes for pip installing though...

> I agree that this is a useful feature and there is no way it should be
> on by default. The right way IMHO to do this is to have a command line
> option something like this:
>
>     python --http-import somelib=https://github.com/someuser/somelib
>
> which then redefines the import somelib command to import from that
> source. Along with your scenario, it allows people, for example, to
> replace a library with a different version without modifying source or
> installing a different version. That's pretty useful.

That's what I am thinking too! Just provide the module so someone can "python -m" it, or start a REPL in the context that some packages/modules are available from a URL.

> --- Bruce

John Torakis
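As an added illustration (not code from this thread, nor from any implementation the participants had), the following Python sketch shows one way a Finder/Loader of the kind John describes can be restricted so that it is opt-in and bounded: it only answers for module names the developer explicitly listed for a given base URL, leaving every other import untouched, and it refuses to execute fetched source whose SHA-256 digest does not match a value pinned alongside the name, so a file that changes at the URL is rejected rather than run. The base URL, module names, sources and digests below are constructed stand-ins; the `fetch` callable is injected so the demo runs without any network access.

```python
"""Opt-in, allowlisted HTTP import hook with pinned source hashes (added example)."""
import hashlib
import importlib
import importlib.abc
import importlib.machinery
import sys
import urllib.request


def http_fetch(url):
    """Fetch raw source bytes over HTTP(S). Not used by the offline demo below."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read()


class PinnedHttpFinder(importlib.abc.MetaPathFinder, importlib.abc.Loader):
    """Meta-path finder/loader that serves only explicitly listed modules.

    allowlist maps module name -> SHA-256 hex digest of the expected source.
    Any other name gets None from find_spec, so the hook never shadows stdlib
    or installed packages; fetched source whose digest differs is refused.
    """

    def __init__(self, base_url, allowlist, fetch=http_fetch):
        self.base_url = base_url.rstrip("/")
        self.allowlist = dict(allowlist)
        self.fetch = fetch  # injectable so the hook can be exercised offline

    def find_spec(self, fullname, path=None, target=None):
        if fullname not in self.allowlist:
            return None  # not ours; fall through to the remaining finders
        origin = f"{self.base_url}/{fullname}.py"
        return importlib.machinery.ModuleSpec(fullname, self, origin=origin)

    def create_module(self, spec):
        return None  # default module object creation

    def exec_module(self, module):
        origin = module.__spec__.origin
        source = self.fetch(origin)
        digest = hashlib.sha256(source).hexdigest()
        expected = self.allowlist[module.__name__]
        if digest != expected:
            # Refuse before compiling: a changed remote file must not execute.
            raise ImportError(
                f"refusing {module.__name__}: sha256 {digest} != pinned {expected}"
            )
        exec(compile(source, origin, "exec"), module.__dict__)


def import_via(finder, name):
    """Install finder, import name, then uninstall and forget the module again."""
    sys.meta_path.insert(0, finder)
    try:
        return importlib.import_module(name)
    finally:
        sys.meta_path.remove(finder)
        sys.modules.pop(name, None)


# Constructed stand-in for a remote repo (hypothetical URL; nothing is fetched).
BASE_URL = "https://example.invalid/repo"
FAKE_REPO = {
    f"{BASE_URL}/somelib.py": b"def greet():\n    return 'hello from somelib'\n",
    f"{BASE_URL}/unlisted.py": b"VALUE = 1\n",
}


def fake_fetch(url):
    return FAKE_REPO[url]


def pin(name):
    """Digest the developer would record when allowlisting the module."""
    return hashlib.sha256(FAKE_REPO[f"{BASE_URL}/{name}.py"]).hexdigest()


def load_pinned():
    """Listed module with a matching digest loads and runs normally."""
    finder = PinnedHttpFinder(BASE_URL, {"somelib": pin("somelib")}, fetch=fake_fetch)
    return import_via(finder, "somelib").greet()


def unlisted_is_ignored():
    """A module present at the URL but not allowlisted is never offered."""
    finder = PinnedHttpFinder(BASE_URL, {"somelib": pin("somelib")}, fetch=fake_fetch)
    return finder.find_spec("unlisted") is None


def tampered_is_refused():
    """A digest mismatch (here: a deliberately wrong pin) raises ImportError."""
    finder = PinnedHttpFinder(BASE_URL, {"somelib": "0" * 64}, fetch=fake_fetch)
    try:
        import_via(finder, "somelib")
    except ImportError:
        return True
    return False


if __name__ == "__main__":
    print(load_pinned(), unlisted_is_ignored(), tampered_is_refused())
```

The pinning makes the allowlist the thing that has to be trusted, rather than whatever the URL happens to serve on a given day, which is the gap Bruce points at: a trustworthy TLS certificate says who you are talking to, not that the content is what you reviewed.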
_______________________________________________
Python-ideas mailing list
Python-ideas@python.org
https://mail.python.org/mailman/listinfo/python-ideas
Code of Conduct: http://python.org/psf/codeofconduct/