On 10 September 2013 01:06, Steven D'Aprano <steve+comp.lang.pyt...@pearwood.info> wrote:
> On Mon, 09 Sep 2013 12:19:11 +0000, Fattburger wrote:
>
> But really, we've learned *nothing* from the viruses of the 1990s.
> Remember when we used to talk about how crazy it was to download code
> from untrusted sites on the Internet and execute it? We're still doing
> it, a hundred times a day. Every time you go on the Internet, you
> download other people's code and execute it. Javascript, Flash, HTML5,
> PDF are all either executable, or they include executable components. Now
> they're *supposed* to be sandboxed, but we've gone from "don't execute
> untrusted code" to "let's hope my browser doesn't have any bugs that the
> untrusted code might exploit".
You could have also mentioned pip/PyPI in that. 'pip install X' downloads and runs arbitrary code from a largely unmonitored and uncontrolled code repository. The maintainers of PyPI can only try to ensure that the original author of X remains in control of what happens, and could remove a package X if it were discovered to be malware. However, they don't have anything like the resources to monitor all the code coming in, so it's essentially a system based on trust in the authors, where the only requirement to be an author is that you have an email address.

Occasionally I see the suggestion to do 'sudo pip install X', which literally gives root permissions to arbitrary code coming straight from the net.

Oscar
--
https://mail.python.org/mailman/listinfo/python-list
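An added example, not code from Oscar's post or from pip itself: a small Python scanner for the situation described above. It opens an sdist tarball (the kind you get from `pip download --no-binary :all: X` instead of installing), lists the scripts pip would execute at install time, and flags lines in them that call out to the OS or the network. The sdist it inspects is constructed inline for the demonstration; the list of install-time files and the regex are the example's own heuristics.

```python
import io
import re
import tarfile

# Files pip executes (through setuptools) while building or installing an sdist.
INSTALL_TIME_FILES = {"setup.py"}
# Calls a packaging script rarely needs; any hit deserves a manual read before installing.
SUSPICIOUS = re.compile(r"\b(os\.system|subprocess\.\w+|urllib\.request|socket\.\w+|exec|eval)\s*\(")


def audit_sdist(sdist: bytes) -> dict:
    """Return {filename: [flagged lines]} for every install-time script in an sdist.

    A key with an empty list means the script exists (so code will run on
    'pip install') but nothing obviously out of place was spotted in it.
    """
    findings = {}
    with tarfile.open(fileobj=io.BytesIO(sdist), mode="r:gz") as tar:
        for member in tar.getmembers():
            # sdists nest everything under a '<name>-<version>/' directory.
            name = member.name.split("/", 1)[-1]
            if name not in INSTALL_TIME_FILES or not member.isfile():
                continue
            text = tar.extractfile(member).read().decode("utf-8", errors="replace")
            findings[name] = [
                line.strip() for line in text.splitlines() if SUSPICIOUS.search(line)
            ]
    return findings


def make_sdist(files: dict) -> bytes:
    """Build a minimal sdist tarball in memory (constructed test input, not a real package)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in files.items():
            data = content.encode()
            info = tarfile.TarInfo("example-1.0/" + path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample: a setup.py that runs a command before it ever calls setup().
SAMPLE = make_sdist({
    "setup.py": "import subprocess\nfrom setuptools import setup\nsubprocess.run(['whoami'])\nsetup(name='example')\n",
    "example/__init__.py": "VERSION = '1.0'\n",
})

if __name__ == "__main__":
    for script, hits in audit_sdist(SAMPLE).items():
        print(f"{script} runs at install time; flagged lines: {hits}")
```

Whatever the scanner prints, the real mitigation is to never run the install as root: use a virtualenv or `pip install --user`, so the code that runs at install time holds only the permissions of an ordinary user.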