On 26 September 2014 01:38, Donald Stufft don...@stufft.io wrote:
Either way I'm fairly committed to making --user the default, the only
question
on my mind is what exactly does that look like (e.g. does root get --user by
default?) and how we get from where we are now to that point. I think
Antoine Pitrou wrote:
Fortunately, Python's subprocess has its `shell` argument default to
False. However, `os.system` invokes the shell implicitly and is
therefore a possible attack vector.
Of course anything called by subprocess with shell=False may invoke the
shell itself if it runs other
On 2014-09-25, 23:14 GMT, Cameron Simpson wrote:
Fortunately, Python's subprocess has its `shell` argument default to
False. However, `os.system` invokes the shell implicitly and is
therefore a possible attack vector.
Only if /bin/sh is bash :-) Not always the case, fortunately.
Where does your
Matěj,
On 26 September 2014 00:28, Matěj Cepl mc...@cepl.eu wrote:
Where does your faith that other /bin/sh implementations (dash,
busybox, etc.) are less buggy come from?
The fact that they are simpler, in terms of lines of code. It's no
guarantee, but the less a given piece of code does,
On 26.09.14 01:17, Antoine Pitrou wrote:
Fortunately, Python's subprocess has its `shell` argument default to
False. However, `os.system` invokes the shell implicitly and is
therefore a possible attack vector.
Fortunately dash (which is used as /bin/sh in Debian and Ubuntu) is not
vulnerable.
On Fri, 26 Sep 2014 01:10:53 -0700
Hasan Diwan hasan.di...@gmail.com wrote:
Matěj,
On 26 September 2014 00:28, Matěj Cepl mc...@cepl.eu wrote:
Where does your faith that other /bin/sh implementations (dash,
busybox, etc.) are less buggy come from?
The fact that they are simpler, in
Jeremy Sanders schrieb am 26.09.2014 um 09:28:
Antoine Pitrou wrote:
Fortunately, Python's subprocess has its `shell` argument default to
False. However, `os.system` invokes the shell implicitly and is
therefore a possible attack vector.
Of course anything called by subprocess with
On Fri, 26 Sep 2014 14:56:05 +0200
Stefan Behnel stefan...@behnel.de wrote:
Jeremy Sanders schrieb am 26.09.2014 um 09:28:
Antoine Pitrou wrote:
Fortunately, Python's subprocess has its `shell` argument default to
False. However, `os.system` invokes the shell implicitly and is
On Sep 26, 2014, at 3:09 AM, Paul Moore p.f.mo...@gmail.com wrote:
On 26 September 2014 01:38, Donald Stufft don...@stufft.io wrote:
Either way I'm fairly committed to making --user the default, the only
question
on my mind is what exactly does that look like (e.g. does root get --user by
Stefan Behnel wrote:
Ok, but does that really make it a relevant topic for python-dev?
Sorry - I thought I was reading python-general. gmane makes it too easy to
post :-). However, I think it's worth pointing that out, in case people
think that Popen is a security panacea.
J
On 26 September 2014 14:31, Donald Stufft don...@stufft.io wrote:
Yea, I think we throw an error when you use --user inside a virtual
environment.
So if --user became the default, what would happen? I'd like pip
inside a virtualenv to install into the environment without needing a
--system
On Sep 26, 2014, at 9:53 AM, Paul Moore p.f.mo...@gmail.com wrote:
On 26 September 2014 14:31, Donald Stufft don...@stufft.io wrote:
Yea, I think we throw an error when you use --user inside a virtual
environment.
So if --user became the default, what would happen? I'd like pip
inside
ACTIVITY SUMMARY (2014-09-19 - 2014-09-26)
Python tracker at http://bugs.python.org/
To view or respond to any of the issues listed below, click on the issue.
Do NOT respond to this message.
Issues counts and deltas:
open 4677 (+15)
closed 29587 (+43)
total 34264 (+58)
Open issues
Hi all,
(This is advance notice since people on this list will be interested. Official
announcements are coming when setuptools makes their next release.)
Microsoft has released a compiler package targeting Python 2.7 (i.e. VC9).
We've produced this package to help library developers build
Awesome!
On Sep 26, 2014, at 2:01 PM, Steve Dower steve.do...@microsoft.com wrote:
Hi all,
(This is advance notice since people on this list will be interested.
Official announcements are coming when setuptools makes their next release.)
Microsoft has released a compiler package
On 26/09/2014 19:01, Steve Dower wrote:
Hi all,
(This is advance notice since people on this list will be interested.
Official announcements are coming when setuptools makes their next
release.)
Microsoft has released a compiler package targeting Python 2.7 (i.e.
VC9). We've produced this
-- Original message --
From: Python tracker
Date: Fri, Sep 26, 2014 12:07 PM
To: python-dev@python.org;
Subject: [Python-Dev] Summary of Python tracker Issues
ACTIVITY SUMMARY (2014-09-19 - 2014-09-26)
Python tracker at
At long last! Building C extensions on Windows will no longer be a pain in
the rear!
On Fri, Sep 26, 2014 at 1:01 PM, Steve Dower steve.do...@microsoft.com
wrote:
Hi all,
(This is advance notice since people on this list will be interested.
Official announcements are coming when setuptools
On 09/26/2014 11:01 AM, Steve Dower wrote:
Microsoft has released a compiler package targeting Python 2.7 (i.e. VC9).
We've produced this package to help library developers build wheels for
Windows, but also to help users unblock themselves when they need to build C
extensions themselves.
On 26 September 2014 19:01, Steve Dower steve.do...@microsoft.com wrote:
Microsoft has released a compiler package targeting Python 2.7 (i.e. VC9).
We've produced this package to help library developers build wheels for
Windows, but also to help users unblock themselves when they need to
On 26Sep2014 13:16, Antoine Pitrou solip...@pitrou.net wrote:
On Fri, 26 Sep 2014 01:10:53 -0700
Hasan Diwan hasan.di...@gmail.com wrote:
On 26 September 2014 00:28, Matěj Cepl mc...@cepl.eu wrote:
Where does your faith that other /bin/sh implementations (dash,
busybox, etc.) are less buggy
On Thu, Sep 25, 2014 at 5:38 PM, Donald Stufft don...@stufft.io wrote:
2) Switch to --user based on if the user has permission to write to the
site-packages or not.
ouch -- no. Why not a clear error message if pip can't write to
site-packages -- something like:
I fairly strongly
On 9/26/2014 1:03 PM, Chris Barker wrote:
On Thu, Sep 25, 2014 at 5:38 PM, Donald Stufft don...@stufft.io wrote:
2) Switch to --user based on if the user has permission to write to the
site-packages or not.
ouch -- no. Why not a clear