On Mon, Jun 5, 2017 at 10:52 AM Chris Barker wrote:
> On Mon, Jun 5, 2017 at 3:55 AM, Victor Stinner
> wrote:
>
>> A minimum change would be to add the (empty string) at the end of
>> sys.path in Python 3.7 rather than adding it at the start.
>>
On 6/5/17, Chris Barker wrote:
> On Mon, Jun 5, 2017 at 3:55 AM, Victor Stinner
> wrote:
>
>> A minimum change would be to add the (empty string) at the end of
>> sys.path
>> in Python 3.7 rather than adding it at the start.
>>
>> It would
On Mon, Jun 5, 2017 at 3:55 AM, Victor Stinner
wrote:
> A minimum change would be to add the (empty string) at the end of sys.path
> in Python 3.7 rather than adding it at the start.
>
> It would increase Python usability since it avoids the "random has no
> randint()
On Mon, Jun 5, 2017 at 4:14 AM, Nick Coghlan wrote:
> The biggest problem with this approach is that it means that adding
> new standard library modules becomes a backwards compatibility break -
> scripts that used to work will now fail since they'll get the standard
> library
So it seems the best thing would be to have a system-python executable
which always runs in isolated mode?
In fact I could imagine that security-conscious distributions would only
install system-python by default and relegate the ordinary python to some
python-dev package.
Stephan
Op 5 jun.
On 5 June 2017 at 20:55, Victor Stinner wrote:
> A minimum change would be to add the (empty string) at the end of sys.path
> in Python 3.7 rather than adding it at the start.
>
> It would increase Python usability since it avoids the "random has no
> randint() function"
On 5 June 2017 at 19:49, Stephan Houben wrote:
> What about just adding the -I (isolated mode) flag to the #! line of
> installed scripts?
Fedora & derivatives generally do do that, but as others noted, it can
sometimes cause issues with shebang line parsers. It's also easy
Le 5 juin 2017 00:52, "Guido van Rossum" a écrit :
I really don't want people to start using the "from . import foo" idiom for
their first steps into programming. It seems a reasonable "defensive
programming" maneuver to put in scripts and apps made by professional
Python
Would it not be a job for setuptools?
Setuptools creates the scripts.
Stephan
Op 5 jun. 2017 12:12 schreef "Oleg Broytman" :
On Mon, Jun 05, 2017 at 12:06:45PM +0200, Stephan Houben <
stephan...@gmail.com> wrote:
> What about doing it on the systems which *do* support it?
>
On Mon, Jun 05, 2017 at 12:06:45PM +0200, Stephan Houben
wrote:
> What about doing it on the systems which *do* support it?
> (Which probably covers 99% of the installed base...)
That's the job of Linux distribution packagers, not Python Core
developers.
> Stephan
>
>
On Mon, Jun 05, 2017 at 09:59:35PM +1200, Greg Ewing
wrote:
> Stephan Houben wrote:
> >What about just adding the -I (isolated mode) flag to the #! line of
> >installed scripts?
>
> Not all unix systems support passing extra arguments on a #! line.
In case of
What about doing it on the systems which *do* support it?
(Which probably covers 99% of the installed base...)
Stephan
Op 5 jun. 2017 11:59 schreef "Greg Ewing" :
> Stephan Houben wrote:
>
>> What about just adding the -I (isolated mode) flag to the #! line of
>>
Stephan Houben wrote:
What about just adding the -I (isolated mode) flag to the #! line of
installed scripts?
Not all unix systems support passing extra arguments on a #! line.
--
Greg
___
Python-ideas mailing list
Python-ideas@python.org
What about just adding the -I (isolated mode) flag to the #! line of
installed scripts?
I was actually surprised this is not already done for the Python scripts in
/use/bin on my Ubuntu box.
Stephan
Op 5 jun. 2017 02:52 schreef "Mike Miller" :
> I'd like to throw
I'd like to throw some cold water on this one, for the same reason I always add
"." to the path in my shell, when some well-meaning soul has removed it. Why?
It's 2017 and I've not shared a machine since the 1980's. I use immutable
containers in the cloud that are not at this particular risk
On Sun, Jun 4, 2017 at 6:51 PM, Guido van Rossum wrote:
> I really don't want people to start using the "from . import foo" idiom
> for their first steps into programming. It seems a reasonable "defensive
> programming" maneuver to put in scripts and apps made by professional
I really don't want people to start using the "from . import foo" idiom for
their first steps into programming. It seems a reasonable "defensive
programming" maneuver to put in scripts and apps made by professional
Python programmers for surprise-free wide distribution, but (like many of
those)
On 4 June 2017 at 10:00, Greg Ewing wrote:
> Is this really much of a security issue? Seems to me that
> for someone to exploit it, they would have to inject a
> malicious .py file alongside one of my script files. If
> they can do that, they can probably do all kinds
I'm not comfortable with the subject title of this thread.
I'm comfortable with the experiences and solutions proposed by Nick.
On Sat, Jun 3, 2017 at 8:16 PM, Greg Ewing
wrote:
> Soni L. wrote:
>
>> How about `import self.thing` (where "self" implies same dir as
Soni L. wrote:
How about `import self.thing` (where "self" implies same dir as the
current .py
That wouldn't provide quite the same functionality, since
currently a module alongside the main py file can be imported
from anywhere, including .py files inside a package.
Also I think it would be
Is this really much of a security issue? Seems to me that
for someone to exploit it, they would have to inject a
malicious .py file alongside one of my script files. If
they can do that, they can probably do all kinds of bad
things directly.
--
Greg
On Jun 3, 2017 2:45 PM, "Chris Angelico" wrote:
On Sun, Jun 4, 2017 at 12:42 AM, Nick Coghlan wrote:
>> But I don't think that running an application from the source without
>> installing it is the most common way to run an application. Most users
>>
On Sun, Jun 4, 2017 at 12:42 AM, Nick Coghlan wrote:
>> But I don't think that running an application from the source without
>> installing it is the most common way to run an application. Most users
>> install applications to use them, no?
>
> Scripts are very frequently run
On 2 June 2017 at 02:30, Victor Stinner wrote:
> Hi,
>
> Perl 5.26 succeeded to remove the current working directory from the
> default include path (our Python sys.path):
>
>
How about `import self.thing` (where "self" implies same dir as the
current .py - if it's a dir-based package, then "self" is that dir) and
`import super.thing` (where "super" implies parent package *locked to
parent dir*. if there isn't any (top level package or main script),
fail-by-default
How about `import self.thing` (where "self" implies same dir as the
current .py - if it's a dir-based package, then "self" is that dir) and
`import super.thing` (where "super" implies parent package *locked to
parent dir*. if there isn't any (top level package or main script),
fail-by-default
On Sat, Jun 3, 2017 at 8:36 PM, Steven D'Aprano wrote:
> On Fri, Jun 02, 2017 at 12:36:59PM +1000, Chris Angelico wrote:
>
> [...]
>> > I expect that moving '' to the end of sys.path will be a less disruptive
>> > change than removing it.
>>
>> This is true. However, anything
On Fri, Jun 02, 2017 at 12:36:59PM +1000, Chris Angelico wrote:
[...]
> > I expect that moving '' to the end of sys.path will be a less disruptive
> > change than removing it.
>
> This is true. However, anything that depends on the current behaviour
> (intentionally or otherwise) would be just
On 2 June 2017 at 20:02, Victor Stinner wrote:
> 2017-06-02 9:12 GMT+02:00 Greg Ewing :
>> Why do you want to change it?
>
> To make Python more secure. To prevent untrusted modules hijacking
> stdlib modules on purpose to inject code for
2017-06-02 9:12 GMT+02:00 Greg Ewing :
> Why do you want to change it?
To make Python more secure. To prevent untrusted modules hijacking
stdlib modules on purpose to inject code for example.
Victor
___
Python-ideas mailing
On 1.06.2017 19:46, Chris Angelico wrote:
On Fri, Jun 2, 2017 at 2:30 AM, Victor Stinner wrote:
Perl 5.26 succeeded to remove the current working directory from the
default include path (our Python sys.path):
Victor Stinner wrote:
You are right, it's the script directory that it added to
sys.path and I would like to know if it would be possible to change that?
Why do you want to change it?
--
Greg
___
Python-ideas mailing list
Python-ideas@python.org
On Fri, Jun 2, 2017 at 11:05 AM, Steven D'Aprano wrote:
> On Fri, Jun 02, 2017 at 09:22:16AM +1000, Chris Angelico wrote:
>
>> Ultimately, what I would like is for "import random" to be absolutely
>> dependably going to grab the stdlib "random" module, or at very least,
>>
On Fri, Jun 02, 2017 at 09:22:16AM +1000, Chris Angelico wrote:
> Ultimately, what I would like is for "import random" to be absolutely
> dependably going to grab the stdlib "random" module, or at very least,
> something that someone *deliberately* is shadowing that module with.
> You shouldn't
On Fri, Jun 2, 2017 at 8:58 AM, Victor Stinner wrote:
>> (AIUI, the *current directory* is never on Python's path, but the
> *script directory* is. They're the same thing a lot of the time.)
>
> Oh, it's very common that I run a script from its directory, so yeah script
> (AIUI, the *current directory* is never on Python's path, but the
*script directory* is. They're the same thing a lot of the time.)
Oh, it's very common that I run a script from its directory, so yeah script
directory = current directory on such case. Sorry for the confusion. You
are right,
On Thu, Jun 1, 2017 at 10:30 AM, Victor Stinner
wrote:
> Hi,
>
> Perl 5.26 succeeded to remove the current working directory from the
> default include path (our Python sys.path):
>
>
On Fri, Jun 2, 2017 at 2:30 AM, Victor Stinner wrote:
> Perl 5.26 succeeded to remove the current working directory from the
> default include path (our Python sys.path):
>
>
Hi,
Perl 5.26 succeeded to remove the current working directory from the
default include path (our Python sys.path):
https://metacpan.org/pod/release/XSAWYERX/perl-5.26.0/pod/perldelta.pod#Removal-of-the-current-directory-(%22.%22)-from-@INC
Would it technically possible to make this change in
39 matches
Mail list logo