This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author lemburg
Recipients brett.cannon, eric.snow, lemburg, minrk, ncoghlan, r.david.murray, tdsmith
Date 2015-06-29.20:27:16
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <>
In-reply-to <>
On 29.06.2015 21:30, Min RK wrote:
> .pth files currently allow execution of arbitrary code, triggered by lines starting with `import`. This is a rarely understood, and often misbehaving feature. easy_install has used this feature to ensure that its packages are highest priority (even higher than stdlib). This is one of the unfortunate behaviors that pip undoes from easy_install, in part due to the problems it can cause. There is currently a proposal in setuptools to stop using this, even for easy_install.
> The attached patch removes support for executing code in .pth files, throwing an ImportWarning if any such attempts at import are seen.

Such a change will require a PEP, since it's an essential feature
that has been documented for a very long time:

and is used by a lot of existing setuptools installations, which
would break if Python were to remove support for this.

The PEP would also need to address the reasons for removing the
feature, e.g. explain possible attack vectors, confusion caused
by this, etc.

You can then reference this patch in the PEP.

Marc-Andre Lemburg
Date User Action Args
2015-06-29 20:27:16lemburgsetrecipients: + lemburg, brett.cannon, ncoghlan, r.david.murray, eric.snow, minrk, tdsmith
2015-06-29 20:27:16lemburglinkissue24534 messages
2015-06-29 20:27:16lemburgcreate