Author njs
Recipients jwilk, ncoghlan, njs, ztane
Date 2018-03-18.06:19:41
Message-id <1521353982.38.0.467229070634.issue33053@psf.upfronthosting.co.za>
In-reply-to
Content
Whoa, wait, what?

I agree that the original post is not as diplomatic as it could be, but my reaction to learning about this just now is also shock and confusion, so I guess I can sympathize with the OP a bit...

The reason I'm surprised is that -- while this probably wasn't fully anticipated when -m was designed -- it's turned out to be a bit of a meme to replace calls like 'pip ...' with 'python -m pip ...', or 'virtualenv ...' with 'python -m virtualenv ...', etc. I thought these were generally pretty much equivalent. I definitely did *not* know that running 'python -m pip' could lead to executing arbitrary code from the cwd, and I'm sure I've run it inside e.g. random git checkouts. If someone had tried to spearphish me with this they would totally have succeeded. (I hope they haven't?)

If you want to run a file in the current directory, is there any advantage to doing 'python -m myscript' instead of 'python myscript.py'? Could we declare that the latter is the One Obvious Way and remove support for the former entirely?
History
Date User Action Args
2018-03-18 06:19:42 njs set recipients: + njs, ncoghlan, jwilk, ztane
2018-03-18 06:19:42 njs set messageid: <1521353982.38.0.467229070634.issue33053@psf.upfronthosting.co.za>
2018-03-18 06:19:42 njs link issue33053 messages
2018-03-18 06:19:41 njs create
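
An added example, not part of the original message or of CPython: a pre-flight check for the behaviour discussed above, where `python -m <module>` puts the current directory at the front of `sys.path`. The names `cwd_shadows` and `demo` and the sample checkout contents are assumptions constructed for illustration.

```python
import importlib.machinery
import tempfile
from pathlib import Path


def cwd_shadows(module, cwd="."):
    """List entries in `cwd` that `python -m <module>` would import first.

    With -m, the current directory is placed at the front of sys.path, so a
    same-named file or package there wins over the installed one.
    """
    top = module.split(".")[0]  # the top-level name is resolved first
    base = Path(cwd)
    hits = []
    suffixes = importlib.machinery.all_suffixes()  # .py, .pyc, extension modules
    # A regular package (directory with __init__.*) takes precedence.
    pkg = base / top
    if any((pkg / ("__init__" + s)).is_file() for s in suffixes):
        hits.append(top + "/")
    # A bare directory is only a namespace-package candidate and does not
    # override a real module found later on sys.path, so it is not reported.
    for s in suffixes:
        if (base / (top + s)).is_file():
            hits.append(top + s)
    return hits


def demo():
    """Run the check against a constructed checkout (all files are stand-ins)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "pip.py").write_text("# constructed stand-in\n")
        (root / "virtualenv").mkdir()
        (root / "virtualenv" / "__init__.py").write_text("")
        (root / "docs").mkdir()  # bare directory, no __init__
        names = ("pip", "pip.__main__", "virtualenv", "docs", "json")
        return {n: cwd_shadows(n, d) for n in names}


if __name__ == "__main__":
    for name, found in demo().items():
        status = "SHADOWED by " + ", ".join(found) if found else "ok"
        print(f"python -m {name}: {status}")
```

Running the interpreter in isolated mode (`python -I -m pip ...`) keeps the current directory off `sys.path` altogether.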