Author Ethan Smith
Recipients Ethan Smith, barry, brett.cannon, christian.heimes, eric.smith, eric.snow, takluyver
Date 2018-06-22.22:19:24
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1529705964.91.0.56676864532.issue33944@psf.upfronthosting.co.za>
In-reply-to
Content
I am in favor of symlinks no longer being able to execute arbitrary code, however, I do think having them add to the path cannot be killed in two releases. Here is why:

1. Windows support for symlinks is still not automatic. In the creators update of Windows 10 (released March 2017), CreateSymbolicLink added a dwflag SYMBOLIC_LINK_FLAG_ALLOW_UNPRIVILEGED_CREATE. This requires the user to be in developer mode to work. CPython currently doesn't use this flag. (I will open an issue to add that in a moment). I worry that giving people little time to update will be troublesome.

2. All editable installs everywhere (AFAIK) and setuptools eggs (still somewhat common) use easy-install.pth to list where they are. I think breaking editable installs is a bad idea, as there is no clear solution for this. Also setuptools has a fair amount of work to do before it can replace egg installs.

So I think removing adding to the path will require much more thought and break a lot more code than removing arbitrary code execution.
History
Date User Action Args
2018-06-22 22:19:24Ethan Smithsetrecipients: + Ethan Smith, barry, brett.cannon, eric.smith, christian.heimes, eric.snow, takluyver
2018-06-22 22:19:24Ethan Smithsetmessageid: <1529705964.91.0.56676864532.issue33944@psf.upfronthosting.co.za>
2018-06-22 22:19:24Ethan Smithlinkissue33944 messages
2018-06-22 22:19:24Ethan Smithcreate