Message337351
I did my best to classify those on pypi that were using `.pth` files. My initial search had quite a few false positives (and now that I look at it, completely missed `.zip`-based source distributions so there's likely some false negatives as well)
Here's the summary of the categorizations:
$ cut -d, -f2 < data.csv | sort | uniq -c
2 backport
4 coverage
4 debugging
2 demo
9 encoding
7 except-hook
58 false-positive
6 import-hook
20 module-layout
20 monkeypatch
I realized about halfway through that "monkeypatch" was probably too broad of a category but continued with that through all of them, the monkeypatch category contains a few classes of things: fixing third party libraries, disabling ssl (yikes!), adding some "features" to builtins / stdlib modules -- which unfortunately I didn't really classify properly.
There was a single .pth file that I deemed "malicious" since it completely breaks the `subprocess` module (`subprocess-run`) but other than that they all seemed ~mostly not the worst.
A lot of the `module-layout` ones could be solved with things provided directly by `setuptools`, or just by rearranging their distribution's files.
The raw data is available in csv: https://github.com/asottile/pth-file-investigation/blob/master/data.csv

Date | User | Action | Args
2019-03-07 01:41:51 | Anthony Sottile | link | issue33944 messages
2019-03-07 01:41:51 | Anthony Sottile | create |
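The categories above rest on one fact about `.pth` processing: a line that begins with `import ` (or `import` followed by a tab) is exec'd by `site.py` at interpreter startup, while every other non-blank, non-comment line is just a path appended to `sys.path`. The following audit script, added here as an example and not part of the investigation's own tooling, applies that rule to flag the executing lines in the `.pth` files of an installed environment; the sample `.pth` contents and the `_mypkg_startup_hook` module name are constructed for illustration.

```python
"""Audit .pth files: report which lines execute code at interpreter startup."""
import site
from pathlib import Path


def classify_pth_line(line: str) -> str:
    """Mirror site.addpackage(): '#' comments and blank lines are skipped,
    'import ' / 'import\\t' lines are exec'd, everything else is a sys.path entry."""
    if line.startswith("#") or line.strip() == "":
        return "ignored"
    if line.startswith(("import ", "import\t")):
        return "executes"
    return "path"


def audit_pth_text(name: str, text: str) -> dict:
    """Summarise one .pth file: per-kind line counts plus the executing lines."""
    counts = {"ignored": 0, "executes": 0, "path": 0}
    executing = []
    for line in text.splitlines(keepends=True):
        kind = classify_pth_line(line)
        counts[kind] += 1
        if kind == "executes":
            executing.append(line.rstrip("\n"))
    return {"file": name, "counts": counts, "executing_lines": executing}


def audit_site_packages(dirs=None):
    """Audit every .pth file in the given dirs (default: this interpreter's site dirs)."""
    if dirs is None:
        dirs = site.getsitepackages() + [site.getusersitepackages()]
    reports = []
    for d in dirs:
        for pth in sorted(Path(d).glob("*.pth")):
            reports.append(audit_pth_text(str(pth), pth.read_text(errors="replace")))
    return reports


# Constructed samples: a layout-only .pth and one that runs code at startup.
SAMPLE_LAYOUT = "../mypkg/src\n# relative paths are resolved against the site dir\n"
SAMPLE_HOOK = ("import sys; sys.path.insert(0, '/opt/x')\n"
               "import _mypkg_startup_hook\n")  # hypothetical module name

if __name__ == "__main__":
    for report in audit_site_packages():
        if report["executing_lines"]:
            print(report["file"])
            for line in report["executing_lines"]:
                print("    ", line)
```

Run it inside a virtualenv to list every `.pth` line that will execute on each Python start; anything other than a plain path is worth reviewing against the categories in the post.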