
Author Anthony Sottile
Recipients Anthony Sottile, Chris Billington, Ivan.Pozdeev, Peter L3, SilentGhost, __Vano, barry, brett.cannon, cheryl.sabella, christian.heimes, eric.smith, eric.snow, ethan smith, ionelmc, jaraco, mhammond, ncoghlan, pitrou, steve.dower, takluyver, terry.reedy, veky
Date 2019-03-07.01:41:51
Message-id <1551922911.68.0.160680444043.issue33944@roundup.psfhosted.org>
Content
I did my best to classify those on PyPI that were using `.pth` files.  My initial search had quite a few false positives (and now that I look at it, completely missed `.zip`-based source distributions so there's likely some false negatives as well).

Here's the summary of the categorizations:

$ cut -d, -f2 < data.csv | sort | uniq -c
      2 backport
      4 coverage
      4 debugging
      2 demo
      9 encoding
      7 except-hook
     58 false-positive
      6 import-hook
     20 module-layout
     20 monkeypatch


I realized about halfway through that "monkeypatch" was probably too broad of a category but continued with that through all of them. The monkeypatch category contains a few classes of things: fixing third party libraries, disabling ssl (yikes!), adding some "features" to builtins / stdlib modules -- which unfortunately I didn't really classify properly.

There was a single .pth file that I deemed "malicious" since it completely breaks the `subprocess` module (`subprocess-run`) but other than that they all seemed ~mostly not the worst.

A lot of the `module-layout` ones could be solved with things provided directly by `setuptools`, or just by rearranging their distribution's files.

The raw data is available in csv: https://github.com/asottile/pth-file-investigation/blob/master/data.csv
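
The following audit script is an added example, not part of the original message or of the linked repository. It applies the line rules that `site.py` uses when reading a `.pth` file, so the lines that would be executed at interpreter startup can be reviewed separately from plain path entries; the function names and the sample text are assumptions made for illustration.

```python
"""Audit .pth files: list the lines site.py would exec() at startup."""
import os
import site
import sys


def classify_pth_text(text):
    """Split .pth content the way site.addpackage() reads it.

    Returns (path_entries, exec_lines). A line starting with "import " or
    "import\\t" is executed; any other non-blank, non-comment line is a
    directory that gets appended to sys.path if it exists.
    """
    path_entries, exec_lines = [], []
    for raw in text.splitlines():
        if raw.startswith("#") or not raw.strip():
            continue
        if raw.startswith(("import ", "import\t")):
            exec_lines.append(raw.rstrip())
        else:
            path_entries.append(raw.rstrip())
    return path_entries, exec_lines


def audit_site_dir(site_dir):
    """Map each .pth file name in site_dir to its executable lines."""
    findings = {}
    for name in sorted(os.listdir(site_dir)):
        if not name.endswith(".pth"):
            continue
        path = os.path.join(site_dir, name)
        with open(path, encoding="utf-8-sig", errors="replace") as fh:
            _, exec_lines = classify_pth_text(fh.read())
        if exec_lines:
            findings[name] = exec_lines
    return findings


# Constructed sample, not taken from data.csv. "importlib_dir" only looks
# like an import statement; without the trailing space it is a path entry.
SAMPLE = "# comment\n../src\nimport sys; sys.excepthook = print\n\nimportlib_dir\n"

if __name__ == "__main__":
    dirs = sys.argv[1:] or site.getsitepackages() + [site.getusersitepackages()]
    for d in filter(os.path.isdir, dirs):
        for pth, lines in audit_site_dir(d).items():
            for line in lines:
                print(f"{os.path.join(d, pth)}: {line}")
```

Run with no arguments it scans the interpreter's own site directories; pass directory paths to scan an unpacked distribution instead.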