Message 350625 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	qix-
Recipients	Anthony Sottile, Chris Billington, Ivan.Pozdeev, Peter L3, SilentGhost, __Vano, barry, brett.cannon, cheryl.sabella, christian.heimes, eric.smith, eric.snow, ethan smith, ionelmc, jaraco, mhammond, ncoghlan, nedbat, pitrou, qix-, steve.dower, takluyver, terry.reedy, veky, yan12125
Date	2019-08-27.10:13:44
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1566900825.09.0.687856835044.issue33944@roundup.psfhosted.org>
In-reply-to

Content
-1 This would make `better_exceptions` irreparably un-ergonomic. https://github.com/qix-/better-exceptions .PTH files are commonly used to install development middleware in order to enhance the development and debugging experience. I recognize the need for security, but could we instead focus on improving the security of the existing .PTH system instead of throwing out the baby with the bathwater? The search "pth files python virus\|malicious" on Google returns this issue. Is .PTH a previously exploited vector? This is like saying NPM's `install` scripts are a vector. I'm not going to be running code that I don't at least trust a little. This issue reads like someone had a bad time with some poorly written Python code that was stuck inside a .PTH file, had to debug why it was causing a problem, and came here to cry about it (no offense, Barry). Instead of improving it, the first inclination was to remove it altogether without any regard to its use-cases or the effects it would have on some packages that rely on it. Let's improve it, not kill it.

-1

This would make `better_exceptions` irreparably un-ergonomic.

https://github.com/qix-/better-exceptions

.PTH files are commonly used to install development middleware in order to enhance the development and debugging experience.

I recognize the need for security, but could we instead focus on improving the security of the existing .PTH system instead of throwing out the baby with the bathwater?

The search "pth files python virus|malicious" on Google returns this issue. Is .PTH a previously exploited vector? This is like saying NPM's `install` scripts are a vector. I'm not going to be running code that I don't at least trust a little.

This issue reads like someone had a bad time with some poorly written Python code that was stuck inside a .PTH file, had to debug why it was causing a problem, and came here to cry about it (no offense, Barry).

Instead of improving it, the first inclination was to remove it altogether without any regard to its use-cases or the effects it would have on some packages that rely on it.

Let's improve it, not kill it.

History
Date	User	Action	Args
2019-08-27 10:13:45	qix-	set	recipients: + qix-, mhammond, barry, brett.cannon, terry.reedy, jaraco, ncoghlan, pitrou, eric.smith, christian.heimes, nedbat, ionelmc, SilentGhost, __Vano, eric.snow, takluyver, steve.dower, veky, Ivan.Pozdeev, yan12125, Anthony Sottile, ethan smith, cheryl.sabella, Chris Billington, Peter L3
2019-08-27 10:13:45	qix-	set	messageid: <1566900825.09.0.687856835044.issue33944@roundup.psfhosted.org>
2019-08-27 10:13:45	qix-	link	issue33944 messages
2019-08-27 10:13:44	qix-	create