Hi,

On 22/11/2011 20:59, Zbigniew Jędrzejewski-Szmek wrote:
> On 11/22/2011 04:38 PM, Mathieu Malaterre wrote:
>> [CC me please]
>> [...]
> This is a very unfortunate interaction between Python semantics (prepend
> realpath of script to sys.path) and the Debian way of installing modules
> (symlink farm between Python versions). Nevertheless, I think that
> Python is wrong, and Debian is right. What Python does means that it is
> not possible to run a Python script from /tmp or any other directory
> writeable by other users securely. Even if this is by design, it is not
> advertised well (or maybe even at all?) and is thus a big security hole.

Could you request a doc edition on bugs.python.org? Thanks. You’ll
likely get feedback from Nick Coghlan, one of the core developers most
knowledgeable about the import system.

> You can wait for Python 3.2 and the PEP 3149 (ABI version tagged .so
> files) which makes the Debian-style symlinks farms unnecessary (just
> joking :).

Are you really joking? I thought that PEP 3147 and PEP 3149 were
especially designed to help Debian and Ubuntu get rid of their symlinks
farms.

Regards
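
The check below is an added example, not part of the original thread: it resolves a script path the way CPython does before taking the directory that goes to `sys.path[0]`, and reports whether another user could write a module into that directory. The function names and the temporary directory layout are constructed for illustration; only the script's own directory is inspected, not its parents.

```python
import os
import stat
import tempfile


def script_dir_findings(script_path):
    """Return (directory, reasons): the directory CPython would place at
    sys.path[0] for script_path, and why another user could write there."""
    # CPython resolves symlinks first, so a link kept in a private directory
    # still imports from the directory of the link target.
    real_dir = os.path.dirname(os.path.realpath(script_path))
    st = os.stat(real_dir)
    reasons = []
    if st.st_uid not in (0, os.geteuid()):
        reasons.append("owned by uid %d" % st.st_uid)
    if st.st_mode & stat.S_IWGRP:
        reasons.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        # The sticky bit on /tmp limits delete/rename, not file creation.
        reasons.append("world-writable")
    return real_dir, reasons


def build_demo_tree():
    """Constructed layout: shared/ mimics /tmp (mode 1777), private/ is 0700.
    private/link.py is a symlink to shared/tool.py; private/own.py is a file."""
    base = tempfile.mkdtemp()
    shared = os.path.join(base, "shared")
    private = os.path.join(base, "private")
    for path, mode in ((shared, 0o1777), (private, 0o700)):
        os.mkdir(path)
        os.chmod(path, mode)  # explicit chmod, independent of the umask
    paths = {
        "shared_script": os.path.join(shared, "tool.py"),
        "private_link": os.path.join(private, "link.py"),
        "private_script": os.path.join(private, "own.py"),
    }
    for key in ("shared_script", "private_script"):
        with open(paths[key], "w") as fh:
            fh.write("import json\n")
    os.symlink(paths["shared_script"], paths["private_link"])
    return paths


if __name__ == "__main__":
    for name, path in build_demo_tree().items():
        print(name, *script_dir_findings(path))
```

On Python 3.11 and later, `python -P` (or setting `PYTHONSAFEPATH`) stops the script directory from being prepended to `sys.path` at all.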