by amiga386
27 days ago
That appears to be an exploitable feature of the language, not the package manager per se. We could then add the philosophical question of asking what's the difference between:

1. Adding malicious code to a package's .pth file that's evaluated automatically on every python invocation

2. Adding malicious code to the package itself that's evaluated automatically on every python invocation _that uses that package_

Packaging systems that don't run arbitrary code when you install a package are more trustworthy than ones that do, but there's still the essential trust you have to place in all code you're installing, directly and indirectly.
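The .pth behaviour the comment refers to, shown as an added example that is not part of the thread: CPython's site.py treats any line in a .pth file that begins with "import " (or "import" followed by a tab) as a Python statement and exec()s it while building sys.path, so a one-line .pth in any site directory runs on every interpreter start without anyone importing the package. The code below writes such a file into a temporary directory (the directory name, the file name and the environment-variable marker are all constructed for the demo), processes it with site.addsitedir() exactly as startup would, and includes a small audit that lists the .pth lines a site directory will execute.

```python
"""Added example: show that a .pth "import" line runs at site initialisation,
and audit a site directory for .pth lines that site.py will exec().
All paths and names here are constructed for the demo."""
import os
import site
import tempfile

# site.py's addpackage() exec()s lines with these prefixes; all other
# non-blank, non-comment lines are treated as path entries for sys.path.
EXECUTABLE_PREFIXES = ("import ", "import\t")


def find_executable_pth_lines(site_dir):
    """Return [(filename, lineno, line)] for every .pth line that site.py
    would exec() when it processes site_dir. Useful as a quick audit of
    site-packages after installing something you do not fully trust."""
    findings = []
    for name in sorted(os.listdir(site_dir)):
        if not name.endswith(".pth"):
            continue
        path = os.path.join(site_dir, name)
        with open(path, encoding="utf-8") as fh:
            for lineno, raw in enumerate(fh, 1):
                line = raw.rstrip("\n")
                if line.startswith(EXECUTABLE_PREFIXES):
                    findings.append((name, lineno, line))
    return findings


def demo_pth_execution():
    """Drop a .pth file whose import line sets an environment variable, then
    process the directory the way interpreter startup does. Returns
    (ran, findings): whether the line executed, and what the audit reports."""
    site_dir = tempfile.mkdtemp(prefix="fake-site-packages-")  # constructed
    marker = "_PTH_DEMO_RAN"  # constructed marker, not a real variable
    pth_path = os.path.join(site_dir, "zzz-demo.pth")  # constructed name
    with open(pth_path, "w", encoding="utf-8") as fh:
        # One "import" line can carry arbitrary code via ';' or exec().
        fh.write(f"import os; os.environ['{marker}'] = '1'\n")
        # An ordinary path line: only appended to sys.path, never executed.
        fh.write("some_subdir\n")

    os.environ.pop(marker, None)
    site.addsitedir(site_dir)  # same code path site.py runs at startup
    ran = os.environ.get(marker) == "1"
    return ran, find_executable_pth_lines(site_dir)


if __name__ == "__main__":
    executed, report = demo_pth_execution()
    print("import line executed at site init:", executed)
    for fname, lineno, text in report:
        print(f"{fname}:{lineno}: {text}")
```

Because the marker is set before any module from the "package" is imported, the example makes the comment's distinction concrete: a .pth payload fires on every Python start, whereas code inside the package only fires when something imports it. The audit function is deliberately narrow; it reports only lines site.py will exec(), so path-only .pth files (the normal case for editable installs) do not show up.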