[Python-ideas] Enhancing Zipapp
On Mon, Jan 6, 2020 at 11:53 PM Chris Angelico <rosuav at gmail.com> wrote:
> On Tue, Jan 7, 2020 at 6:37 AM Abdur-Rahmaan Janhangeer
> <arj.python at gmail.com> wrote:
> Where is this directory? What if it already contains content?
It's sometimes typical for extracted zips to be in temporary folders. If we
wheels maybe we can have a permanent folder for extracting the wheels and
interpreter looks for those in it
> Are you proposing that *any* zipapp archive is capable of downloading
> arbitrary code from the internet and then running it, without any
> prompting from the user?
Exactly the opposite, the archive bundler includes all that have to be
included so that
the app runner does not have to do it. Proposing to include pa
If we are talking about the scenario where a malware already lying in wait
packages folder then it's the same as malware entering the interpreter's
If we are talking about malicious code in a package that gets called when
running the zipapp
without prompt, then that's the same issue with all executables (like apps
built with pyinstaller).
If ever we want to mitigate that risk, it depends if we trust the sender.
That's also where the
proposed security features come into play.