GNU bug report logs - #70440
[PATCH] Use -P switch when calling 'python-interpreter'


Package: emacs;

Reported by: Augusto Stoffel <arstoffel <at> gmail.com>

Date: Wed, 17 Apr 2024 18:24:04 UTC

Severity: normal

Tags: patch


From: Augusto Stoffel <arstoffel <at> gmail.com>
To: Eli Zaretskii <eliz <at> gnu.org>
Cc: 70440 <at> debbugs.gnu.org, kobarity <at> gmail.com
Subject: bug#70440: [PATCH] Use -P switch when calling 'python-interpreter'
Date: Fri, 19 Apr 2024 17:55:51 +0200

On Fri, 19 Apr 2024 at 18:40, Eli Zaretskii wrote:

> I'm not sure I understand: if the user doesn't have a version of
> Python which supports this option, what else can we do?  Refuse to
> use such a Python?  That doesn't seem to be an option we can use.

Why not?  Let me make sure we're on the same page that this affects only
a couple of handy but by no means essential commands that add or remove
import statements.  Nobody _needs_ this to write Python code.

> Yes, this is a security hole, but it's the user's security hole, not
> ours, if the user doesn't install the safer Python.

I see it as _my_ security hole, since it was me who added a line to
Emacs that calls 'python -c' in a random directory without removing the
current directory from the module load path (as much as I find it a bad
design choice in Python to do that by default.)
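
The behaviour discussed in this message can be checked on any given interpreter with the following added example, which is not part of the original message or of Emacs. It reports whether the interpreter accepts -P (available since Python 3.11) and whether a module sitting in the working directory is importable under 'python -c'; the module name `cwd_shadow_probe` and all function names are hypothetical, and the probe file is constructed and harmless.

```python
import os
import subprocess
import sys
import tempfile

MARKER = "cwd_shadow_probe"  # constructed, harmless module name (assumption)


def _clean_env():
    # Drop PYTHONSAFEPATH so only the command-line switch is measured.
    env = dict(os.environ)
    env.pop("PYTHONSAFEPATH", None)
    return env


def supports_safe_path(interpreter):
    """Return True if `interpreter` accepts -P and reports safe_path on."""
    try:
        proc = subprocess.run(
            [interpreter, "-P", "-c", "import sys; print(sys.flags.safe_path)"],
            capture_output=True, text=True, env=_clean_env(), timeout=30)
    except OSError:
        return False
    # Interpreters older than 3.11 reject the unknown option and exit non-zero.
    return proc.returncode == 0 and proc.stdout.strip() == "True"


def cwd_module_importable(interpreter, switches):
    """Run `<interpreter> <switches> -c 'import MARKER'` in a directory
    holding MARKER.py; return True if the import succeeded."""
    with tempfile.TemporaryDirectory() as workdir:
        with open(os.path.join(workdir, MARKER + ".py"), "w") as fh:
            fh.write("LOADED_FROM_CWD = True\n")
        proc = subprocess.run(
            [interpreter, *switches, "-c", f"import {MARKER}"],
            cwd=workdir, capture_output=True, env=_clean_env(), timeout=30)
    return proc.returncode == 0


def plan_invocation(interpreter):
    """Return the switches to use, or None to refuse an interpreter without -P."""
    return ["-P"] if supports_safe_path(interpreter) else None


if __name__ == "__main__":
    exe = sys.executable
    print("default 'python -c' imports from cwd:", cwd_module_importable(exe, []))
    print("interpreter accepts -P:", supports_safe_path(exe))
    print("planned switches:", plan_invocation(exe))
```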




This bug report was last modified 1 year and 59 days ago.
