On Wed, May 11, 2022 at 10:24:17AM -0400, Robbie Harwood wrote:
> Ben Cotton <bcotton(a)redhat.com> writes:
>
> > :Don’t prepend a potentially unsafe path to `sys.path`:
>
> If this is a safety/security issue, why not just make it the default for
> python itself?

Yeah, I agree. I think Python upstream should own up to the fact that
adding '.' to sys.path was always a mistake.
Just ask a random user: is

  echo 'import sys; print(sys.version)' >/tmp/test.py
  python /tmp/test.py

safe to execute on a multi-user system?

Zbyszek

P.S. If we can't get the proper fix, this Change proposal is better
than nothing. So I'll vote +1 on the proposal. But I think we can do
better.
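
An added example, not part of the original message or of the Change proposal: a small audit that runs a probe script from a constructed /tmp-like directory and reports whether the interpreter searches that directory first, by default and with the isolated-mode flag `-I`. The names `audit`, `demo` and `PROBE` are hypothetical and the probe script is constructed for the example.

```python
import os
import stat
import subprocess
import sys
import tempfile

PROBE = "import sys; print(sys.path[0])\n"  # constructed stand-in for /tmp/test.py


def first_path_entry(script, *flags):
    """Run script in a child interpreter and return the sys.path[0] it saw."""
    # Drop PYTHONSAFEPATH so the child shows the interpreter's default behaviour.
    env = {k: v for k, v in os.environ.items() if k != "PYTHONSAFEPATH"}
    out = subprocess.run([sys.executable, *flags, script], env=env,
                         capture_output=True, text=True, check=True)
    return os.path.realpath(out.stdout.strip())


def writable_by_others(directory):
    """True if group or other users may create files in the directory."""
    return bool(os.stat(directory).st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit(script):
    """Report whether running the script searches a shared directory first."""
    script_dir = os.path.dirname(os.path.realpath(script))
    return {
        "default_searches_script_dir": first_path_entry(script) == script_dir,
        "isolated_searches_script_dir": first_path_entry(script, "-I") == script_dir,
        "script_dir_shared": writable_by_others(script_dir),
    }


def demo():
    """Audit a probe script placed in a constructed /tmp-like directory."""
    with tempfile.TemporaryDirectory() as d:
        os.chmod(d, 0o1777)  # same mode as a typical /tmp
        script = os.path.join(d, "test.py")
        with open(script, "w") as fh:
            fh.write(PROBE)
        return audit(script)


if __name__ == "__main__":
    print(demo())
```

On Python 3.11 and later, `-P` (or the `PYTHONSAFEPATH` environment variable) removes only the script directory from `sys.path`, without the other restrictions of `-I`.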