GNU social JP
GNU social JP is a Japanese GNU social server.
Untitled attachment
Notices where this attachment appears

  1. Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Friday, 12-Dec-2025 00:20:12 JST
    @Eldeberen do venvs also protect against sudo in setup.py and against catgirls being installed into your home directory? :D

    https://moyix.blogspot.com/2022/09/someones-been-messing-with-my-subnormals.html
    In conversation about 5 days ago from queer.hacktivis.me
  2. Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Wednesday, 12-Nov-2025 04:51:04 JST

    @phnt @sjvn @wolf480pl At least that comes from PyPI, there's also some horrors which download blobs in the setup.py or during runtime.

    In conversation about a month ago from queer.hacktivis.me
  3. Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Wednesday, 22-Oct-2025 01:57:37 JST
    @ariadne @js Yeah, so RCE *vector* but not a straight up RCE.
    Can seem pedantic but I think it's a very different thing if you can extract, possibly make some checks and then execute, or "if you extract you risk executing malware".

    (Although reminds me that pip is stuck to extracting & executing setup.py but that's why I don't use it, it's architecturally unsafe)
    In conversation about 2 months ago from queer.hacktivis.me
  4. Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Friday, 29-Aug-2025 22:07:51 JST
    @ska @hipsterelectron And pip is a pretty bad package manager… at least as long as setup.py exists (still used in a *lot* of places)
    https://github.com/pypa/pip/issues/1884
    In conversation about 4 months ago from queer.hacktivis.me
  5. Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Friday, 02-May-2025 17:14:25 JST
    @alex True, people should verify the code instead, but virtually nobody does that, as proven by backdoors which got discovered after deployment like Jia Tan's on xz-utils.
    Or how some tools don't allow verifying first, like pip always runs setup.py: https://github.com/pypa/pip/issues/1884

    Typically because there is just too much code that one has to run on their machines, so we need to be able to delegate some trust (Be it via signatures on commits, tags or tarballs. Or to a distro).

    ---

    I doubt GoToSocial does JSON-LD Signatures as it's a royal pain to deal with (mostly due to having to canonicalize JSON) and most of the Fediverse doesn't use them.

    It's more likely that GoToSocial's HTTP Signature verification is somewhat broken.
    In conversation about 8 months ago from queer.hacktivis.me
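The posts above make the point that pip executes setup.py before anyone can inspect it, so any review has to happen on the sdist before pip touches it. The following is an added example (not code from any of the posters or from pip) of such a pre-install check: it opens an sdist tarball purely statically, reports whether the package relies on an executable setup.py or on declarative pyproject.toml metadata, and flags calls in setup.py that reach outside the build. The suspicious-call list and the tarball are constructed for this example.

```python
import ast
import io
import tarfile

# Calls in setup.py worth a human look before pip runs it (hypothetical list).
SUSPICIOUS = {"os.system", "subprocess.run", "subprocess.Popen",
              "subprocess.call", "urllib.request.urlopen", "ctypes.CDLL"}

def _dotted(node):
    """Return 'pkg.mod.attr' for a Name/Attribute chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None

def review_sdist(data: bytes) -> dict:
    """Inspect sdist tar.gz bytes without executing anything in it."""
    report = {"has_setup_py": False, "has_pyproject": False, "flagged": []}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar.getmembers():
            name = member.name.rsplit("/", 1)[-1]
            if name == "pyproject.toml":
                report["has_pyproject"] = True
            elif name == "setup.py" and member.isfile():
                report["has_setup_py"] = True
                src = tar.extractfile(member).read().decode("utf-8", "replace")
                for node in ast.walk(ast.parse(src)):  # static parse only
                    if isinstance(node, ast.Call):
                        callee = _dotted(node.func)
                        if callee in SUSPICIOUS:
                            report["flagged"].append((node.lineno, callee))
    return report

def build_sample() -> bytes:
    """Constructed sdist whose setup.py fetches a URL and spawns a process."""
    setup_py = ("import subprocess, urllib.request\n"
                "from setuptools import setup\n"
                "urllib.request.urlopen('http://example.invalid/extra')\n"
                "subprocess.run(['make'])\n"
                "setup(name='demo', version='0.1')\n").encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("demo-0.1/setup.py")
        info.size = len(setup_py)
        tar.addfile(info, io.BytesIO(setup_py))
    return buf.getvalue()
```

Run `review_sdist(build_sample())` to see the report; a real sdist downloaded with `pip download --no-deps --no-binary :all:` can be passed in the same way before it is ever installed.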
  6. Cassandra is only carbon now (xgranade@wandering.shop)'s status on Wednesday, 11-Dec-2024 07:42:35 JST

    @SnoopJ @glyph To be sure, I'm glad setup.py is there as an escape hatch for things that declarative setups can't represent. There's still a lot of libraries out there that could absolutely be pyproject.tomls and... aren't.

    In conversation about a year ago from wandering.shop
GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.