From kantrn at rpi.edu Mon May 19 08:56:26 2008
From: kantrn at rpi.edu (Noah Kantrowitz)
Date: Mon, 19 May 2008 11:56:26 -0400
Subject: [cheesecake-users] Safety
Message-ID: <12E07E96-456A-4709-B740-3C5BA6CFCB87@rpi.edu>

Does cheesecake_index ever actually execute any code from the package it is scoring? I want to know if it would be safe to run it against completely unknown (and therefore potentially hostile) code.

--Noah

From grig.gheorghiu at gmail.com Mon May 19 09:04:31 2008
From: grig.gheorghiu at gmail.com (Grig Gheorghiu)
Date: Mon, 19 May 2008 09:04:31 -0700
Subject: [cheesecake-users] Safety
In-Reply-To: <12E07E96-456A-4709-B740-3C5BA6CFCB87@rpi.edu>
References: <12E07E96-456A-4709-B740-3C5BA6CFCB87@rpi.edu>
Message-ID: <3f09d5a00805190904x5669c958obbb5faf8f65e012@mail.gmail.com>

On Mon, May 19, 2008 at 8:56 AM, Noah Kantrowitz wrote:
> Does cheesecake_index ever actually execute any code from the package
> it is scoring? I want to know if it would be safe to run it against
> completely unknown (and therefore potentially hostile) code.
>

Noah -- cheesecake_index doesn't execute any code. Everything is inspected statically. Michal and I were planning on enhancing Cheesecake with the capability of executing code (such as unit tests) in a sandboxed environment, but that's for Cheesecake 3k :-)

Grig

From constant.beta at gmail.com Mon May 19 12:09:44 2008
From: constant.beta at gmail.com (Michał Kwiatkowski)
Date: Mon, 19 May 2008 21:09:44 +0200
Subject: [cheesecake-users] Safety
In-Reply-To: <3f09d5a00805190904x5669c958obbb5faf8f65e012@mail.gmail.com>
References: <12E07E96-456A-4709-B740-3C5BA6CFCB87@rpi.edu> <3f09d5a00805190904x5669c958obbb5faf8f65e012@mail.gmail.com>
Message-ID: <5e8b0f6b0805191209u69146fc3wc926b5b781e7e4c3@mail.gmail.com>

On Mon, May 19, 2008 at 6:04 PM, Grig Gheorghiu wrote:
> On Mon, May 19, 2008 at 8:56 AM, Noah Kantrowitz wrote:
>> Does cheesecake_index ever actually execute any code from the package
>> it is scoring? I want to know if it would be safe to run it against
>> completely unknown (and therefore potentially hostile) code.
>
> Noah -- cheesecake_index doesn't execute any code. Everything is
> inspected statically. Michal and I were planning on enhancing
> Cheesecake with the capability of executing code (such as unit tests)
> in a sandboxed environment, but that's for Cheesecake 3k :-)

That's not exactly true. During package installation the setup.py script is run, which in turn can execute any other Python code. There is however a way to avoid that. Use the --static option (or -t) to skip the package installation step and you should be safe.

Cheers,
mk
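As an added illustration of the point above (this is not code from the thread or from Cheesecake itself), the following shows how setup() metadata can be recovered from a setup.py without running it, by parsing the file with Python's ast module. The sample setup.py is constructed: it carries ordinary metadata alongside a top-level call and a non-literal argument, both of which would only take effect if the script were executed during installation.

```python
import ast

# Constructed sample setup.py (not a real package): plain metadata plus a
# top-level call and a dynamic argument that run only if the file is executed.
SAMPLE_SETUP_PY = '''
import os
import subprocess
from setuptools import setup

subprocess.call(["echo", "hello"])  # executes on every `setup.py install`

setup(
    name="example-pkg",
    version="1.2.3",
    author="Someone",
    install_requires=["requests>=2.0"],
    packages=[p for p in os.listdir(".")],  # not a literal; evaluated at install
)
'''


def inspect_setup_py(source: str) -> dict:
    """Extract setup() keyword metadata statically, without executing setup.py.

    Keyword arguments that are literals are recovered with ast.literal_eval;
    anything else is listed under 'dynamic'. Every top-level statement other
    than an import or the setup() call itself is counted as code that would
    execute on installation, which is the risk a static pass avoids.
    """
    tree = ast.parse(source)
    metadata, dynamic, executed_statements = {}, [], 0
    for node in tree.body:
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            continue
        call = node.value if isinstance(node, ast.Expr) and isinstance(node.value, ast.Call) else None
        if call is not None and getattr(call.func, "id", None) == "setup":
            for kw in call.keywords:
                try:
                    metadata[kw.arg] = ast.literal_eval(kw.value)
                except ValueError:  # raised for any non-literal expression
                    dynamic.append(kw.arg)
            continue
        executed_statements += 1
    return {"metadata": metadata, "dynamic": dynamic,
            "executed_statements": executed_statements}


if __name__ == "__main__":
    print(inspect_setup_py(SAMPLE_SETUP_PY))
```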