[cheesecake-users] Safety
Michał Kwiatkowski
constant.beta at gmail.com
Mon May 19 12:09:44 PDT 2008
On Mon, May 19, 2008 at 6:04 PM, Grig Gheorghiu
<grig.gheorghiu at gmail.com> wrote:
> On Mon, May 19, 2008 at 8:56 AM, Noah Kantrowitz <kantrn at rpi.edu> wrote:
>> Does cheesecake_index ever actually execute any code from the package
>> it is scoring? I want to know if it would be safe to run it against
>> completely unknown (and therefore potentially hostile) code.
>
> Noah -- cheesecake_index doesn't execute any code. Everything is
> inspected statically. Michal and I were planning on enhancing
> Cheesecake with the capability of executing code (such as unit tests)
> in a sandboxed environment, but that's for Cheesecake 3k :-)

That's not exactly true. During package installation, the setup.py script
is run, which in turn can execute any other Python code. There is,
however, a way to avoid that. Use the --static option (or -t) to skip
the package installation step and you should be safe.

Cheers,
mk
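
Added illustration (not part of the original message and not Cheesecake's own code): the difference between running setup.py and inspecting it statically, shown with Python's ast module. The sketch reads setup() metadata from a constructed setup.py without executing it and lists the calls an installation would have run; the sample file and the function names are assumptions made for this example.

```python
import ast

# Constructed sample: a setup.py that would run a shell command if executed.
SAMPLE_SETUP_PY = '''
import os
from setuptools import setup

os.system("echo this runs at install time")

setup(
    name="example-pkg",
    version="0.1",
    packages=["example"],
    long_description=open("README.txt").read(),
)
'''

def dotted_name(node):
    """Return a call target as a dotted name, e.g. 'os.system'."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        return dotted_name(node.value) + "." + node.attr
    return "<dynamic>"

def inspect_setup_py(source):
    """Statically inspect setup.py source (hypothetical helper)."""
    tree = ast.parse(source)  # parses only; nothing in `source` is executed
    metadata, dynamic, other_calls = {}, [], []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = dotted_name(node.func)
        if name.split(".")[-1] != "setup":
            other_calls.append(name)  # would run if setup.py were executed
            continue
        for kw in node.keywords:
            if kw.arg is None:  # **kwargs expansion, value unknown statically
                dynamic.append("**")
                continue
            try:
                metadata[kw.arg] = ast.literal_eval(kw.value)
            except (ValueError, TypeError):
                dynamic.append(kw.arg)  # computed at run time, not a literal
    return {"metadata": metadata, "dynamic": dynamic,
            "calls": sorted(set(other_calls))}

if __name__ == "__main__":
    print(inspect_setup_py(SAMPLE_SETUP_PY))
```

Any entry under "calls" or "dynamic" is code that only an actual installation would evaluate, which is the step the static option skips.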