buildout should offer a global egg unzip flag

Bug #181316 reported by Steve McMahon
Affects: zopeproject
Status: Invalid
Importance: Undecided
Assigned to: Unassigned

Bug Description

I've been trying lately to identify places where the Zope 2 server needs write access that might be insecure. One spot is the $HOME/.egg-info directory used to unpack zipped egg files. I realize that it's Python doing this, and not Zope itself, but it's still a security problem if the server process needs write access to a directory that contains its own code.

I've solved this problem in the past by using easy_install's --always-unzip flag when fetching eggs. I'd like to be able to do the same thing via buildout.

Note that zc.recipe.egg allows you to set an "unzip = true" flag. It would be great if an option like this was available globally in buildout so that "eggs = " sections in the top-level buildout would always be unzipped.

Steve McMahon (stevemcmahon) wrote :

I have refiled this in the buildout bug tracker. Sorry for dropping it in the wrong spot!

Changed in zopeproject:
status: New → Invalid
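
Added example, not part of the original report and not buildout's own code: a defender-side audit of the condition the report describes, listing path entries that are still zipped eggs and checking whether the running account can write to the directory they would be unpacked into. The function names, the sample eggs and the `cache_dir` argument are assumptions made for illustration.

```python
import os
import tempfile
import zipfile

NATIVE_SUFFIXES = (".so", ".pyd", ".dll", ".dylib")


def zipped_eggs(path_entries):
    """Entries that are .egg zip archives rather than unpacked directories."""
    return [p for p in path_entries
            if p.endswith(".egg") and os.path.isfile(p) and zipfile.is_zipfile(p)]


def native_members(egg):
    """Compiled modules in a zipped egg; these cannot be imported from a zip."""
    with zipfile.ZipFile(egg) as zf:
        return [n for n in zf.namelist() if n.endswith(NATIVE_SUFFIXES)]


def audit(path_entries, cache_dir):
    """Report zipped eggs and whether this process can write to cache_dir."""
    eggs = {egg: native_members(egg) for egg in zipped_eggs(path_entries)}
    return {
        "zipped": eggs,
        # Pure-Python zipped eggs can still be unpacked at run time when code
        # asks pkg_resources for a real file path, so every entry matters.
        "native_code": sorted(e for e, libs in eggs.items() if libs),
        "cache_writable": os.path.isdir(cache_dir) and os.access(cache_dir, os.W_OK),
    }


def build_sample(root):
    """Constructed sample: two zipped eggs (one with native code), one unzipped."""
    native = os.path.join(root, "fast-1.0.egg")
    with zipfile.ZipFile(native, "w") as zf:
        zf.writestr("fast/__init__.py", "")
        zf.writestr("fast/_speedups.so", "constructed placeholder, not a real library")
    pure = os.path.join(root, "pure-1.0.egg")
    with zipfile.ZipFile(pure, "w") as zf:
        zf.writestr("pure/__init__.py", "")
    unzipped = os.path.join(root, "plain-1.0.egg")
    os.makedirs(os.path.join(unzipped, "plain"))
    cache = os.path.join(root, "egg-cache")  # hypothetical extraction directory
    os.mkdir(cache)
    return [native, pure, unzipped], cache


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        entries, cache = build_sample(tmp)
        print(audit(entries, cache))
```

In real use, pass `sys.path` from the server's interpreter and the egg extraction directory of the account the server runs as.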