Package archive misses permissions
Bug #1243202 reported by Bruno
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
dateutil | Fix Released | Undecided | Unassigned | |
Bug Description
The distribution available on PyPI has all file permissions set to 600 and directories to 700.
Distributions patch this themselves when packaging python-dateutil:
Modern installers normalize permissions (pip does) but easy_install or setup.py install doesn't, meaning tools relying on easy_install or setup.py (such as FPM) may end up with insufficient permissions to run the code as a non-root user.
Would it be possible to have the correct permissions in the tarball directly? Adding a+r and g+r seems reasonable.
This only concerns non-python files:
$ find . ! -perm -a+r
./dateutil/zoneinfo/zoneinfo--latest.tar.gz
./python_dateutil-2.1.egg-info/not-zip-safe
./python_dateutil-2.1.egg-info/PKG-INFO
./python_dateutil-2.1.egg-info/top_level.txt
./python_dateutil-2.1.egg-info/SOURCES.txt
./python_dateutil-2.1.egg-info/dependency_links.txt
./python_dateutil-2.1.egg-info/requires.txt
But some of these are needed at runtime by pkg_resources it seems.
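An added example, not part of the original report or of dateutil's own tooling: a pre-release check that lists archive members whose modes would leave them unreadable to a non-owner after an install that preserves tarball permissions, and repacks the archive with read added for everyone (plus execute on directories). The function names and the in-memory sample archive are constructed for illustration.

```python
import io
import tarfile

def normalized_mode(member):
    """Mode after adding read for all, plus execute for dirs and owner-executable files."""
    mode = member.mode | 0o444
    if member.isdir() or member.mode & 0o100:
        mode |= 0o111
    return mode

def restricted_members(archive_bytes):
    """List (name, octal mode) for files/dirs a non-owner could not read or traverse."""
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        return [(m.name, oct(m.mode)) for m in tar.getmembers()
                if (m.isdir() or m.isfile()) and m.mode != normalized_mode(m)]

def repack(archive_bytes):
    """Rewrite the archive with normalized modes; names and contents are unchanged."""
    out = io.BytesIO()
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as src, \
            tarfile.open(fileobj=out, mode="w:gz") as dst:
        for m in src.getmembers():
            if m.isdir() or m.isfile():
                m.mode = normalized_mode(m)
            dst.addfile(m, src.extractfile(m) if m.isfile() else None)
    return out.getvalue()

def build_sample():
    """Constructed sdist-like archive: 0700 directory, 0600 files, one already-fine file."""
    entries = [("pkg-1.0", 0o700, None),
               ("pkg-1.0/setup.py", 0o600, b"# constructed\n"),
               ("pkg-1.0/pkg/data.tar.gz", 0o600, b"constructed"),
               ("pkg-1.0/README", 0o644, b"ok\n")]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, mode, data in entries:
            info = tarfile.TarInfo(name)
            info.mode = mode
            if data is None:
                info.type = tarfile.DIRTYPE
                tar.addfile(info)
            else:
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

if __name__ == "__main__":
    sample = build_sample()
    print("before:", restricted_members(sample))
    print("after: ", restricted_members(repack(sample)))
```

The check never widens write permission, so a file shipped as 0600 becomes 0644 and a directory shipped as 0700 becomes 0755.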