buildout should offer a global egg unzip flag
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
zopeproject |
Invalid
|
Undecided
|
Unassigned |
Bug Description
I've been trying lately to identify places where the Zope 2 server needs write access that might be insecure. One spot is the $HOME/.egg-info directory used to unpack zipped egg files. I realize that it's Yython doing this, and not Zope itself, but it's still a security problem if the server process needs write access to a directory that contains its own code.
I've solved this problem in the past by using easy_install's --always-unzip flag when fetching eggs. I'd like to be able to do the same thing via buildout.
Note that zc.recipe.egg allows you to set an "unzip = true" flag. It would be great if an option like this was available globally in buildout so that "eggs = " sections in the top-level buildout would always be unzipped.
I have refiled this in the buildout bug tracker. Sorry for dropping it in the wrong spot!