Hi Bernd - Thanks for the bug report! While I think that this is something that should be fixed upstream, I don't feel like it is a security issue.
By running `python setup.py ...`, you're already trusting that setup.py is not malicious. It could execute xmessage directly.
Do you know if there are any other ways to trigger the problematic popen() call that don't require executing the Python script that has the malicious program name?
Have you reported this issue to upstream Python?