|
|
@@ -33,4 +33,4 @@ Security |
|
|
|
* Secure python import: partial complete, see [casimport] |
|
|
|
Currently there isn't a way to ensure that an end user gets the same code that the author tested/wrote against. Or that the code is by the same author as the import. See things like leftpad, or handing off a module to another author that ends up pushing malware into the module. I'd like to see a cryptographically signed way to import python modules and code. This is something like Content addressed Code. The idea is to support something like `from <hash of library or author's key> import module`. This will verify the module is signed by the author, or the module exactly matches the hash of the library. This could make it easier to import code from another project. Say they properly put a useful function in it's own file, you could do: `from <hash of py file> import function`, and the function would be imported as the database would contain a mapping between the hash of the py file, and where to get it. As the hash would be strongly tied, there'd be no issues w/ injecting malicious code. |
|
|
|
|
|
|
|
[casimport] https://www.funkthat.com/gitea/jmg/casimport |
|
|
|
[casimport]: https://www.funkthat.com/gitea/jmg/casimport |
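Review bot: The unchanged paragraph in this hunk still reads "put a useful function in it's own file"; that should be "its own file", and since this commit is already a Markdown cleanup of the same section it could be fixed here. The only visible difference between the two definition lines at the end of the hunk is the colon after `[casimport]`, which is what the `see [casimport]` shortcut reference in the list item needs in order to resolve, so that part looks right. It is worth rendering the file once to confirm the link now resolves and that no second colon-less copy of the definition remains elsewhere in the document.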