Message 337351 - Python tracker
I did my best to classify those on pypi that were using .pth files. My initial search had quite a few false positives (and now that I look at it, completely missed .zip-based source distributions so there's likely some false negatives as well).
Here's the summary of the categorizations:
$ cut -d, -f2 < data.csv | sort | uniq -c
      2 backport
      4 coverage
      4 debugging
      2 demo
      9 encoding
      7 except-hook
     58 false-positive
      6 import-hook
     20 module-layout
     20 monkeypatch
I realized about halfway through that "monkeypatch" was probably too broad of a category but continued with that through all of them; the monkeypatch category contains a few classes of things: fixing third party libraries, disabling ssl (yikes!), adding some "features" to builtins / stdlib modules -- which unfortunately I didn't really classify properly.
There was a single .pth file that I deemed "malicious" since it completely breaks the subprocess module (subprocess-run) but other than that they all seemed ~mostly not the worst.
A lot of the module-layout ones could be solved with things provided directly by setuptools, or just by rearranging their distribution's files.
The raw data is available in csv: https://github.com/asottile/pth-file-investigation/blob/master/data.csv
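As an added example (not part of this tracker message or the linked pth-file-investigation repository), the following script audits a directory of .pth files using the rule site.py applies at interpreter startup: lines beginning with "import" followed by a space or tab are executed, every other non-blank, non-comment line is appended to sys.path. The sample .pth contents are constructed to mirror the categories above (module-layout, import-hook, encoding); the function and file names are the example's own.

```python
"""Audit .pth files: report which ones carry executable 'import' lines.

site.py appends plain lines of a .pth file to sys.path, but any line that
starts with "import " or "import\t" is exec()'d at interpreter startup.
This scanner (an added example, not code from the tracker message)
separates the two kinds of lines so an auditor can review the executable ones.
"""
import os
import re
import tempfile

# site.py executes a line only if it begins with "import" plus a space or
# tab; everything else is treated as a path entry.
_EXEC_LINE = re.compile(r"^import[ \t]")


def classify_pth_text(text):
    """Return (path_lines, exec_lines) for the contents of one .pth file."""
    path_lines, exec_lines = [], []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue  # blank lines and comments are ignored by site.py
        if _EXEC_LINE.match(line):
            exec_lines.append(line)
        else:
            path_lines.append(line)
    return path_lines, exec_lines


def scan_directory(directory):
    """Map each .pth filename under directory to its executable lines."""
    report = {}
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".pth"):
            continue
        with open(os.path.join(directory, name), encoding="utf-8") as fh:
            _, exec_lines = classify_pth_text(fh.read())
        report[name] = exec_lines
    return report


# Constructed sample .pth files (hypothetical names and contents), modelled
# on the categories in the message: module-layout, import-hook, encoding.
SAMPLE_PTH_FILES = {
    "layout.pth": "mypkg/src\n# plain path entries only\n",
    "hook.pth": "import sys; sys.setrecursionlimit(5000)\nmypkg\n",
    "encoding.pth": "import codecs, os; os.environ.setdefault('X', '1')\n",
}


def demo():
    """Write the constructed samples to a temp dir and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in SAMPLE_PTH_FILES.items():
            with open(os.path.join(tmp, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_directory(tmp)


if __name__ == "__main__":
    for name, lines in demo().items():
        status = "EXECUTES CODE" if lines else "paths only"
        print(f"{name}: {status}")
        for line in lines:
            print("    " + line)
```

Pointing scan_directory at a real site-packages directory gives an inventory of every .pth file that runs code when the interpreter starts, which is the list worth reviewing when checking an environment for the monkeypatch and ssl-disabling cases described in the message.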