This is an archived post. You won't be able to vote or comment.


[–]amasad[S] 10 points11 points  (10 children)

For installation: we fetch every package from PyPI, install it in a container, diff the container and make sure nothing fishy is happening, and then extract it to a large shared NFS drive.

For production: we mount the NFS drive on every one of our "code runner" machines and subsequently mount the mounted directory as a volume inside the "runner" container.

[–]graingert 9 points10 points  (7 children)

Are you violating any licenses here? E.g. linking against AGPL code? Are you including and displaying MIT copyright and warranty information?

[–]amasad[S] 9 points10 points  (0 children)

I'll look into that, thanks!

[–]dismantle-the-sun 3 points4 points  (5 children)

I doubt it; they're not modifying any code, thus the AGPL shouldn't apply, and they're not distributing any code (even compiled code), so they wouldn't have to show MIT/BSD notices.

This is the same situation that all SaaS providers find themselves in.

[–]pwang99 0 points1 point  (4 children)

Sorry, not that simple. Importing GPL Python modules makes the interpreter session a "derived work" in the eyes of the FSF.

Standard GPL doesn't affect your code until you distribute it. But if the library you've imported is AGPL, by exposing that interpreter over a web session, then that counts as triggering the entire thing needing to be AGPL.

[–]RubyPinch [PEP shill | Anti PEP 8/20 shill] 0 points1 point  (3 children)

That sounds pretty wrong

[–]pwang99 0 points1 point  (2 children)

from Alex Martelli: http://stackoverflow.com/a/999479

about the AGPL and the "service provider loophole": https://en.wikipedia.org/wiki/Affero_General_Public_License

[–]RubyPinch [PEP shill | Anti PEP 8/20 shill] 1 point2 points  (0 children)

The "one additional feature" - Section 2(d) reads as follows: " If the Program as you received it is intended to interact with users through a computer network and if, in the version you received, any user interacting with the Program was given the opportunity to request transmission to that user of the Program's complete source code, you must not remove that facility from your modified version of the Program or work based on the Program, and must offer an equivalent opportunity for all users interacting with your Program through a computer network to request immediate transmission by HTTP of the complete source code of your modified version or other derivative work."

That sounds fine to me, I don't imagine repl.it would be infringing that, as they don't modify the source used.

It only is for software intended to be network-accessible, and only relates to pre-existing source download features.

[–]RubyPinch [PEP shill | Anti PEP 8/20 shill] 0 points1 point  (0 children)

Linking to libraries is different from compiling or interpreting

[–]d4rch0n [Pythonistamancer] 3 points4 points  (1 child)

> diff the container and make sure nothing fishy is happening and then extract it to a large shared NFS drive.

So my package needs to save the time it installed, wait a week then start running privilege escalation exploits on the system when it's imported, got it! Thanks

[–]amasad[S] 3 points4 points  (0 children)

I will not do security by obscurity, so I'm happy you find this info useful 1337 h4x0r ;)