From 77eafd03987a5e788bbc1dc49c4f3e16bb35e267 Mon Sep 17 00:00:00 2001 From: Damian Shaw Date: Tue, 14 Oct 2025 21:29:20 -0400 Subject: [PATCH 1/3] PEP 810: Clarify security implications --- peps/pep-0810.rst | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/peps/pep-0810.rst b/peps/pep-0810.rst index cf9c156bf1b..65f127acd22 100644 --- a/peps/pep-0810.rst +++ b/peps/pep-0810.rst @@ -924,11 +924,15 @@ display lazy proxies before first use and the real objects thereafter. Security Implications ===================== -There are no known security vulnerabilities introduced by lazy imports. -Security-sensitive tools that need to ensure all imports are evaluated eagerly -can use :func:`!sys.set_lazy_imports` with ``"none"`` to force -eager evaluation, or use :func:`!sys.set_lazy_imports_filter` for fine-grained -control. +Tools that install packages while performing imports from that the same +environment should ensure all modules are imported eagerly, or reified, before +the installation step, to avoid newly installed distributions from shadowing +them. + +Such tools can use can use :func:`!sys.set_lazy_imports` with ``"none"`` to +force eager evaluation, or use :func:`!sys.set_lazy_imports_filter` for +fine-grained control. + How to Teach This ================= From 94c289e5e4f99a168680681136bf7120b2b6f3a5 Mon Sep 17 00:00:00 2001 From: Damian Shaw Date: Wed, 15 Oct 2025 00:12:15 -0400 Subject: [PATCH 2/3] Update peps/pep-0810.rst Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com> --- peps/pep-0810.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/peps/pep-0810.rst b/peps/pep-0810.rst index 65f127acd22..490f51c07ea 100644 --- a/peps/pep-0810.rst +++ b/peps/pep-0810.rst 
@@ -929,7 +929,7 @@ environment should ensure all modules are imported eagerly, or reified, before the installation step, to avoid newly installed distributions from shadowing them. -Such tools can use can use :func:`!sys.set_lazy_imports` with ``"none"`` to +Such tools can use :func:`!sys.set_lazy_imports` with ``"none"`` to force eager evaluation, or use :func:`!sys.set_lazy_imports_filter` for fine-grained control. From 46431881b29866523dbd0994bbf3f9f4a1b38103 Mon Sep 17 00:00:00 2001 From: Damian Shaw Date: Wed, 15 Oct 2025 00:20:26 -0400 Subject: [PATCH 3/3] Update peps/pep-0810.rst Co-authored-by: Adam Turner <9087854+AA-Turner@users.noreply.github.com> --- peps/pep-0810.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/peps/pep-0810.rst b/peps/pep-0810.rst index 490f51c07ea..56d6eacdd98 100644 --- a/peps/pep-0810.rst +++ b/peps/pep-0810.rst @@ -930,7 +930,7 @@ the installation step, to avoid newly installed distributions from shadowing them. Such tools can use :func:`!sys.set_lazy_imports` with ``"none"`` to -force eager evaluation, or use :func:`!sys.set_lazy_imports_filter` for +force eager evaluation, or provide a :func:`!sys.set_lazy_imports_filter` function for fine-grained control.
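Review bot: In the first hunk (PATCH 1/3, the new Security Implications paragraph), the opening sentence has a grammar slip that neither follow-up patch touches: "Tools that install packages while performing imports from that the same environment" should read "Tools that install packages while performing imports from the same environment". The closing clause "to avoid newly installed distributions from shadowing them" also reads more naturally as "to prevent newly installed distributions from shadowing them". Since this hunk also drops the sentence "There are no known security vulnerabilities introduced by lazy imports" without replacing it, consider keeping a one-line statement that the concern is import ordering and module shadowing rather than a vulnerability in lazy imports themselves, so the section still opens with a clear scope.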
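Review bot: In the third hunk (PATCH 3/3), the reworded line "force eager evaluation, or provide a :func:`!sys.set_lazy_imports_filter` function for" is ambiguous: it reads as though the tool supplies a function named sys.set_lazy_imports_filter, whereas the previous wording ("or use :func:`!sys.set_lazy_imports_filter` for fine-grained control") makes clear the tool calls that function, passing its own filter. Suggest "or register a filter function via :func:`!sys.set_lazy_imports_filter` for fine-grained control." The new line is also noticeably longer than the surrounding wrapped lines in this block; rewrap it to match the rest of the paragraph.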