On Apr 23, 2015, at 04:18 PM, Enrico Zini wrote: >Since tox uses pip, which installs software to be run as my own user >skipping the usual Debian trust chain, does it give any guarantee that I >won't be running untrusted, unverified code as my user in my machine? In the tox.ini, you should be able to set sitepackages=True and indexserver to point to a nonexistent url (e.g. default=http://missing.example.com). That should force tox to use only system installed packages, avoid pip installing from PyPI, and of course fail if one or more aren't available. You could probably also use the d/rules and pybuild trick of setting http_proxy and https_proxy to the localhost discard port, but that can break some tests (e.g. I have tests that connect to a local test HTTP/S server). Cheers, -Barry
Attachment:
pgpc0DjPxe1As.pgp
Description: OpenPGP digital signature