[16:30:51] <aclark> yeah it's terrible, but the status quo
[16:33:26] <deepy> three lines added, everything except for one thing shows up now
[16:33:57] <wiredfool> aclark: what do you think of #394
[16:34:01] <deepy> Can't remember why I needed Pillow in the first place any longer
[16:34:23] <wiredfool> deepy: it'll come back to you
[16:36:40] <aclark> wiredfool: are you worried that it's not harmless?
[16:37:44] <wiredfool> aclark: yeah. the command is basically passed straight through to os.system
[16:41:20] <wiredfool> I'm not sure what security guarantees we're actually following, cause someone who can write/insert python code can monkey patch something in.
[16:41:44] <wiredfool> but something that takes an arbitrary string and executes it seems that much worse.
[16:48:12] <aclark> wiredfool: if that's what it does then yes I'd probably not merge that PR and fix the other places we are doing that
[16:48:31] <wiredfool> The other places we're passing through a filename.
[16:48:51] <wiredfool> I haven't checked to see if it's enforced that we've generated it with something like tempnam
[16:49:26] <wiredfool> I'm thinking of going through the other two places we do os.system calls and making sure that they're safe or removing them.
[16:51:11] <aclark> wiredfool: +1, sounds like a hack waiting to happen
[16:52:11] <wiredfool> I think for pr 394, adding the bits that make it easier to specify a command are good, but require that anyone writing the command do the class and the registration, like we do with image plugins