GitLab

bin/ooni{deckgen,probe,report,resources} currently hacks sys.path to add the current working directory. I am guessing this is done so developers can run bin/ooniprobe from a source checkout, and have python still able to find the ooni python modules.

However, this is a security hole if ooniprobe has extra capabilities (e.g. in the setuid wrapper I'm writing, so that ooni itself doesn't have to run as root) - the user can add their own ./ooni/etc fake modules, which will run with these extra capabilities.

It's also not a clean design to add development-specific hacks to production deployed code. For example in flashproxy, we have a similar problem and we solve it differently: https://gitweb.torproject.org/flashproxy.git/blob/HEAD:/facilitator/HACKING

or devs should do exactly what is done in production which is... run the program in a docker image