@remisalmon
Contributor

Description of Changes

  • Wrote at least one-line docstrings (for any new functions)
  • Added unit test(s) covering the changes (if testable)
  • Included a screenshot or animation (if affecting the UI, see Licecap)

This is removing all unset HISTFILE shell commands: when I update spyder and the post install script runs, this triggers malicious script alerts in crowdstrike (www.crowdstrike.com) and many questions from my security team.

Unsetting HISTFILE is not necessary to update spyder, so I am proposing to remove those.

Doc, for bash: https://www.gnu.org/software/bash/manual/bash.html#index-HISTFILE

Issue(s) Resolved

See above.

Affirmation

By submitting this Pull Request or typing my (user)name below,
I affirm the Developer Certificate of Origin
with respect to all commits and content included in this PR,
and understand I am releasing the same under Spyder's MIT (Expat) license.

I certify the above statement is true and correct: remisalmon

@ccordoba12
Member

Hey @remisalmon, thanks for your contribution. You said:

> Unsetting HISTFILE is not necessary to update spyder, so I am proposing to remove those.

Yes, it is (otherwise we wouldn't have used it). It's necessary to avoid adding shell commands to users' bash/zsh history, which is really awkward, both when doing updates and getting environment variables to pass them to the IPython console and Python path manager.

So, I'm afraid you'll have to find another way to work around the issue you're seeing with your antivirus(?) software.

@remisalmon
Contributor Author

> Yes, it is (otherwise we wouldn't have used it). It's necessary to avoid adding shell commands to users' bash/zsh history, which is really awkward, both when doing updates and getting environment variables to pass them to the IPython console and Python path manager.

I mean it is not strictly necessary but I agree with that.

> So, I'm afraid you'll have to find another way to work around the issue you're seeing with your antivirus(?) software.

I did, let me know if this looks better (I reverted the changes to spyder/utils/environ.py, and I think only the post install script is the issue and does not need to run interactively?): e24eee9

This issue is not specific to myself but to anyone using spyder on a machine where https://en.wikipedia.org/wiki/CrowdStrike is installed, which may be common, unfortunately.

Here is some more on why: https://attack.mitre.org/techniques/T1562/003/

@remisalmon changed the title from "Remove unset HISTFILE from shell scripts" to "Remove unset HISTFILE from post install script" on Oct 2, 2025
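
A lint-style check that a maintainer or security team could run over installer scripts to see which lines match the history-tampering forms covered by the MITRE technique linked above. This is an added example, not part of the PR or Spyder's code; the rule names, pattern list and sample script are constructed for illustration and are not CrowdStrike's detection logic.

```python
import re

# Illustrative rules for shell history tampering (MITRE ATT&CK T1562.003).
# Assumption: this list is hand-written for the example; a real EDR product
# uses its own (undisclosed) logic and process telemetry, not a file scan.
RULES = [
    ("unset-histfile", re.compile(r"\bunset\s+(?:-v\s+)?HISTFILE\b")),
    ("histfile-null", re.compile(r"""\bHISTFILE=(?:/dev/null|''|""|(?=[\s;]|$))""")),
    ("hist-size-zero", re.compile(r"\bHIST(?:FILE)?SIZE=0\b")),
    ("history-off", re.compile(r"\bset\s+\+o\s+history\b")),
    ("history-clear", re.compile(r"\bhistory\s+-c\b")),
]


def scan_script(text):
    """Return (line_number, rule_name, line) for each matching statement.

    Whole-line comments are skipped; commands embedded in strings
    (for example an argument to `bash -c`) are still matched.
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append((lineno, name, line))
    return findings


# Constructed sample input, not Spyder's actual post install script.
SAMPLE = """#!/bin/bash
# constructed sample
unset HISTFILE
echo "Updating..."
# unset HISTFILE in a comment is ignored
export HISTSIZE=0; echo "still updating"
set +o history
"""

if __name__ == "__main__":
    for lineno, name, line in scan_script(SAMPLE):
        print(f"line {lineno}: {name}: {line}")
```

A script that sets `HISTFILE` to a real path, such as `HISTFILE=$HOME/.hist`, produces no finding, since only forms that disable or discard history are matched.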