Who comes up with this kind of #API?
> If the destination is on the current filesystem, then os.rename() is used. Otherwise, src is copied (using shutil.copy2()) to dst and then removed.
Except that shutil.copy2 does not copy ownership info on some OSes. So depending on your OS and mountpoints, you may end up with a security hole, because of lost ownership info.
TIL: sh, in shutil, stands for shitty. Same applies to shlex.
A Mastodon instance for info/cyber security-minded people.