<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#330033">
<div class="moz-cite-prefix">On 11/12/2013 4:11 PM, Steven D'Aprano
wrote:<br>
</div>
<blockquote cite="mid:20131113001121.GG2085@ando" type="cite">
<pre wrap="">On Wed, Nov 13, 2013 at 12:58:42AM +0100, Victor Stinner wrote:
</pre>
<blockquote type="cite" style="color: #000000;">
<pre wrap=""><span class="moz-txt-citetags">> </span>I now gave up on sandboxing Python. I just would like to warn other
<span class="moz-txt-citetags">> </span>core developers that trying to put a sandbox in Python is not a good
<span class="moz-txt-citetags">> </span>idea <span class="moz-smiley-s1" title=":-)"><span>:-)</span></span>
</pre>
</blockquote>
<pre wrap="">Do you mean CPython?
Do you think it would be productive to create an independent Python
compiler, designed with sandboxing in mind from the beginning?</pre>
</blockquote>
<br>
In reading this thread, which I took as an on-topic dismissal of an
integrated CPython sandbox, I also wondered if it was a CPython
implementation issue, or a language design issue.<br>
<br>
If it is an implementation issue, then perhaps a different
implementation would help. Or perhaps a "safe compiler".<br>
<br>
If it is a language design issue, then a different implementation
wouldn't help; it would require a new language, or a restricted
subset. I'm not sure whether some of the onerous sounding
restrictions result from language or implementation issues; some of
them certainly sounded like implementation issues.<br>
<br>
A restricted subset, compiled by a validating compiler, might still
be a useful language, even if the execution speed has to be reduced
by a validating runtime.<br>
<br>
Perhaps exception handling for exceptions hit inside a sandbox needs
to stop at the sandbox boundary. That is, exceptions within the
sandbox stay within the sandbox, and exceptions generated due to
sandbox calls to the implementation need to stay outside the
sandbox, and then sanitized and limited information is passed back
into the sandbox.<br>
<br>
Perhaps a different/restricted set of builtins must be provided
within the sandbox.<br>
<br>
These ideas may perhaps still allow a CPython sandbox to be written,
or may only help a new implementation.<br>
<br>
Is there technology in the smartphone OSes that could be applied?
iOS seems to not even provide a file system to its apps, and there
is limited sharing of data from one app to the next. Android
provides an explicit subset of system services to its apps.<br>
<br>
Thanks, Victor, for the update on your sandbox efforts. I was hoping
you would be successful, and then I was wondering if you had
abandoned the effort, and now I know what the current status is.<br>
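<br>
The following is an added illustration, not code from the email above or from any CPython sandbox project, of the two-way "exception boundary" the message sketches: guest code runs with a restricted set of builtins, an exception it raises reaches the host only as a string-only SandboxError with traceback, cause and context dropped, and host functions exposed to the guest are wrapped so that host-side exceptions stay outside and the guest sees only a ServiceError naming the class. The builtin subset, the two exception classes and the <code>lookup</code> service are assumptions made for this example.<br>

```python
"""Added example (not from the original email): a minimal two-way
exception boundary around exec'd guest code.  Everything here, including
the restricted builtin subset and the `lookup` service, is an assumption
for illustration, not a CPython or real sandbox API."""


class SandboxError(Exception):
    """Host-side report of a guest exception: strings only, no guest objects."""

    def __init__(self, guest_type, message):
        super().__init__("%s: %s" % (guest_type, message))
        self.guest_type = guest_type
        self.message = message


class ServiceError(Exception):
    """Guest-visible report of a host exception: class name only."""


# Assumed restricted builtins offered to the guest (example choice only).
RESTRICTED_BUILTINS = {
    "len": len, "range": range, "sum": sum, "min": min, "max": max,
    "str": str, "int": int, "list": list, "dict": dict, "sorted": sorted,
    "Exception": Exception, "ValueError": ValueError,
    "ZeroDivisionError": ZeroDivisionError, "ServiceError": ServiceError,
}


def host_service(fn):
    """Wrap a host function exposed to the guest.  The host exception is
    discarded inside the except block and the replacement is raised after
    it, so neither __cause__ nor __context__ refers to the original
    (`raise ... from None` alone would still leave __context__ set)."""
    def wrapper(*args, **kwargs):
        err = None
        try:
            return fn(*args, **kwargs)
        except Exception as exc:
            err = ServiceError(type(exc).__name__)
        raise err
    return wrapper


# Constructed host-side table behind the assumed `lookup` service.
_HOST_TABLE = {"alpha": 1, "beta": 2}


@host_service
def lookup(name):
    """Host service: the guest gets the value or a ServiceError('KeyError')."""
    return _HOST_TABLE[name]


def run_guest(source, entry="main", *args):
    """Compile and run guest source with restricted builtins plus `lookup`,
    then call `entry(*args)`.  Any exception escaping the guest (including
    a compile error) crosses to the host only as a SandboxError built from
    strings; the guest exception object is dropped before the replacement
    is raised, so no guest traceback, cause or context travels with it."""
    guest_globals = {"__builtins__": dict(RESTRICTED_BUILTINS), "lookup": lookup}
    err = None
    try:
        exec(compile(source, "<guest>", "exec"), guest_globals)
        return guest_globals[entry](*args)
    except Exception as exc:
        err = SandboxError(type(exc).__name__, str(exc))
    raise err


def boundary_error(source, entry="main", *args):
    """Helper for callers/tests: return the SandboxError a guest run raises,
    or None if the guest returned normally."""
    try:
        run_guest(source, entry, *args)
    except SandboxError as exc:
        return exc
    return None


if __name__ == "__main__":
    # Constructed guest programs for the demo.
    ok = "def main(x):\n    return sum(range(x)) + lookup('alpha')\n"
    print(run_guest(ok, "main", 4))            # 7
    bad = "def main():\n    raise ValueError('bad input')\n"
    print(repr(boundary_error(bad)))           # SandboxError('ValueError: bad input')
    catches = ("def main():\n    try:\n        lookup('missing')\n"
               "    except ServiceError as e:\n"
               "        return (str(e), e.__cause__ is None, e.__context__ is None)\n")
    print(run_guest(catches))                  # ('KeyError', True, True)
```

The boundary handles the two directions the message distinguishes, but note its limit: a traceback entry is still attached for every frame an exception unwinds through, so the ServiceError the guest catches still references the host's wrapper frame. A boundary of this kind therefore narrows what crosses over without, on its own, making a CPython-level sandbox safe, which is consistent with the conclusion Victor reports above.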
</body>
</html>