Jeremy Hylton wrote:
I think both techniques achieve the same end, but with different limitations. I prefer the proxy approach because it is more self-contained. The rexec approach requires that all developers working in the core on introspection features be aware of security issues. The security kernel ends up being most of the core interpreter -- anything that can introspect on objects.
I think that there is an important corollary. Changes to the security policy are very hard to make. For example, if we change our mind about what should be safe or not: we have many places to make the change, we have lots of tests to redo. People have to reinstall or rebuild Python to get the change. With proxies, the update is provided as a fairly small and self-contained library update.
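As an added illustration of the proxy approach discussed in this thread (example code written here, not from the thread, from the rexec module, or from any python-dev proposal): the entire access policy is one table in one module, so changing what is considered safe is an edit in that table rather than in the interpreter's introspection code. The `Proxy`, `AccessDenied` and `Document` names and the `ALLOWED_ATTRIBUTES` policy are hypothetical choices made for this example.

```python
"""Minimal capability-style proxy (added example, not code from the thread).

The point being demonstrated: the security policy lives in a single,
small, replaceable table, while the wrapped object's internals are never
reachable through the proxy, whatever introspection the interpreter offers.
"""

# The whole policy: attribute names a proxied object may expose.
# Changing the policy means editing this set, nothing else.
ALLOWED_ATTRIBUTES = frozenset({"read", "name"})


class AccessDenied(AttributeError):
    """Raised when code behind a proxy reaches for an attribute the policy hides."""


class Proxy:
    """Forwards only policy-approved attribute lookups to the wrapped object.

    __getattribute__ (not __getattr__) is overridden so that *every* lookup,
    including __dict__, __class__ and the proxy's own _target slot, is checked
    against the policy before anything is returned.
    """

    __slots__ = ("_target",)

    def __init__(self, target):
        # Bypass our own __setattr__ (which refuses all writes).
        object.__setattr__(self, "_target", target)

    def __getattribute__(self, name):
        if name not in ALLOWED_ATTRIBUTES:
            raise AccessDenied("attribute %r is not exposed by the policy" % name)
        target = object.__getattribute__(self, "_target")
        return getattr(target, name)

    def __setattr__(self, name, value):
        raise AccessDenied("proxied objects are read-only")

    def __delattr__(self, name):
        raise AccessDenied("proxied objects are read-only")


class Document:
    """Sample target object, constructed here for the demonstration."""

    def __init__(self, name, text, owner):
        self.name = name
        self._text = text
        self.owner = owner  # not in the policy: must stay hidden

    def read(self):
        return self._text


def demo():
    """Exercise the proxy; returns a dict of outcomes per attribute name."""
    p = Proxy(Document("notes.txt", "hello", "alice"))
    results = {"read": p.read(), "name": p.name}
    # Attributes outside the policy, including the interpreter's own
    # introspection hooks and the proxy's private slot, are all refused.
    for blocked in ("owner", "_text", "_target", "__dict__", "__class__"):
        try:
            getattr(p, blocked)
            results[blocked] = "leaked"
        except AccessDenied:
            results[blocked] = "denied"
    try:
        p.name = "renamed"
        results["write"] = "allowed"
    except AccessDenied:
        results["write"] = "denied"
    return results


if __name__ == "__main__":
    for key, value in sorted(demo().items()):
        print("%-10s %s" % (key, value))
```

Because `AccessDenied` subclasses `AttributeError`, `hasattr()` on a proxy simply reports `False` for hidden names, so ordinary duck-typing code keeps working; only the policy table needs touching when the set of safe attributes changes.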