[pypy-dev] New - untrusted code

holger krekel holger at merlinux.eu
Wed Nov 11 18:17:06 CET 2009


Hello Victor, 

On Wed, Nov 11, 2009 at 11:06 -0500, Victor Williamson wrote:
> Hello Pypy dev,
> 
> I am researching ways to allow applications to safely import untrusted
> code in Python without having to run the malicious code in its own
> process; Pypy may be a good prototyping environment. I want to
> verify if any work either as an extension or as interpreter changes has
> been done to handle untrusted imports in Pypy.

cool.  Have you read http://codespeak.net/pypy/dist/pypy/doc/sandbox.html ? 

I don't know about projects using PyPy's sandboxing currently.
The raw functionality is very powerful but work on deployment
and usage is due.

During the ongoing Duesseldorf sprint we discussed a new
model to use transparent proxying techniques (http://tinyurl.com/mrq9nc)
to perform imports through an "interpreter backend" subprocess, e.g.
CPython, Jython, IPy.  In this mode a sandboxed PyPy could
run native applications and represent remote Python objects
transparently.  As a starting point we discussed running
Qt applications from PyPy in this manner.

I am interested in working on related topics.  In particular I plan
to work on http://codespeak.net/execnet in the upcoming weeks in
order to make ad-hoc configuration and deployment of Python
interpreters a breeze (also for cross-interpreter testing).
Always interested in peers :)

cheers,
holger



