[pypy-dev] --sandbox woes. H ow do I install modules?

Armin Rigo arigo at tunes.org
Sat Jun 14 18:26:30 CEST 2014


Hi John,

On 11 June 2014 23:27, Barry, John <john.barry at pervasive-health.com> wrote:
> I'm attempting to create a sandbox, load it up with our requirements via
> pip, and start figuring out how to execute this from our codebase.
>
> It all falls down every single time when I attempt to install distribute.py,
> because import time fails within the sandbox.

That's expected: I would not expect pip to work *at all* in a
sandboxed PyPy.  Now more precisely, the "time" module should be
present in a reduced format, containing only three functions; you seem
to say that it is completely absent, which I find strange but
certainly not impossible as we don't test the sandbox regularly.

But speaking more generally, most standard built-in modules are absent
(or very reduced, like "time") for now.  The idea is that you run
small snippets of code provided by some untrusted user, doing some
computation in Python.  Ideally you don't need a lot of performance,
so you can leave out the JIT, whose presence could in theory introduce
additional security bugs.

Now if someone really needs to run a large
program with many dependencies, then he needs to invest some more
serious amount of time into pypy's sandbox, and finish it at least
until all modules that he really needs are supported.  This shouldn't
be too hard -- and, more importantly, it should be easy to make it
work *in a secure way* -- but it is time-consuming.  We haven't found
anyone interested in doing this so far.


A bientôt,

Armin.


More information about the pypy-dev mailing list