[Python-Dev] PEP 215 redux: toward a simplified consensus?

Paul Prescod paul@prescod.net
Mon, 25 Feb 2002 15:12:31 -0800


"Fred L. Drake, Jr." wrote:
> 
>...
> 
> Yes, but I'm not convinced this has any more security implications
> than using a library function to perform the transformation.

The point is that the simplest mechanism, that we teach to newbies, has
non-obvious security "concerns". If we have literal interpolation, then
a library function would be used by people who WANT to do it at runtime
because they have a REASON for doing it at runtime and thus have a
pretty clear concept of the distinction between runtime and compile
time.

But as I've said, the major reason for this is not security. I don't
know that a Python program has been hacked through "%" so it doesn't
make sense to lose sleep over it. The major reason for doing it at
compile time (for me) is that you can have a nice syntax that doesn't
involve modulus-ing (or dividing) an otherwise useless vars() or locals()
dictionary.

 Paul Prescod