[Python-Dev] Re: Capabilities - published interfaces

Aahz aahz at pythoncraft.com
Mon Dec 29 09:56:06 EST 2003

On Mon, Dec 29, 2003, Ka-Ping Yee wrote:
> On Sat, 20 Dec 2003, Aahz wrote:
>> Exactly.  From my observations of these discussions, there are
>> essentially only two reasons for restricted execution:
>> * To simplify things by reducing the potential solution space
>> * To protect a system against a hostile attacker
> There is a huge blind spot in your claim.  You forgot:
>   * To limit the damage caused by a bug in your program
>   * To make your programs have more predictable behaviour
> Capabilities are about making clear what parts of your program
> can and can't do.

My understanding is that capabilities are not the same thing as
restricted execution; it's certainly the case that we could provide some
kind of capability model that doesn't meet the demands of restricted

While your points are valid, they are not points that I've seen brought
up before in the context of restricted execution.  There are many other
programming models that address those issues; why do you think that
restricted execution makes a particularly good choice?  (Say, as compared
to design-by-contract.)

>> Supposedly there's a middle ground of untrusted but non-hostile code,
>> but what's the point of providing support for that?
> Have you ever used a library written by someone else?  Have you ever
> found a bug in something you wrote yourself?
> "Untrusted but non-hostile code" is what all of us write every day.

Well, sure, but if that's the only issue in play, I don't think that the
stringent demands of restricted execution are needed.  The question is
whether the benefits of restricted execution are worth the effort
required (and possibly the performance penalty).

Not-quite tangent:

I was talking to someone a few days ago, an experienced programmer who
hasn't yet tried Python (and who I'm trying to persuade -- but he's an
old Lisp and Smalltalk hacker who hates B&D syntax).  He's also running
a web server at home; I commented that if I did that, I'd use a server
written in Python because it's more secure.  He said that he'd seen more
security alerts for Zope than for Apache, which forced me to explain
that Zope isn't a web server, it's an application framework that allows
people to run arbitrary Python code.

From my POV, that's the context in which we either need to provide truly
robust restricted execution or just decide that we can't do it.  And as
I've pointed out before, restricted execution in the context of something
like a web server is almost certainly going to require something external
to Python in order to prevent excessive CPU and memory usage -- which is
an issue that has grown in difficulty given the new prevalence of
event-driven programming (instead of forking and threading).

Aahz (aahz at pythoncraft.com)           <*>         http://www.pythoncraft.com/

Weinberg's Second Law: If builders built buildings the way programmers wrote
programs, then the first woodpecker that came along would destroy civilization.
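The distinction Aahz draws above, as an added example that is not part of the original post: a capability-style view in plain Python makes clear what a plugin can and can't do and contains the damage from a bug, yet ordinary introspection still reaches the object behind it, so it does not meet the demands of restricted execution. The store, its contents, and all function names are constructed for this illustration.

```python
def make_store():
    """Full-authority holder of some state; mints an attenuated read-only view.

    The state dict is constructed sample data, not anything from the thread.
    """
    state = {"theme": "dark", "admin_email": "admin@example.invalid"}

    class ReadOnlyView:
        """Capability that exposes reads only: there is no write method to call."""

        def get(self, key):
            return state[key]

        def keys(self):
            return tuple(sorted(state))

    def write(key, value):
        """The write capability stays with whoever holds the store itself."""
        state[key] = value

    return write, ReadOnlyView()


def buggy_plugin(view):
    """A plugin with a bug: it was meant to read, but tries to change the theme."""
    view.set("theme", "light")


def run_plugin(plugin, view):
    """Run untrusted-but-non-hostile code with only the view; a bug is contained."""
    try:
        plugin(view)
    except AttributeError as exc:
        return f"contained: {exc}"
    return "ran"


def underlying_state_reachable(view):
    """Return True if plain introspection on the view reaches the private dict.

    This is why capability discipline in Python is not restricted execution:
    nothing stops code from walking a method's closure cells.
    """
    code = view.get.__code__
    if "state" not in code.co_freevars:
        return False
    cell = view.get.__closure__[code.co_freevars.index("state")]
    return isinstance(cell.cell_contents, dict)
```

The buggy plugin fails with an AttributeError and the stored theme is unchanged, while `underlying_state_reachable` reports that the dict is still one attribute walk away.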
