[Python-Dev] Re: Capabilities

[Jim Fulton]

Jeremy Hylton wrote:

...

> I think both techniques achieve the same end, but with different
> limitations.  I prefer the proxy approach because it is more self
> contained.  The rexec approach requires that all developers working in
> the core on introspection features be aware of security issues.  The
> security kernel ends up being most of the core interpreter -- anything
> that can introspection on objects.

I think that there is an important corrolary. Changes to the security
policy are very hard to make.  For example, if we change our mind about
what should be safe or not: we have many places to make the change, we
have lot's of tests to redo. people have to reinstall or rebuild Python
to get the change. With proxies, the update is provides as fairly small
and self-contained library update.

Jim

-- 
Jim Fulton           mailto:jim@zope.com       Python Powered!
CTO                  (888) 344-4332            http://www.python.org
Zope Corporation     http://www.zope.com       http://www.zope.org