[Python-Dev] Capabilities in Python

Guido van Rossum guido@python.org
Mon, 10 Mar 2003 11:12:37 -0500

> > >You don't need restricted execution to make proxies work.

> > Um, I think that's a dangerous mistake, or a confusion in terminology.

> All I'm saying is that the proxy mechanism itself doesn't rely on
> restricted execution.
> > Without restricted execution, untrusted code would have access to
> > sys.modules, and from there it would be able to access
> > removeAllProxies.
> All we need to be able to do is control imports.  It turns out that
> to prevent access to sys.modules, we have to replace __builtins__,
> which has the side-effect of enabling restricted execution. You
> don't need anything but the ability to restrict imports and other
> unproxied access to sys.modules to use proxies.

Turns out this was another terminology misunderstanding.  I think of
the ability to overload __import__ and set __builtins__ as part of the
restricted execution implementation, because that's why they were
implemented.  Jim thought that these were separate features, and that
restricted execution in the interpreter only referred to the closing
off of some introspection attributes (e.g. im_self, __dict__ and

--Guido van Rossum (home page: http://www.python.org/~guido/)