[Python-Dev] doc for new restricted execution design for Python

Brett Cannon brett at python.org
Thu Jul 6 19:27:29 CEST 2006


On 7/5/06, Greg Ewing <greg.ewing at canterbury.ac.nz> wrote:
>
> Brett Cannon wrote:
>
> > Armin in an email said that he thought it was
> > a losing battle to try to hide 'file' from an interpreter.
>
> And I would change file() so that it didn't open
> files. Then it would be harmless for code to have
> access to the file class.
Right, that is essentially what I proposed initially with the whole
crippling idea.

What the capabilities supporters are saying is that if we go that route we
will be constantly finding objects that require similar crippling.  It will
degenerate into this constant chasing of our tail to plug security holes
where an object that we did not account for leaked out and wreaked havoc.
What they are saying is that if we harden Python so that references don't
get out without us knowing about it we won't have this run-around.

But then my question has been what makes us trying to cripple objects any
less of a run-around than finding new ways to get at references of 'file' or
any other object?  I have been suggesting the former requires less running
around than the latter.  That is why I have asked that people see how many
ways they can come up with to get to 'file' from a standard interpreter
prompt so we can gauge how bad hiding references might be.

-Brett