[Python-Dev] new security doc using object-capabilities

Phillip J. Eby pje at telecommunity.com
Tue Jul 25 03:19:33 CEST 2006


At 12:04 PM 7/25/2006 +1200, Greg Ewing wrote:
>Phillip J. Eby wrote:
>
> > When I say "name checker" I mean the Zope type that allows you to specify a
> > list of names that are allowed for a given object.  This allowing is not
> > based on identity or code signing or anything like that.  It's just a list
> > of attribute names: i.e. a capability mask over an existing object.
>
>But this is backwards from what a true object-capability
>system should be like if it's properly designed. Instead
>of starting with too-powerful objects and trying to
>hide some of their powers, the different powers should
>be separated into different objects in the first place.

And what about code that needs to pass on a subset of a capability?  You 
need the ability to create such capability-restricted subsets anyway, no 
matter how "pure" a system you start with.

And being able to create capability masks for existing objects means you 
don't have to redesign every piece of code ever written for Python to make 
it secure.


>It sounds to me like Zope is using the approach it's
>using because it's having to work with Python as it
>currently is, not because its approach is the best one.


Well, that depends a lot on how you define "best".  Practicality beats 
purity, doesn't it?  ;)
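The "capability mask over an existing object" and the "pass on a subset" point above, as an added illustration that is not Zope's name checker nor code from the thread; `CapabilityMask` and `Account` are constructed names:

```python
from __future__ import annotations


class CapabilityMask:
    """Forward only the attribute names in ``allowed`` to ``target``.

    A mask can mint a narrower mask (a subset of its own names) but never
    a wider one, which is the attenuation property the discussion needs.
    """

    __slots__ = ("_target", "_allowed")  # no __dict__: nothing extra to leak

    def __init__(self, target: object, allowed) -> None:
        object.__setattr__(self, "_target", target)
        object.__setattr__(self, "_allowed", frozenset(allowed))

    def __getattr__(self, name: str):
        # Only reached for names not found by normal lookup (the slots and
        # methods above), so the wrapped object is consulted last.
        if name not in self._allowed:
            raise AttributeError(f"capability '{name}' not granted")
        return getattr(self._target, name)

    def __setattr__(self, name, value) -> None:
        raise AttributeError("mask is read-only")

    def restrict(self, names) -> "CapabilityMask":
        """Mint a mask exposing a subset of this mask's names, never more."""
        return CapabilityMask(self._target, frozenset(names) & self._allowed)


class Account:
    """A 'too-powerful' existing object, constructed for the example."""
    def __init__(self, balance: int) -> None:
        self.balance = balance
    def deposit(self, amount: int) -> int:
        self.balance += amount
        return self.balance
    def withdraw(self, amount: int) -> int:
        self.balance -= amount
        return self.balance


def demo() -> tuple[int, bool, bool]:
    acct = Account(100)
    deposit_only = CapabilityMask(acct, {"deposit", "balance"})
    # Asking for 'withdraw' in a subset silently drops it: not held, not granted.
    narrower = deposit_only.restrict({"balance", "withdraw"})
    balance = deposit_only.deposit(50)            # 150
    return balance, hasattr(deposit_only, "withdraw"), hasattr(narrower, "balance")
```

The mask hides `_target` from ordinary attribute access only; in stock CPython, introspection such as `object.__getattribute__` still reaches it, which is the gap a restricted interpreter has to close.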


