[Python-Dev] Python security team

Victor Stinner victor.stinner at haypocalc.com
Sat Sep 27 17:54:28 CEST 2008


I would like to know if a Python security team does exist. I sent an email 
about an imageop issue, and I didn't get any answer. Later I learned that a 
security ticket was created, but I don't have access to it.

First, I would like to have access to this information. Not only this issue, but 
all security-related issues. I have some knowledge about security and I can 
help to resolve issues and/or estimate the criticality of an issue.

Second, I would like to help fix all Python security issues. It looks like the 
Python community isn't very reactive (proactive?) about security. E.g. a DoS 
was reported in the smtpd server (integrated into Python)... 15 months ago. A patch 
is available but it's not applied in Python trunk.

Third, I'm also looking for a document explaining "how Python is secure" (!). 
If a user can run arbitrary Python code, we know that it can do anything 
(read/remove any file, create/kill any process, read/write anywhere in 
memory, etc.). Brett wrote a paper about CPython sandboxing. PyPy is also 
working on sandboxing using two interpreters: one has high privilege and 
executes instructions from the second interpreter (after checking the 
permissions and arguments). So is there somewhere a document explaining the 
current status of Python security?

Victor Stinner aka haypo
