[Python-Dev] Python security team
victor.stinner at haypocalc.com
Sat Sep 27 17:54:28 CEST 2008
I would like to know if a Python security team does exist. I sent an email
about an imageop issue, and I didn't get any answer. Later I learned that a
security ticket was created, I don't have access to it.
First, I would like to access to these informations. Not only this issue, but
all security related issues. I have some knowledges about security and I can
help to resolve issues and/or estimate the criticity of an issue.
Second, I would like to help to fix all Python security issues. It looks like
Python community isn't very reactive (proactive?) about security. Eg. a DoS
was reported in smtpd server (integrated to Python)... 15 months ago. A patch
is available but it's not applied in Python trunk.
Third, I'm also looking for a document explaining "how Python is secure" (!).
If an user can run arbitrary Python code, we know that it can do anything
(read/remove any file, create/kill any process, read/write anywhere in
memory, etc.). Brett wrote a paper about CPython sandboxing. PyPy is also
working on sandboxing using two interpreters: one has high priviledge and
execute instructions from the second interpreter (after checking the
permissions and arguments). So is there somewhere a document to explain to
current status of Python security?
Victor Stinner aka haypo
More information about the Python-Dev