[Python-Dev] Integrate BeautifulSoup into stdlib?

Tres Seaver tseaver at palladion.com
Fri Mar 13 16:01:05 CET 2009



Lie Ryan wrote:
> Tres Seaver wrote:
>> Paul Moore wrote:
>>> 2009/3/13 Chris Withers <chris at simplistix.co.uk>:
>>>> If a decent package management system *was* included, this wouldn't be an
>>>> issue.
>>> Remember that a "decent package management system" needs to handle
>>> filling in all the forms and arranging approvals to get authorisation
>>> for packages when you download them.
>>>
>>> And no, I'm *not* joking. People in a locked-down corporate
>>> environment really do benefit from just having to get the OK for
>>> "Python", and then knowing that they have all they need.
>> You are plainly joking:  nothing in Python should know or care about the
>> various bureaucratic insanities in some workplaces.  Given the
>> *existing* stdlib and network connectivity, nothing any corporate
>> security blackshirt can do will prevent an even moderately-motivated
>> person from executing arbitrary code downloaded from elsewhere.  In that
>> case, what is the point in trying to help those who impose such craziness?
> 
> I (and most people, I presume) would not run an arbitrary program
> downloaded from somewhere else on a corporate server that holds a lot of
> important customer data, even when there is no technical or even
> bureaucratic restriction. Maybe I would sneak around on a workstation, but
> definitely not on the server, especially if I love my job and want to
> keep it (I'm a student though, so that applies to me in the future).

I'm not arguing that employees should violate their employers' policies:
I'm arguing that Python itself shouldn't try to cater to such policies.
Note that I'm not talking about running code pushed on me by malware
authors, either: I'm talking about "ordinary" software development
activities like using a script from a cookbook, or using a well-tested
and supported library, rather than NIH.

Given that the out-of-the-box Python install already has facilities for
retrieving text over the net and executing that text, the notion of
"locking down" a machine to include only the bits installed in the stock
Python install is just "security theatre"; such a machine shouldn't
have Python installed at all (nor a C compiler, etc.).



Tres.
--
===================================================================
Tres Seaver          +1 540-429-0999          tseaver at palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com


