[Python-Dev] Python possible vulnerabilities in concurrency
Steve Dower
steve.dower at python.org
Fri Nov 17 14:11:16 EST 2017
On 15Nov2017 2053, Guido van Rossum wrote:
> On Wed, Nov 15, 2017 at 6:50 PM, Guido van Rossum <guido at python.org
> <mailto:guido at python.org>> wrote:
>
> So far I learned one thing from the report. They use the term
> "vulnerabilities" liberally, defining it essentially as "bug":
>
> All programming languages contain constructs that are incompletely
> specified, exhibit undefined behaviour, are
> implementation-dependent, or are difficult to use correctly. The use
> of those constructs may therefore give rise to /vulnerabilities/, as
> a result of which, software programs can execute differently than
> intended by the writer.
>
>
> They then go on to explain that sometimes vulnerabilities can be
> exploited, but I object to calling all bugs vulnerabilities -- that's
> just using a scary word to get attention for a sleep-inducing document
> containing such gems as "Use floating-point arithmetic only when
> absolutely needed" (page 230).
I looked at this report the first time it was posted and came to the
same conclusion.
It's only valuable in the sense that it makes clear just how perfect
your code has to be to avoid being vulnerable, and since that level of
perfection can never be achieved, the takeaway is that you can't achieve
security solely within the application/framework/runtime. It is
convenient to have formally researched and collated it, so the rest of
us can just write blog posts/PEPs stating it as fact, but I think most
people will intuitively get the main point without referring to the report.
(Yes, I'm still interested in pushing PEP 551 forward :) I've been
trying to get some actual companies other than Microsoft using it for
the real-world experience, and I have a couple of conference talks
coming up about it. There are implementations: against v3.7.0a2 at
https://github.com/zooba/cpython/tree/pep551 and against v3.6.3 at
https://github.com/zooba/cpython/tree/pep551_36 )
Cheers,
Steve