privacy in Python

Alex Martelli aleax at
Wed Aug 29 17:57:42 CEST 2001

"Ens" <ens_z at> wrote in message
news:39ce62b8.0108290610.42e6a3b0 at
> class cls:
>     def f(self, a, b):
>         print a+b
>     __p=12
> obj=cls()
> fun=obj.f
> print fun.im_self._cls__p
> 12
> I need that '__p' exactly be private.

Private against what threats, what adversaries?  Python
can help you if the enemies are limited to supplying you
Python sources and bytecodes to be run -- see the rexec
module: you run the adversaries' sources and bytecodes
in a restricted-execution sandbox where they can be
constrained against damaging you -- in particular, the
Bastion module makes it a snap to selectively expose
attributes from any object you have to supply to the
adversaries (and restricted-execution cuts their ability
to introspect and worm-around your sandbox-restrictions,
*as long as* all your adversaries can do is give you
Python code to run).

But in many threat-scenarios, there is no reason to
expect the adversaries to be so limited -- if they can
intrude *machine-code* running with system-level
privileges on your machine (e.g., you're running
Win/2000 and IIS, and they exploit Code Red), then
there's nothing Python can do to protect you against
such a threat -- among all other horrible wastage the
adversaries can do to your whole network, they *WILL*
be able to get at __p (if they know it's there, and
how to reach for it).

Strong encryption may help *TO A POINT*, but you still
need some hypotheses about limits to the threat's
abilities to intrude.  If they get at your private
keys, with which you've encrypted everything, you're
toast again.

So, unless you can define some limits to the abilities
of your adversaries, neither Python nor any other
programming language can help you achieve your stated
objective of keeping __p invisible to enemies at all cost.
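
What the quoted snippet demonstrates, carried over to Python 3 as an added example (not part of the original message or of the quoted post): name mangling only renames `__p`, and any code in the same interpreter can reach it. It goes beyond the quoted case by also reading a closure-captured value; `make_holder` and the `recover_*` helpers are hypothetical names chosen for this illustration.

```python
# Added illustration (Python 3). The class mirrors the quoted snippet;
# make_holder and recover_* are hypothetical names for this example.

class cls:
    __p = 12                      # stored as _cls__p by name mangling

    def f(self, a, b):
        return a + b


def make_holder(secret):
    """Closure-based hiding, sometimes proposed instead of __names."""
    def get_masked():
        return "*" * len(str(secret))
    return get_masked


def recover_from_bound_method(method):
    """Routes from a bound method back to the mangled class attribute."""
    owner = method.__self__               # Python 2 spelled this im_self
    klass = type(owner)
    mangled = "_%s__p" % klass.__name__.lstrip("_")
    module_globals = method.__func__.__globals__
    return {
        "mangled attribute": getattr(owner, mangled),
        "class __dict__": vars(klass)[mangled],
        "function globals": vars(module_globals[klass.__name__])[mangled],
    }


def recover_from_closure(func):
    """Read every value a closure captured, without calling it."""
    names = func.__code__.co_freevars
    cells = func.__closure__ or ()
    return {name: cell.cell_contents for name, cell in zip(names, cells)}


if __name__ == "__main__":
    print(recover_from_bound_method(cls().f))
    print(recover_from_closure(make_holder(12)))
```

Both helpers only use documented introspection attributes, which is why a value that must stay hidden from untrusted code has to live outside that code's process.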

