Private variables

Erik Max Francis max at alcyone.com
Sat Oct 19 05:16:21 CEST 2002


"Timothy J. Wood" wrote:

>    As a script writer you will be able to make scripts available for
> people to download -- but you won't be able to 'dynamically install'
> them on someone else's machine.  But the distinction is moot, really,
> since most game players will be ignorant of the security implications
> of various constructs and shouldn't be expected to do a security audit
> of some code to play a new game type.

But how would these security implications be any different from such a
user downloading and installing _any_ old software on their machine? 
Software is software, if you're downloading, installing, and running
software on your own machine you have to take some responsibility for
it.

After all, someone could (by other means) have a compromised system
where the Python interpreter has been replaced such that innocuous
scripts turn malicious.  That's hardly something you should take into
account when writing Python software, however.

>    Sure -- all the resource-based DoS problems will still exist, but
> these at least don't corrupt or expose any of the user's information.
> They can kill the application, uninstall that game type and never play
> it again.

As I said, if you're looking for some minimal protection, see the rexec
module.  I suspect you're chasing a ghost, though.

-- 
 Erik Max Francis / max at alcyone.com / http://www.alcyone.com/max/
 __ San Jose, CA, USA / 37 20 N 121 53 W / &tSftDotIotE
/  \ Sit loosely in the saddle of life.
\__/ Robert Louis Stevenson
    Alcyone Systems / http://www.alcyone.com/
 Alcyone Systems, San Jose, California.



More information about the Python-list mailing list