[Python-Dev] rexec.py unuseable
tjreedy at udel.edu
Fri Dec 19 16:04:53 CET 2003
"Luke Kenneth Casson Leighton" <lkcl at lkcl.net>
wrote in message
news:mailman.327.1071788246.9307.python-list at python.org...
[technical proposal snipped]
I do not have the techical knowledge to evaluate
> I simply don't
> have enough knowledge of the python codebase to
do that on my own.
> [unless someone was happy to pay me for long
enough to find out,
> of course].
But I can offer these thoughts for your
* The money issue applies in one way or another to
all the developers: at the moment, I don't believe
anyone is employed specifically to develop Python
and just do that.
* The main developers are, generally, people who
find Python useful as it is. Their motivation for
student/volunteer/bootleg/when-possible work is
mostly to make it more useful for the things it
can currently do.
* Safely running untrusted and quite possibly
antagonistic code is a small part of the usage
universe. The impetus for extending current or
future Python to do this effectively will have to
come from people from whom this is important
enough to donate time, effort, expertise, and
possibly money. (Yes, you are doing some of this,
but you seem to expect someone else to pick up and
run with the ball you have tossed on the field.)
> in some ways, the longer this is left, the
harder it is going to
> be to retrospectively bolt on.
> there's an adage that says security cannot be
easily added in, it
> has to be designed in from the start.
> fortunately, i think there are a lot of smart
people about :)
Some of them have started the PyPy project to
rewrite the interpreter in Python. If successful,
this will make interpreter experimentation easier
for Python programmers. It might even become the
reference implementation for Python 3. Since this
project is (officially) just a year old (versus
about 15 years), you might be able to help design
security 'in from the start'.
Terry J. Reedy
More information about the Python-list