Try Python!

Terry Reedy tjreedy at udel.edu
Thu Mar 30 04:51:07 CEST 2006


"Michael Tobis" <mtobis at gmail.com> wrote in message 
news:1143675907.958211.253820 at j33g2000cwa.googlegroups.com...
...
> I refer you in particular to these messages from BDFL:
>
> http://mail.python.org/pipermail/python-dev/2002-December/031246.html

This one says that new style classes in 2.2 opened a new, sizable, security 
hole.  One can avoid this by running 2.1.

> http://mail.python.org/pipermail/python-dev/2002-December/031251.html

This one says that he doubts that Python will ever reach a level of no 
security flaws.  And that he does not want to spend his life just getting 
close.
>
> So what is the scoop? Why does Guido say there is no such thing as a
> secure Python, and (as is generally reasonable) presuming he is correct
> on the matter, how can these sites work safely?

There are, of course, degrees of security.  Any site can choose to operate 
with a lesser degree than Guido would accept for a 'secure Python' release.

If I were running a publicly available site, I would run Python under *nix 
with someone with some security admin experience.  I would use a dedicated 
machine from a few years ago not needed for anything else.  I would have 
the full installation backed up on a bootable CD or DVD.  I would expect 
most visitors to not pee in the fountain.  And I would expect to have to 
reinstall occasionally  when someone did.

And I would at least remove all the net access and protocol modules and 
worry about making sure that the interpreter had no access to the system 
net resources so as to not be a vehicle for damaging other machines.

Terry Jan Reedy






More information about the Python-list mailing list