[Web-SIG] WSGI in standard library

Alan Kennedy pywebsig at xhaus.com
Sun Feb 12 12:39:58 CET 2006

[Alan Kennedy]
>>Instead, I think the right approach is to continue with the existing 
>>approach: put the most basic possible WSGI server in the standard 
>>library, for educational purposes only, and a warning that it shouldn't 
>>really be used for production purposes.

[Bill Janssen]
> I strongly disagree with this thinking.  Non-production code shouldn't
> go into the stdlib; instead, Alan's proposed module should go onto
> some pedagogical website somewhere with appropriate tutorial
> documentation.

I still disagree ;-)

IMO, the primary reason for not including production servers in the 
standard library is that servers need to be maintained much more 
fastidiously than the standard library, and need to be released on a 
timescale that is independent of python releases.

Note the security hole incovered in the standard library xml-rpc lib 
last year.

PSF-2005-001 - SimpleXMLRPCServer.py allows unrestricted traversal

This particular security hole is the very reason why the Python Security 
response team had to be founded, and required point-releases of the 
entire python distribution to fix, i.e. python 2.3.5 and python 2.4.1 
were released simply to fix this bug.

There are two primary areas of the python distro that can result in such 
significant security holes.

1. Crypto libraries. Fortunately, the Timbot has been carefully watching 
over us, and ensuring the excellence of the python crypto libraries (as 
witnessed by the appearance of Ron Rivest on python-dev (!) last December:


2. Internet-exposed servers. No matter how careful developers are, it is 
very difficult to avoid designing security holes into such servers. 
Therefore, IMHO, it is wrong to include such servers into the standard 
distribution. Instead, production-ready servers should be independent of 
the standard distribution, have their own development teams, have 
independent release-cycles, etc, etc: think Twisted, mod_python, etc.

So, I still think that only basic servers educational/playpen servers 
should go in the standard library, with an indication that the user 
should pick an openly server from outside the distro if they require to 
do serious server work.

Maybe if there were no "production-ready" servers in the standard 
library, there would be no need for a "Python Security Response Team".

Just my €0,02.



More information about the Web-SIG mailing list