[Web-SIG] WSGI in standard library
Alan Kennedy
pywebsig at xhaus.com
Sun Feb 12 12:39:58 CET 2006
[Alan Kennedy]
>>Instead, I think the right approach is to continue with the existing
>>approach: put the most basic possible WSGI server in the standard
>>library, for educational purposes only, and a warning that it shouldn't
>>really be used for production purposes.
[Bill Janssen]
> I strongly disagree with this thinking. Non-production code shouldn't
> go into the stdlib; instead, Alan's proposed module should go onto
> some pedagogical website somewhere with appropriate tutorial
> documentation.
I still disagree ;-)
IMO, the primary reason for not including production servers in the
standard library is that servers need to be maintained much more
fastidiously than the standard library, and need to be released on a
timescale that is independent of python releases.
Note the security hole uncovered in the standard library xml-rpc lib
last year.
PSF-2005-001 - SimpleXMLRPCServer.py allows unrestricted traversal
http://www.python.org/security/PSF-2005-001/
This particular security hole is the very reason why the Python Security
response team had to be founded, and required point-releases of the
entire python distribution to fix, i.e. python 2.3.5 and python 2.4.1
were released simply to fix this bug.
There are two primary areas of the python distro that can result in such
significant security holes.
1. Crypto libraries. Fortunately, the Timbot has been carefully watching
over us, and ensuring the excellence of the python crypto libraries (as
witnessed by the appearance of Ron Rivest on python-dev (!) last December:
http://mail.python.org/pipermail/python-dev/2005-December/058850.html )
2. Internet-exposed servers. No matter how careful developers are, it is
very difficult to avoid designing security holes into such servers.
Therefore, IMHO, it is wrong to include such servers into the standard
distribution. Instead, production-ready servers should be independent of
the standard distribution, have their own development teams, have
independent release-cycles, etc, etc: think Twisted, mod_python, etc.
So, I still think that only basic educational/playpen servers
should go in the standard library, with an indication that the user
should pick an open server from outside the distro if they need to
do serious server work.
Maybe if there were no "production-ready" servers in the standard
library, there would be no need for a "Python Security Response Team".
Just my €0,02.
Regards,
Alan.
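For readers unfamiliar with the "unrestricted traversal" bug class the advisory above refers to, here is an added illustration, not part of Alan's message and not the SimpleXMLRPCServer code of the time: a toy dispatcher that resolves client-supplied dotted method names with getattr at every step, beside a hardened resolver that applies the two checks later stdlib versions apply (dotted names off unless the server author opts in, and any component starting with an underscore refused). The names `Calculator`, `resolve_unrestricted`, `resolve_restricted`, `dispatch` and the constructed requests are hypothetical and exist only for this example.

```python
"""Dotted-name traversal in an RPC-style dispatcher: vulnerable vs hardened.

Illustrative example only (Python 3). The class, helpers and requests are
hypothetical; they are not taken from SimpleXMLRPCServer or its 2005 fix.
"""
import os


class Calculator:
    """Hypothetical service object an RPC server might register."""

    def add(self, a, b):
        return a + b


def resolve_unrestricted(obj, dotted_name):
    """Walk every dotted component with getattr and no filtering at all.

    This is the bug class: the client chooses the attribute names, so the
    walk can leave the intended method surface through dunder attributes.
    """
    for part in dotted_name.split("."):
        obj = getattr(obj, part)
    return obj


def resolve_restricted(obj, dotted_name, allow_dotted_names=False):
    """Hardened resolver in the style of later stdlib versions.

    - dotted names must be explicitly enabled by the server author;
    - any component starting with '_' is refused, so attributes such as
      __globals__ or __class__ can never be reached from the wire.
    """
    if not allow_dotted_names:
        if "." in dotted_name:
            raise AttributeError("dotted names are not allowed")
        parts = [dotted_name]
    else:
        parts = dotted_name.split(".")
    for part in parts:
        if part.startswith("_"):
            raise AttributeError(f"attempt to access private attribute {part!r}")
        obj = getattr(obj, part)
    return obj


def dispatch(resolver, instance, method, params, **kw):
    """Simulate the server: resolve the client-supplied name, then call it."""
    target = resolver(instance, method, **kw)
    return target(*params)


# Constructed "requests" (hypothetical): what a client might send as the
# method name and parameter list.
LEGIT_CALL = ("add", [2, 3])
# Traverses add -> __globals__ (the module dict) -> get, then calls
# get("os"): the call escapes Calculator's intended surface entirely.
ESCAPE_CALL = ("add.__globals__.get", ["os"])


def demo():
    """Return what each resolver does with the legitimate and escaping calls."""
    calc = Calculator()
    results = {}
    results["legit"] = dispatch(resolve_unrestricted, calc, *LEGIT_CALL)
    results["legit_restricted"] = dispatch(resolve_restricted, calc, *LEGIT_CALL)
    # Unrestricted walk: the attacker-chosen path hands back a module object.
    results["escape_unrestricted"] = (
        dispatch(resolve_unrestricted, calc, *ESCAPE_CALL) is os
    )
    # Hardened walk refuses the dotted name outright by default ...
    try:
        dispatch(resolve_restricted, calc, *ESCAPE_CALL)
        results["escape_restricted"] = True
    except AttributeError:
        results["escape_restricted"] = False
    # ... and still refuses the underscore component when dots are enabled.
    try:
        dispatch(resolve_restricted, calc, *ESCAPE_CALL, allow_dotted_names=True)
        results["escape_restricted_dotted"] = True
    except AttributeError:
        results["escape_restricted_dotted"] = False
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the hardened resolver is not the specific dunder name used in the constructed request but that the server, not the client, decides which attribute paths are reachable; an allow-list of exported methods would be stricter still.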