[Web-SIG] Python hosting (was Re: [Distutils] "setup.py needs to go away" (was [PEP 376] - Open questions on python-dev))

Graham Dumpleton graham.dumpleton at gmail.com
Sat Jul 11 13:21:21 CEST 2009


2009/7/11 Jim Fulton <jim at zope.com>:
>
> On Jul 11, 2009, at 5:58 AM, David Lyon wrote:
>
>> On Fri, 10 Jul 2009 10:02:39 -0400, Jim Fulton <jim at zope.com> wrote:
>>>
>>> I was really just pointing out that there isn't
>>> anything special about web developers.  Really the need relates to
>>> application development.  That is, web application developer's needs
>>> aren't really different from other application developers' needs.
>>
>> Just for my own education..
>>
>> Why is there so many problems with python hosting? What I mean
>> is that any linux host that can run python should be able to
>> do web hosting easily. Say like run zope/plone.
>>
>> Is this due to difficulties in getting packages onto a web host?
>>
>> What could be done in an ideal world to make it a snap to
>> run zope on my cheapy linux web hosting service (that already
>> has python)?
>
> The primary problem is that most web applications require long-running
> processes and low-cost hosting providers don't let you run your own
> long-running processes.  My impression is that not many low-cost providers
> support mod_python or that perhaps perhaps it's not easy to integrate with
> mod_python in those environments.  I personally haven't tried to run Zope on
> low-cost hosting providers.

A web hosting company is not going to use mod_python for implementing
Python hosting in a shared environment where only one Apache instance
is used. This is because it is even more insecure than PHP when using
mod_php.

In both cases all users code runs as the Apache user. Although for
each, each uses code files may be owner by that user and not writable
to the Apache user, it will be readable so for a start, any sensitive
information of other uses could be read. For PHP the in process code
is thrown away at the end of each request, but for mod_python it isn't
and is instead retained in memory. Thus, because all user code
persistents in memory of same process, technically you could write a C
extension plugin that peeks into another users sub interpreter and
modifies resident code or again looks at data.

Embedding with Python in Apache processes is just terribly insecure
and if a web hosting company offers mod_python as a service on a
single Apache instance with other users, they have no clue about what
they are doing. As such, you should run a long way away.

The only way that mod_python works in shared web hosting is where each
user is given their own Apache instance, such as is done by
WebFaction.

Graham

> Lots of people are gravitating to Google App Engine, including Zope
> developers.  Zope itself is a bit too heavy for GAE, but lots of Zope
> developers are building lighter applications using Zope (and non-Zope)
> components. Lots of other frameworks work with GAE.
>
> Of course, there are lots of relatively low cost (~$20/mo) co-lo providers
> that give you a VM you can run anything on. I don't think there're any
> problems running Zope in those environments.
>
> Maybe others here can add more.
>
> Jim
>
> --
> Jim Fulton
> Zope Corporation
>
>
> _______________________________________________
> Web-SIG mailing list
> Web-SIG at python.org
> Web SIG: http://www.python.org/sigs/web-sig
> Unsubscribe:
> http://mail.python.org/mailman/options/web-sig/graham.dumpleton%40gmail.com
>


More information about the Web-SIG mailing list