[Python-Dev] Python and Security

Ka-Ping Yee ping@lfw.org
Sun, 20 Jan 2002 16:23:15 -0600 (CST)


"M.-A. Lemburg" wrote:

... Note that Python hasn't really had a need for Perl's "taint" because of this. I wouldn't want to see that change in any way.

On Thu, 17 Jan 2002, Paul Prescod wrote:

I am certainly not a Perl programmer but Python is also attackable through the sorts of holes that "taint" is intended to avoid.

Paul is right on the money. Tainting is a completely separate issue.

That said, however, i wonder why security rarely comes up as an issue for Python. Is it because nobody expects security properties from the language? Does anyone know how much the restricted execution feature gets used? Is there anyone here that would use a tainting feature if it existed?

It would be interesting to explore the possibilities for safe distributed programming in Python. Restricted execution mode and the ability to hook import seem like a pretty strong starting point, and given a suitable cryptographic comm library, it might be feasible to get from there to capability-style distributed programming.

IMHO, simplicity and readability are extremely important for a secure programming language, so that gives Python a great head start.

(By the way, i'm planning to be at Python 10, and hope to see many of you there. As i'm looking for ways to keep costs down, would anyone be interested in splitting the cost of a hotel room in exchange for a roommate with a strange hairstyle? I'll be there Feb 4 to 7, three nights.)

-- ?!ng