[Python-Dev] In defense of Capabilities [was: doc for new restricted execution design for Python]

Brett Cannon brett at python.org
Sun Jul 9 04:48:38 CEST 2006


On 7/7/06, Guido van Rossum <guido at python.org> wrote:

On 7/8/06, Ka-Ping Yee <python-dev at zesty.ca> wrote:
> The situation you're describing here is a classic case of one
> component keeping a closely held authority while using it to
> provide some limited capability to some other component. This
> comes up quite often when you're trying to write secure code.
>
> If you want to be able to write that subsystem in Python, then
> we will need a way to create airtight Python objects (i.e. objects
> that only leak what they explicitly choose to leak).
>
> So this goes back to the big question of goals:
>
> Do we want to be able to protect one piece of Python code
> from another piece of Python code?
>
> I'd like the answer to be yes. It sounded for a while like this
> was not part of Brett's plan, though. Now i'm not so sure. It
> sounds like you're also interested in having the answer be yes?
>
> Let's keep talking about and playing with more examples -- i think
> they'll help us understand what goals we should aim for and what
> pitfalls to anticipate before we nail down too many details.

I'd like the answer to be no, because I don't believe that we can trust the VM to provide sufficient barriers. The old pre-2.2 restricted execution mode tried to do this but 2.2 punched a million holes in it. Python isn't designed for this (it doesn't even enforce private attributes).

I guess this is also the main reason I'm skeptical about capabilities for Python.

My plan is no. As Guido said, getting this right is feasibly questionable. I do not plan on trying to have security proxies or such implemented in Python code; it will need to be in C. If someone comes along and manages to find a way to make Python work without significantly changing the language, great, and we can toss out my security implementation for that.

But as of right now, I am not planning on making Python code safe to run in Python code.

-Brett

--

--Guido van Rossum (home page: http://www.python.org/~guido/)
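As an added illustration (not code from this thread or from Brett's design), here is Ka-Ping's scenario in plain Python: one component holds a full read/write store and hands another component a read-only facet, keeping the store in a name-mangled "private" attribute. The check at the end shows the point Guido makes, that Python does not enforce private attributes, so the facet is not airtight. The class names and the sample secret are constructed for the example.

```python
class SecretStore:
    """The closely held authority (constructed example): full read/write access."""

    def __init__(self):
        self._data = {"db_password": "hunter2"}  # constructed sample secret

    def read(self, key):
        return self._data[key]

    def write(self, key, value):
        self._data[key] = value


class ReadOnlyFacet:
    """Attempt at an 'airtight' capability: keep the store in a name-mangled
    attribute and expose only read()."""

    def __init__(self, store):
        self.__store = store  # Python rewrites this to _ReadOnlyFacet__store

    def read(self, key):
        return self.__store.read(key)


def facet_public_surface(facet):
    """What the facet advertises to its holder: only 'read', no 'write'."""
    return sorted(n for n in dir(facet) if not n.startswith("_"))


def private_attribute_is_enforced(facet):
    """True only if the VM actually blocks access to the mangled attribute.
    It does not: the name is merely rewritten, so the full store is reachable
    from any Python code that holds the facet."""
    try:
        store = getattr(facet, "_ReadOnlyFacet__store")
    except AttributeError:
        return True
    return not isinstance(store, SecretStore)


def demo():
    store = SecretStore()
    facet = ReadOnlyFacet(store)
    return {
        "surface": facet_public_surface(facet),   # ['read']
        "read": facet.read("db_password"),         # 'hunter2'
        "enforced": private_attribute_is_enforced(facet),  # False
    }
```

The facet's public surface looks right, but the `enforced` result is False, which is why the barrier has to come from outside the language (Brett's C-level proxies) rather than from Python objects themselves.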




