[Python-Dev] Python possible vulnerabilities in concurrency
Steve Dower steve.dower at python.org
Fri Nov 17 14:11:16 EST 2017
- Previous message (by thread): [Python-Dev] Python possible vulnerabilities in concurrency
- Next message (by thread): [Python-Dev] PEP 549 vs. PEP 562
On 15Nov2017 2053, Guido van Rossum wrote:
> On Wed, Nov 15, 2017 at 6:50 PM, Guido van Rossum <guido at python.org> wrote:
> So far I learned one thing from the report. They use the term "vulnerabilities" liberally, defining it essentially as "bug": All programming languages contain constructs that are incompletely specified, exhibit undefined behaviour, are implementation-dependent, or are difficult to use correctly. The use of those constructs may therefore give rise to /vulnerabilities/, as a result of which, software programs can execute differently than intended by the writer.
> They then go on to explain that sometimes vulnerabilities can be exploited, but I object to calling all bugs vulnerabilities -- that's just using a scary word to get attention for a sleep-inducing document containing such gems as "Use floating-point arithmetic only when absolutely needed" (page 230).
I looked at this report the first time it was posted and came to the same conclusion.
It's only valuable in the sense that it makes clear just how perfect your code has to be to avoid being vulnerable, and since that level of perfection can never be achieved, the takeaway is that you can't achieve security solely within the application/framework/runtime. It is convenient to have formally researched and collated it, so the rest of us can just write blog posts/PEPs stating it as fact, but I think most people will intuitively get the main point without referring to the report.
(Yes, I'm still interested in pushing PEP 551 forward :) I've been trying to get some actual companies other than Microsoft using it for the real-world experience, and I have a couple of conference talks coming up about it. There are implementations against v3.7.0a2 at https://github.com/zooba/cpython/tree/pep551 and against v3.6.3 at https://github.com/zooba/cpython/tree/pep551_36 )
Cheers, Steve