[Python-Dev] Path object design
glyph at divmod.com
glyph at divmod.com
Wed Nov 1 09:36:11 CET 2006
On 03:14 am, sluggoster at gmail.com wrote:
>One thing is sure -- we urgently need something better than os.path.
>It functions well but it makes hard-to-read and unpythonic code.
I'm not so sure. The need is not any more "urgent" today than it was 5 years ago, when os.path was equally "unpythonic" and unreadable. The problem is real but there is absolutely no reason to hurry to a premature solution.
I've already recommended Twisted's twisted.python.filepath module as a possible basis for the implementation of this feature. I'm sorry I don't have the time to pursue that. I'm also sad that nobody else seems to have noticed. Twisted's implemenation has an advantage that it doesn't seem that these new proposals do, an advantage I would really like to see in whatever gets seriously considered for adoption:
*It is already used in a large body of real, working code, and therefore its limitations are known.*
If I'm wrong about this, and I can't claim to really know about the relative levels of usage of all of these various projects when they're not mentioned, please cite actual experiences using them vs. using os.path.
Proposals for extending the language are contentious and it is very difficult to do experimentation with non-trivial projects because nobody wants to do that and then end up with a bunch of code written in a language that is no longer supported when the experiment fails. I understand, therefore, that language-change proposals are therefore going to be very contentious no matter what.
However, there is no reason that library changes need to follow this same path. It is perfectly feasible to write a library, develop some substantial applications with it, tweak it based on that experience, and *THEN* propose it for inclusion in the standard library. Users of the library can happily continue using the library, whether it is accepted or not, and users of the language and standard library get a new feature for free. For example, I plan to continue using FilePath regardless of the outcome of this discussion, although perhaps some conversion methods or adapters will be in order if a new path object makes it into the standard library.
I specifically say "library" and not "recipie". This is not a useful exercise if every user of the library has a subtly incompatible and manually tweaked version for their particular application.
Path representation is a bike shed. Nobody would have proposed writing an entirely new embedded database engine for Python: python 2.5 simply included SQLite because its utility was already proven.
I also believe it is important to get this issue right. It might be a bike shed, but it's a *very important* bike shed. Google for "web server url filesystem path vulnerability" and you'll see what I mean. Getting it wrong (or passing strings around everywhere) means potential security gotchas lurking around every corner. Even Twisted, with no C code at all, got its only known arbitrary-code-execution vulnerability from a path manipulation bug. That was even after we'd switched to an OO path-manipulation layer specifically to avoid bugs like this!
I am not addressing this message to the py3k list because its general message of extreme conservatism on new features is more applicable to python-dev. However, py3k designers might also take note: if py3k is going to do something in this area and drop support for the "legacy" os.path, it would be good to choose something that is known to work and have few gotchas, rather than just choosing the devil we don't know over the devil we do. The weaknesses of os.path are at least well-understood.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.python.org/pipermail/python-dev/attachments/20061101/38391818/attachment.htm
More information about the Python-Dev
mailing list