[Python-Dev] Integrate BeautifulSoup into stdlib?

Lie Ryan lie.1296 at gmail.com
Fri Mar 13 16:28:50 CET 2009


Tres Seaver wrote:
> Lie Ryan wrote:
>> Tres Seaver wrote:
>>> Paul Moore wrote:
>>>> 2009/3/13 Chris Withers <chris at simplistix.co.uk>:
>>>>> If a decent package management system *was* included, this wouldn't be an
>>>>> issue..
>>>> Remember that a "decent package management system" needs to handle
>>>> filling in all the forms and arranging approvals to get authorisation
>>>> for packages when you download them.
>>>>
>>>> And no, I'm *not* joking. People in a locked-down corporate
>>>> environment really do benefit from just having to get the OK for
>>>> "Python", and then knowing that they have all they need.
>>> You are plainly joking:  nothing in Python should know or care about the
>>> various bureaucratic insanities in some workplaces.  Given the
>>> *existing* stdlib and network connectivity, nothing any corporate
>>> security blackshirt can do will prevent an even moderately-motivated
>>> person from executing arbitrary code downloaded from elsewhere.  In that
>>> case, what is the point in trying to help those who impose such craziness?
>> I (and most people, I presume) would not run arbitrary programs 
>> downloaded from somewhere else on a corporate server that holds a lot of 
>> important customer data, even when there is no technical or even 
>> bureaucratic restriction. Maybe I would sneak around on a workstation, but 
>> definitely not on the server, especially if I love my job and want to 
>> keep it (I'm a student though, so that applies to me in the future).
> 
> I'm not arguing that employees should violate their employers' policies:
>  I'm arguing that Python itself shouldn't try to cater to such policies.

Basically you're saying: Python is designed not to work in such environments.

>  Note that I'm not talking about running code pushed on me by malware
> authors, either:  I'm talking about "ordinary" software development
> activities like using a script from a cookbook, or using a well-tested
> and supported library, rather than NIH.

Some companies have /very/ strict policies on running anything on live 
servers, including scripts you write yourself. The problem is that if the 
script goes awry, it might disturb the stability or even the security of the 
server.

> Given that the out-of-the-box Python install already has facilities for
> retrieving text over the net and executing that text, the notion of
> "locking down" a machine to include only the bits installed in the stock
> Python install is just "security theatre;"  such a machine shouldn't
> have Python installed at all (nor a C compiler, etc.)

When the server administrator is already freaked out about adding a 
script developed by an in-house employee, what about adding an external module?

Of course, all of this does not (usually) apply to regular workstations. A 
messed-up workstation only means a reinstall; a messed-up server may 
mean the company's reputation.
