[Python-Dev] Reviving restricted mode?

Isaac Morland ijmorlan at uwaterloo.ca
Wed Aug 13 19:11:23 CEST 2014


On Thu, 14 Aug 2014, Steven D'Aprano wrote:

> On Thu, Aug 14, 2014 at 02:26:29AM +1000, Chris Angelico wrote:
>> On Wed, Aug 13, 2014 at 11:11 PM, Isaac Morland <ijmorlan at uwaterloo.ca> wrote:
>>> While I would not claim a Python sandbox is utterly impossible, I'm
>>> suspicious that the whole "consenting adults" approach in Python is
>>> incompatible with a sandbox.  The whole idea of a sandbox is to absolutely
>>> prevent people from doing things even if they really want to and know what
>>> they are doing.
>
> The point of a sandbox is that I, the consenting adult writing the
> application in the first place, may want to allow *untrusted others* to
> call Python code without giving them control of the entire application.
> The consenting adults rule applies to me, the application writer, not
> them, the end-users, even if they happen to be writing Python code. If
> they want unrestricted access to the Python interpreter, they can run
> their code on their own machine, not mine.

Yes, absolutely, and I didn't mean to contradict what you are saying. 
What I am suggesting is that the basic design of Python isn't a good 
starting point for imposing mandatory restrictions on what code can do. 
By contrast, take something like Safe Haskell.  I'm not absolutely certain 
that it really is safe as promised, but it's starting from a very 
different language in which the compiler performs extremely sophisticated 
type checking and simply won't compile programs that don't work within the 
type system.

This isn't a knock on Python (which I love using, by the way), just being 
realistic about what the existing language is likely to be able to 
support.  Having said that, I'll be very interested if somebody does come 
up with a restricted mode Python that is widely accepted as being secure - 
that would be a real achievement.

Isaac Morland			CSCF Web Guru
DC 2554C, x36650		WWW Software Specialist

