[Python-Dev] Another update for PEP 394 -- The "python" Command on Unix-Like Systems

Steve Dower steve.dower at python.org
Tue Feb 26 17:29:18 EST 2019


On 2/26/2019 1:20 PM, Gregory P. Smith wrote:
> For an OS distro provided interpreter, being able to restrict its use to 
> only OS distro provided software would be ideal (so ideal that people 
> who haven't learned the hard distro maintenance lessons may hate me for it).
> 
> Such a restriction could be implemented within the interpreter itself. 
> For example: Say that only this set of fully qualified path whitelisted 
> .py files are allowed to invoke it, with no interactive, stdin, or 
> command line "-c" use allowed.  I'm not aware of anyone actually having 
> done that.  It's hard to see how to do that in a /maintainable/ manner 
> that people using many distros wouldn't just naively work around by 
> adding themselves to the whitelist rather than providing their own 
> interpreter for their own software stack.  It feels more doable without 
> workarounds for something like macOS or any other distro wholly 
> controlled and maintained as a single set of software rather than 
> widely varying packages.
> 
> Solving that is way outside the scope of PEP 394.  Just food for thought 
> that I'd like to leave as an earworm for the future for distro minded 
> folks.  I some people to hate this idea.

I haven't caught up on this thread yet, but this sounds a lot like the 
"Restricting the entry point" section of 
https://www.python.org/dev/peps/pep-0551/ (which is still a draft, so if 
anyone wants to help make it more like what they want, I'm happy to have 
contributors).

So I'm in favour of making this easy (since I'm already having to deal 
with it being difficult ;) ), as it's extremely valuable for 
security-conscious deployments as well as the distro package cases 
mentioned by Gregory.

Cheers,
Steve
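
The restriction discussed in this thread (only allowlisted, fully qualified .py entry points, with no interactive, stdin or "-c" use), sketched as an added example; it is not code from PEP 551, CPython or either poster. The function name, the safe-flag set and the paths are hypothetical, and a real implementation would live inside the interpreter or its launcher rather than in a script.

```python
import os

# Hypothetical set of flags that do not change which code runs.
# Every other option is refused, so the check fails closed.
SAFE_FLAGS = frozenset({"-I", "-E", "-s", "-B"})


def check_invocation(args, allowed_scripts):
    """Decide whether an interpreter command line is permitted.

    args: arguments that follow the interpreter name.
    allowed_scripts: set of canonical absolute paths of permitted .py files.
    Returns (permitted, detail): the canonical path, or the refusal reason.
    """
    rest = list(args)
    while rest and rest[0] in SAFE_FLAGS:
        rest.pop(0)
    if not rest:
        return False, "no script given: would start an interactive session"
    first = rest[0]
    if first == "-":
        return False, "reading the program from stdin is not allowed"
    if first.startswith("-"):
        # Covers -c, -m, -i and clustered forms such as -Ic.
        return False, "option %r is not allowed" % first
    if not os.path.isabs(first):
        return False, "script path must be fully qualified"
    # Resolve ".." segments and symlinks before comparing with the list.
    canonical = os.path.realpath(first)
    if canonical not in allowed_scripts:
        return False, "%s is not an allowlisted entry point" % canonical
    return True, canonical


if __name__ == "__main__":
    # Constructed allowlist and command lines, for illustration only.
    allowed = {"/usr/libexec/distro/pkgtool.py"}
    for cmdline in (["/usr/libexec/distro/pkgtool.py", "--update"],
                    ["-c", "import os"], ["-"], [],
                    ["/usr/libexec/distro/../../../tmp/x.py"]):
        print(cmdline, "->", check_invocation(cmdline, allowed))
```

The allowlist only helps if ordinary users cannot write to it or to the listed files, which is the maintainability concern raised in the quoted message.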
