How much is set in stone?

Andrew Dalke dalke at dalkescientific.com
Sat Nov 10 12:50:17 EST 2001


Paul Rubin:
>Comparing Python with Perl, generally I find Python better designed
>but its implementation more likely to take short cuts.

I've reported several core dump bugs in Perl over time.  The most
recent was a couple months back.  I've used Python a lot more than
Perl, and I work out of CVS, so it's hard to compare the two,
but I feel that they are comparable in implementation solidity.
Yes, I've reported Python core dumps as well.

I find it impressive you can compare implementation details.  When
I've found problems or had questions with Perl's C implementation,
I haven't been able to figure out heads or tails of the code.  In
Python, I've never had that problem except once where there was
a 'tstate' bug related to how threads are done.

> The security
>issue with pickle.loads that we spent a long time discussing is
>something I think the perl developers would not have tolerated.

I thought most of those pickle bugs have been addressed.  I know
I sent in fixes for a couple of them.  As I recall, it wasn't
tolerated, but no one wanted to go fix them.

As for security, I'm astonished that Perl passes NUL-containing
strings to system calls, which opens up a Perl script to all sorts
of subtle attacks.  Perhaps the most famous is
  http://www.mail-archive.com/modperl@apache.org/msg00396.html

Python raises an exception in this case.  There are other concerns
I have, but the point is I don't see Perl being the best example
with which to compare.

>There's all kinds of other missing functionality in the runtime system
>as well, that doesn't result directly in unrobust programs, but does
>make it more difficult to write robustly.  A lot of this ng is about
>the resulting issues.

As I said, I've done Perl coding before, as well as Tcl, C++, and
others.  I've also hung around those newsgroups.  I don't see anything
specifically unusual here indicative of a lack of robustness.  It
may be because I read c.l.perl from the 4.0.38 -> 5.2 days (so
you could say it wasn't as robust then) or c.l.tcl in the 7.x days.
Wow! Google says my first post to c.l.py was in Sept. 1995 -- but
I was mostly a lurker back then.

Could you remind me what sorts of functionality you consider to
be missing?  Are you talking about things like taintedness and
sandboxing?  (In which case languages like C++ also fit under the
category of "more difficult to write robustly", with which I'll
agree.)  I've written a whole lot of Python code and I can't
think of anything in the run-time which needed to be improved to
increase robustness.

There have been improvements in the language which have improved
expressibility and maintainability, but I believe that to be a
different though related issue.

                    Andrew
                    dalke at dalkescientific.com
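
The NUL-byte behaviour discussed in the message above, as an added example that is not part of the original post: a suffix check sees the whole string, a C routine taking char* would see only the text before the first NUL, and current CPython 3 refuses the call with ValueError. The helper names and file names are hypothetical, and the files are constructed in a temporary directory.

```python
import os
import tempfile


def c_string_view(name):
    """What a C routine taking char* would see: text before the first NUL."""
    return name.split("\0", 1)[0]


def open_if_text(directory, user_name, suffix=".txt"):
    """Suffix check, then open(); returns a (status, detail) pair."""
    if not user_name.endswith(suffix):
        return ("rejected", "suffix check failed")
    try:
        with open(os.path.join(directory, user_name), "rb") as fh:
            return ("opened", fh.read())
    except (ValueError, TypeError) as exc:
        # CPython 3 raises ValueError("embedded null byte") before any syscall.
        return ("refused", type(exc).__name__)
    except OSError as exc:
        return ("error", type(exc).__name__)


def demo():
    """Run the check against constructed files in a temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        for fname, body in (("notes.txt", b"public"), ("secret.cfg", b"private")):
            with open(os.path.join(d, fname), "wb") as fh:
                fh.write(body)
        crafted = "secret.cfg\0.txt"  # constructed input: passes the suffix check
        return {
            "normal": open_if_text(d, "notes.txt"),
            "wrong_suffix": open_if_text(d, "secret.cfg"),
            "c_view": c_string_view(crafted),
            "crafted": open_if_text(d, crafted),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The "crafted" entry shows the point of the comparison: the name that passes the string-level check is never handed to the operating system, so the check and the system call cannot disagree about which file is meant.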





