Python secure?

Reid Nichol rnichol_rrc at yahoo.com
Tue Aug 17 00:41:35 EDT 2004


Peter Hansen wrote:
> You haven't really been programming for very long, I think.
In fact, I've been programming for years, formally trained.


> Your argument (and I don't intend to start a flame war about another
> religious area) is tantamount to saying that the only failing of
> guns is that people use them to kill other people...  (That argument
> has merit, of course, but it sort of misses the whole point.)
Only if people use them improperly, which is my point, which you seem to 
have missed.  Guns are good at killing something to eat.  C, if you know 
what you are doing, can create secure code and you don't have to be perfect.


>> If people wouldn't rush, if they took their time to learn what's 
>> actually going on, they wouldn't make those mistakes.
> 
> 
> Okay, fair enough... though still arguable.  But let's look at
> reality: people do rush.  People don't take the time to learn
> what's actually going on.  And even when they do, they are
> only human, so sometimes they forget, or get confused, or just
> get in a hurry, or in spite of all their best efforts they
> still manage not to do it right.  Expecting programmers to
> be perfect is unreasonable, and to achieve very secure code in
> C one must expect to have perfect programmers.
> 
>> One cannot judge a language by its ability to allow sloppiness.  
> 
> 
> Whyever not?  There's no inherent reason why one shouldn't do
> exactly that.


> Assembly, for example, is a terrible language...
We aren't talking about assembly, we are talking about C, which is 
readable if the programmer takes the time to code and document properly. 
  Any language will suffer if a poor programmer is at the helm.  And if 
there is a program that needs writing (securely) and someone is charged 
with that duty that has no business doing so, they'll get what they 
deserve regardless of which language is used.


>> Quite frankly, I've seen some crap Python code.  It's the programmer
>> NOT the language.
> 
> 
> Not quite: it's the programmer *and* the language.  But for
> a given programmer, there are clear differences between two
> languages in terms of how readable the resulting code will be,
> not to mention how secure.
If a programmer writes well structured code then (s)he will write well 
structured code to the limitation of that language.  All languages that 
I have seen allow proper indentation, etc.  If the programmer doesn't do 
this then (s)he'll find a way to mess up readability, etc somehow.


>> Remember, there is no one language that everything is good for.  
>> Python, C, C++, Lisp, etc all have things that it is best to program 
>> in them.  It all depends on the project's requirements.
> 
> 
> All true...  but we _were_ talking about requirements involving
> security and, for that, C is not as good as Python.  I think
> your final statement is pretty close to agreeing with that,
> unless you really want to go back now and argue against yourself,
> that C is just as good as Python in that area, or perhaps even
> better...  (in which case I'm quite curious what areas you
> think Python, C++, and Lisp excel in compared to C.)
> 
> -Peter

I'm trying to say here that one must base the choice of language on a 
project by project basis.  That the program must be secure is no reason 
to jettison C straight away, as there are way too many other factors that 
come into play.  Look at the project and the language will fall out.

If I was to kill Python (or any other scripting language) then one need 
only mention speed as an absolute requirement.  But, if speed wasn't an 
issue then a scripting language would still be in play.  I'd also like 
to mention that one need not have to choose between the two as one can 
embed Python in C.  Use C for the speed sensitive parts and Python for 
the others.  For instance, many games (which depend on high frame rates) 
use Python in parts of them.


I'd like to say at this point, since I'm probably coming off as 
anti-Python to some, that I do love the language.  In fact I recommend 
it to anyone that wishes to learn programming as it repels many bad 
habits.  I'm also using it for multiple projects that I have going right 
now.

But, that being said, I must say that it does have its limitations, just 
like any other language.  I'm just defending others that I don't think 
have some limitations that others think that they do.  So, with that in 
mind, I think that this discussion has reached an opinion level and thus 
IMHO, will bear no further fruit.


