[Edu-sig] Re: python vs php5

Michael McLay mmclay at comcast.net
Thu Dec 4 10:49:03 EST 2003 

On Wednesday 03 December 2003 06:09 pm, Lee Harr wrote:
> >i've heard that php5 will include declaration of attributes which are
> >private,
> >public and protected... aside from that interfaces which will be
> >implemented by
> >a class can also be created...
> >
> >in line with OO principles, wouldnt these features be good if implemented
> >in
> >python???

This question be more appropriate for the main python mailing list.

>
> You may want to join this list:
>
> http://twistedmatrix.com/cgi-bin/mailman/listinfo/python-interfaces
>
> which has been set up to talk about interfaces in python. There are at
> least three interface systems already (zope, twisted, and pyprotocols).
>
> I think that python will bring some very interesting developments to
> interfaces, but I don't think that excessive restrictions will be part of
> the mix. Instead, it will be more about making systems more flexible
> and more easily extensible by easing discovery of new things that
> support the interfaces you are interested in.

Interface definitions and the ability to make some members of a class private 
or protected are separate issues. The jury is still out on how Python 
interfaces will be defined. Python has had private members dating back to 
around Python 1.5. They aren't used or talked about much. Probably because it 
is very easy to subvert the minimal protection they provide to the class 
designer. It is also probably the case that private and protected are an over 
hyped and over used feature in Java and C++. In what sense do they protect 
your program? 

A recent article [1] on using Java describes how to use reflection to subvert 
access protection for unit testing. The article shows how to peek inside an 
object to "get" or "set" a private or protected member. The article states, 
"the [Java] security layer preventing you from accessing private members is 
only optional, and can be turned off." (It is only optional for programs that 
are not executed as applets. The Java Security Manager enforces access 
control on unsigned applets. Application that run signed applets can set the 
access rules for the applets.)

So the protected and private members of Java aren't as protected and private 
as might be expected. For trusted code these members are no more private and 
protected than the private types in Python that can be defined using the "__"  
prefix. (It is more work to get and set the members, but they are not safer 
than Python.)

The notion of making some members private and protected are in conflict with 
the introspection capability of Python (as well as reflection in Java). It 
has been said that Python is for "consenting adults".  (It's probably not the 
best phrase for capturing the idea.) Python trusts programmers to not do 
stupid things by subverting the minimal protection provided by the "__" 
prefix. People who bypass this protection know that bad things can happen. 

Using the private and protected declarations in a language as a security 
measure in a dynamic language is not a reliable way to prevent promiscuous 
programming. Stronger measure are needed, such building a sandbox in which 
the untrusted code is executed in a separate physical address space. Another 
approach is to provide a weakened language parser that limits potential 
problems caused by untrusted code. It is my understanding that Zope security 
for less trustworthy code uses a hobbled parser that limits the available 
Python language features. This includes turning off introspection features.

Why do you think adding private and protected members would make Python a 
better language? Would it be better, or just more like other language? Would 
it be better, or just harder to learn?

[1] http://www.onjava.com/pub/a/onjava/2003/11/12/reflection.html

More information about the Edu-sig mailing list