[Python-ideas] Implement POSIX ln via shutil.link and shutil.symlink
Steven D'Aprano
steve at pearwood.info
Wed May 29 20:49:52 EDT 2019
On Wed, May 29, 2019 at 10:22:31PM +0100, Barry wrote:
> Serhiy, I think, is conflating two things.
> 1. How to write software robust against attack.
> 2. How to replace a symlink atomically.
I don't have an opinion on whether Serhiy is right or wrong.
> The only reason 1 is a problem is that the application is not in
> control of its file space which I would suggest means you already
> lost.
>
> I think the OP wants a solution to 2,
In the bug report Tom linked to initially:
https://bugs.python.org/issue36656
he clearly references an attacker overwriting the file, rather than an
accidental overwrite. So I think #1 is relevant -- except that Serhiy
makes a good point that atomicity doesn't solve #1.
I admit to a preference for atomic file operations where possible.
Atomic operations are generally better, because they either succeed or
fail, they don't half succeed and leave detritus lying around that you
have to clean up. That's a good thing.
No offense intended to Serhiy... I don't know why the concept is so
controversial. I feel that had a core dev just gone ahead and
implemented this behaviour either in shutil or os.symlink, nobody would
have objected and asked for it to be removed. It's only because Tom has
to (a) ask permission and (b) discuss the design first that we are
having the debate.
Making things atomic may not be a solution to every problem, but nor is
it harmful and something we want to avoid. I can understand Serhiy
saying "I don't care to implement this myself, and I won't review the
PR, let somebody else do it" but I'm not sure why he is objecting to a
volunteer willing to do the job.
But since Serhiy has objected, Tom has to respond to those objections.
Serhiy is one of the most productive and most respected of the core
devs, and right or wrong he cannot be ignored.
--
Steven
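
Added example, not part of the original message and not code from CPython or the linked bug report: a sketch of point 2 in the thread (replacing a symlink atomically) on POSIX, where the operation either succeeds or fails and leaves nothing to clean up. The names replace_symlink and demo are hypothetical; as noted in the thread, this covers atomicity only, not point 1.

```python
import os
import tempfile


def replace_symlink(target, link_path):
    """Repoint link_path at target with no moment where it is missing."""
    link_dir = os.path.dirname(os.path.abspath(link_path))
    # Private (0700) scratch directory on the same filesystem, so the
    # temporary name cannot be pre-created by another user.
    scratch = tempfile.mkdtemp(prefix=".ln-", dir=link_dir)
    tmp_link = os.path.join(scratch, "new")
    try:
        os.symlink(target, tmp_link)
        # rename(2): the old entry is swapped for the new one in one step.
        os.replace(tmp_link, link_path)
    finally:
        # Success or failure, leave nothing behind.
        if os.path.lexists(tmp_link):
            os.unlink(tmp_link)
        os.rmdir(scratch)


def demo():
    """Run against constructed files in a throwaway directory."""
    with tempfile.TemporaryDirectory() as d:
        old, new = os.path.join(d, "release-1"), os.path.join(d, "release-2")
        for path in (old, new):
            open(path, "w").close()
        link = os.path.join(d, "current")
        os.symlink(old, link)
        before = os.path.basename(os.readlink(link))
        replace_symlink(new, link)
        after = os.path.basename(os.readlink(link))
        # Failure case: a real directory cannot be replaced by a symlink.
        blocked = os.path.join(d, "adir")
        os.mkdir(blocked)
        try:
            replace_symlink(new, blocked)
            failed = False
        except OSError:
            failed = True
        return before, after, failed, sorted(os.listdir(d))


if __name__ == "__main__":
    print(demo())
```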