[Zope-dev] uuid.UUID as a rock in zope.security
Shane Hathaway
shane at hathawaymix.org
Fri Apr 10 15:20:29 EDT 2009
Martijn Faassen wrote:
> Stephan Richter wrote:
>> On Friday 10 April 2009, Jim Fulton wrote:
>>>> Unfortunately these are ZC's use cases.
>>> They are not just ZC's use cases.
>> Keas is relying on that safety heavily too. Anyone who wants to build a secure
>> DSL based on Python really wants zope.security.
>
> Okay, second case of such usage noticed.
>
> One thing that worries me is that PyPy folks keep saying it probably
> isn't really secure, though they refuse to specify why not when Chris
> Withers tried to find out last year at EuroPython.
I suspect that's because Python allows anything by default;
zope.security and RestrictedPython only provide a way to close known
holes. The security model of JavaScript running in a browser is very
similar, though, and that seems to be good enough for most people.
Shane