Hi,

I would like to know if a Python security team exists. I sent an email about an imageop issue, and I didn't get any answer. Later I learned that a security ticket was created; I don't have access to it.

First, I would like access to this information. Not only this issue, but all security-related issues. I have some knowledge about security and I can help to resolve issues and/or estimate the criticality of an issue.

Second, I would like to help to fix all Python security issues. It looks like the Python community isn't very reactive (proactive?) about security. E.g. a DoS was reported in the smtpd server (integrated into Python)... 15 months ago. A patch is available but it's not applied in Python trunk.

Third, I'm also looking for a document explaining "how Python is secure" (!). If a user can run arbitrary Python code, we know that they can do anything (read/remove any file, create/kill any process, read/write anywhere in memory, etc.). Brett wrote a paper about CPython sandboxing. PyPy is also working on sandboxing using two interpreters: one has high privilege and executes instructions from the second interpreter (after checking the permissions and arguments).

So is there somewhere a document explaining the current status of Python security?

--
Victor Stinner aka haypo
http://www.haypocalc.com/blog/
_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
http://mail.python.org/mailman/listinfo/python-dev