On Wed, May 29, 2019 at 10:22:31PM +0100, Barry wrote:
> Serhiy, I think, is conflating two things.
> 1. How to write software robust against attack.
> 2. How to replace a symlink atomically.

I don't have an opinion on whether Serhiy is right or wrong.

> The only reason 1 is a problem is that the application is not in
> control of its file space which I would suggest means you already
> lost.
>
> I think the OP wants a solution to 2,

In the bug report Tom linked to initially:

https://bugs.python.org/issue36656

he clearly references an attacker overwriting the file, rather than an accidental overwrite. So I think #1 is relevant -- except that Serhiy makes a good point that atomicity doesn't solve #1.

I admit to a preference for atomic file operations where possible. Atomic operations are generally better, because they either succeed or fail, they don't half succeed and leave detritus lying around that you have to clean up. That's a good thing.

No offense intended to Serhiy... I don't know why the concept is so controversial. I feel that had a core dev just gone ahead and implemented this behaviour either in shutil or os.symlink, nobody would have objected and asked for it to be removed. It's only because Tom has to (a) ask permission and (b) discuss the design first that we are having the debate.

Making things atomic may not be a solution to every problem, but nor is it harmful and something we want to avoid. I can understand Serhiy saying "I don't care to implement this myself, and I won't review the PR, let somebody else do it" but I'm not sure why he is objecting to a volunteer willing to do the job.

But since Serhiy has objected, Tom has to respond to those objections. Serhiy is one of the most productive and most respected of the core devs, and right or wrong he cannot be ignored.

--
Steven

_______________________________________________
Python-ideas mailing list
Python-ideas@python.org
https://mail.python.org/mailman/listinfo/python-ideas
Code of Conduct: http://python.org/psf/codeofconduct/
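The atomic symlink replacement discussed in the thread, as an added illustration that is not code from the message, from issue36656 or from CPython itself: the naive unlink-then-symlink version leaves a window where the path is absent, while the temp-link-plus-rename version either succeeds or fails with nothing left behind. It assumes a POSIX filesystem where rename(2) over an existing non-directory entry is atomic; the function and file names are the example's own.

```python
import os
import secrets
import tempfile

def replace_symlink_nonatomic(target: str, link_path: str) -> None:
    """Naive version: between unlink() and symlink() the path does not exist,
    so a concurrent reader sees ENOENT and whoever creates the path first wins."""
    if os.path.lexists(link_path):
        os.unlink(link_path)
    os.symlink(target, link_path)

def replace_symlink_atomic(target: str, link_path: str) -> None:
    """Create the new link under a unique temporary name in the same directory,
    then rename it over link_path: observers see the old link or the new one."""
    link_dir = os.path.dirname(os.path.abspath(link_path))
    while True:  # symlink() fails with EEXIST if the name is taken: no check-then-act gap
        tmp_path = os.path.join(link_dir, f".{os.path.basename(link_path)}.{secrets.token_hex(8)}.tmp")
        try:
            os.symlink(target, tmp_path)
            break
        except FileExistsError:
            continue
    try:
        os.replace(tmp_path, link_path)  # single rename(2); same filesystem by construction
    except BaseException:
        os.unlink(tmp_path)  # either succeed or fail: leave no detritus behind
        raise

def demo() -> dict:
    """Constructed scenario: point `current` at one release, then another, and
    also try to replace a real directory, which must fail without leftovers."""
    with tempfile.TemporaryDirectory() as d:
        link = os.path.join(d, "current")
        replace_symlink_atomic("release-1", link)
        first = os.readlink(link)
        replace_symlink_atomic("release-2", link)
        second = os.readlink(link)
        real_dir = os.path.join(d, "adir")
        os.mkdir(real_dir)
        try:
            replace_symlink_atomic("release-3", real_dir)
            raised = False
        except OSError:  # rename of a non-directory over a directory is refused
            raised = True
        leftovers = sorted(n for n in os.listdir(d) if n not in ("current", "adir"))
        return {"first": first, "second": second, "raised": raised, "leftovers": leftovers}
```

As the thread notes, this only removes the half-done state; if an attacker can write to the directory at all, atomicity does not protect the link's target.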