I should point out that I really wasn't intending to suggest usage of the "safe eval" as a solution to the problem presented, but felt it was worth presenting to the list anyway...and got my real message confused. For games I've implicitly decided to favor simplicity of implementation over absolute security, for reasons that are more ideological than technical. My thinking is thus:

1. The untrusted code has to be explicitly downloaded - it's not random network traffic, neither is it put up against some immediate gateway to data like a server. Once you break through Python, all the restrictions are in the OS.

2. This is the exact same security issue the user faces when running any downloaded executable currently - without thoroughly scanning the code beforehand, there's no telling what the program will do. So while this solution is no *better* than running a downloaded game, you can't construe it as being *worse*. The only "trust" one can put in downloaded games is that of branding and communal relationships.

Thus my rationale is not really to be secure, but to keep people from shooting themselves in the foot. If they really want to do something harmful, it'll happen. Security is, in a practical sense, a perpetual battle, not a "do it right and it's solved forever" kind of problem.

I've read the speculations toward a "true" safe subinterpreter in Python 3000, and I figure that should it come along I can move the code there without issue (other than general code breakage stuff). Until then, I'm turning my back to the problem, because I have put other priorities first.
