On Sat, Jun 23, 2018 at 01:33:59PM +1200, Greg Ewing wrote:
> Chris Angelico wrote:
> >Downside:
> >You can't say "I'm done with this string, destroy it immediately".
> 
> Also it would be hard to be sure there wasn't another
> copy of the data somewhere from a time before you
> got around to marking the string as sensitive, e.g.
> in a file buffer.

Don't let the perfect be the enemy of the good. We know there's at least 
one place that a string could leak private information. Just because 
there could hypothetically be other such places, doesn't make it useless 
to wipe that known potential leak.

Attackers are not always omniscient. Even if an application leaks 
private data in ten places, some attacker may only know of, or be 
capable of, attacking *one* leak. If we can, we ought to plug it, and 
leave those hypothetical other leaks for another day.

(Burglars can lift the tiles off my roof, climb into the ceiling, and 
hence down into my house. Nevertheless I still lock my front door.)


-- 
Steve
_______________________________________________
Python-ideas mailing list
Python-ideas@python.org
https://mail.python.org/mailman/listinfo/python-ideas
Code of Conduct: http://python.org/psf/codeofconduct/
