Re: Should nested classes in an Enum be Enum members?

2018-06-28 Thread Steven D'Aprano
On Thu, 28 Jun 2018 18:33:31 -0700, Ethan Furman wrote:

> On 06/28/2018 05:58 PM, Ben Finney wrote:
> 
>> So I remain dumbfounded as to why anyone would want a class to *both*
>> be an enumerated type, *and* have callable attributes in its API.
> 
> Perhaps I am using Enum incorrectly, but here is my FederalHoliday Enum.
>  Note that date(), next_business_day, and year() are all callables.  The
> AutoEnum parent assigns values from 1 to n for each member.  It's at
> Stackoverflow [1] if you'd like up- or down-vote it.  ;)

It isn't clear to me why FederalHoliday is an Enum, especially as the API 
seems extremely baraque. 


> class FederalHoliday(AutoEnum):
>  NewYear = "First day of the year.", 'absolute', Month.JANUARY, 1
>  MartinLutherKingJr = "Birth of Civil Rights leader.", \
>  'relative', Month.JANUARY, Weekday.MONDAY, 3 
...


I think I get the idea... the first field is a description, the second 
tells us what month the holiday is in (hope you don't have to deal with 
movable holidays which can change months...). I'm not quite sure what the 
"absolute/relative" flags are (or why they are strings instead of enums). 
Possibly they determine whether the next field is treated as an ordinal 
(first, second, third...) or numerical (1, 2, 3...) value. 

But what isn't clear to me is why these holidays are *enums*. They're 
obviously date instances, with a rich API (at least three methods) and an 
extremely complex constructor (one with variable numbers of arguments).

What makes them enums? Under what circumstances would you be comparing 
something to MartinLutherKingJr (Day) without caring about a *specific* 
Martin Luther King Jr Day?




-- 
Steven D'Aprano
"Ever since I learned about confirmation bias, I've been seeing
it everywhere." -- Jon Ronson

-- 
https://mail.python.org/mailman/listinfo/python-list


Re: EXTERNAL: OSError: [Errno 48] Address already in use

2018-06-28 Thread Marko Rauhamaa
Dan Stromberg :
> [on how SO_REUSEADDR is a security risk]

> Start an echo server process P that listens on tcp/.
>
> Initiate a connection from a client machine to process P at tcp/. It
> works as expected.
>
> Kill P.
>
> Initiate a connection from a client machine to process P at tcp/.  It
> gives a connection refused as expected.
>
> If someone else comes along soon after and starts a different echo server
> process Q at tcp/ on the same server, it starts up immediately if P
> used SO_REUSEADDR.
>
> Then initiate a connection from the same (or different) client machine to
> process P (which no longer exists).  Q gets the data intended for P.

Well, the same security issue can be demonstrated without SO_REUSEADDR:

   DON'T start an echo server process P that listens on tcp/.

   Initiate a connection from a client machine to process P at tcp/.  It
   gives a connection refused as expected.

   If someone else comes along and starts an echo server process Q at
   tcp/ on the same server, it starts up immediately.

   Then initiate a connection from the same (or different) client machine to
   process P (which never existed).  Q gets the data intended for P.


The security issue can be real but is not directly related with
SO_REUSEADDR.


Marko
-- 
https://mail.python.org/mailman/listinfo/python-list


Re: [OT] Why are BBSes? [was Where's the junk coming from?]

2018-06-28 Thread Terry Reedy

On 6/28/2018 9:05 PM, Avon wrote:

On 06/28/18, Grant Edwards pondered and said...
  
  GE> OK, I've got to ask...

  GE> Why are there still BBSes?
  GE>
  GE> Who even has a modem these days?  [OK, I'll admit my 11 year old
  GE> Thinkpad T500 has a built-in POTS modem, but it's never been used.]

Hi Grant.

How long do you have? :)

Most BBS are connected using the internet these days and mostly run for fun,
nostalgic and curiosity reasons by former and new sysops. Most systems don't
enjoy the caller numbers of the heyday 1990s but rather are largely used by
the sysop to engage in message networks and the BBS community that exists in
2018.

I was a former sysop in my 20s in the 1990s and got back in to it around
2013. What I have found is that the scene is again growing, mostly due to
nostalgia, but also out of a desire to escape big-brother social media e.g
Facebook.


Being able to send messages by ham radio is useful in disasters as well 
as nostalgic.  I just don't know what people are doing these days.



People also like the simple UI for reading messages etc.

As to the how... well, messages / files etc. are now largely sent via the
internet not POTS (plain old telephone) and BinkP is a popular protocol using
port 24554.

BBS software is still under active development by a few authors who have kept
their offerings in step with 2018. So I use Mystic BBS (mysticbbs.com) and
you will see it offers a bunch of services and runs on Linux, Windows,
Raspberry Pi. I also run a message network called fsxNet (fun, simple,
experimental network) that has nodes in USA, New Zealand, Europe, Asia etc.
you can find out more by heading to bbs.nz or download an infopack at
bbs.nz/fsxnet.zip. Lastly info about setting up Mystic can be found on a
YouTube channel I set up called Mystic Guy (there ends the sales pitch :))

Other developers of BBS software active in 2018 include Synchronet BBS, now
offerings including Magicka BBS, Enigma1/2 BBS... and WWIV is still about too.

Hope that helps, perhaps intrigues you further. I'm happy to answer any
questions and/or offer support to folks interested in this stuff. Python is
being added to Mystic as a scripting tool by the author at the moment so this
newsgroup / mail list is of interest to a bunch of folks :)

Best, Paul




--
Terry Jan Reedy

--
https://mail.python.org/mailman/listinfo/python-list


Re: Should nested classes in an Enum be Enum members?

2018-06-28 Thread Ben Finney
Ethan Furman  writes:

> On 06/28/2018 05:58 PM, Ben Finney wrote:
>
> > So I remain dumbfounded as to why anyone would want a class to *both* be
> > an enumerated type, *and* have callable attributes in its API.
>
> Perhaps I am using Enum incorrectly, but here is my FederalHoliday
> Enum. […]

Thanks for the example. Yes, my personal impression is that class
is not a good use of enum.Enum (nor enum.AutoEnum).

To inherit from enum.Enum (or enum.AutoEnum) signals, to my mind, that
the class is not really intended as a typical Python class, but instead
is intended to be that special beast known as an “enumerated type” which
has little behaviour other than being a namespace for constant values.

Adding all that other stuff just makes it quite unclear what the class
means any more.

-- 
 \ “Pinky, are you pondering what I'm pondering?” “I think so, |
  `\ Brain, but me and Pippi Longstocking — I mean, what would the |
_o__)  children look like?” —_Pinky and The Brain_ |
Ben Finney

-- 
https://mail.python.org/mailman/listinfo/python-list


Re: Should nested classes in an Enum be Enum members?

2018-06-28 Thread Ethan Furman

On 06/28/2018 05:58 PM, Ben Finney wrote:


So I remain dumbfounded as to why anyone would want a class to *both* be
an enumerated type, *and* have callable attributes in its API.


Perhaps I am using Enum incorrectly, but here is my FederalHoliday Enum.  Note that date(), next_business_day, and 
year() are all callables.  The AutoEnum parent assigns values from 1 to n for each member.  It's at Stackoverflow [1] if 
you'd like up- or down-vote it.  ;)


---

class FederalHoliday(AutoEnum):
NewYear = "First day of the year.", 'absolute', Month.JANUARY, 1
MartinLutherKingJr = "Birth of Civil Rights leader.", 'relative', 
Month.JANUARY, Weekday.MONDAY, 3
President = "Birth of George Washington", 'relative', Month.FEBRUARY, 
Weekday.MONDAY, 3
Memorial = "Memory of fallen soldiers", 'relative', Month.MAY, 
Weekday.MONDAY, 5
Independence = "Declaration of Independence", 'absolute', Month.JULY, 4
Labor = "American Labor Movement", 'relative', Month.SEPTEMBER, 
Weekday.MONDAY, 1
Columbus = "Americas discovered", 'relative', Month.OCTOBER, 
Weekday.MONDAY, 2
Veterans = "Recognition of Armed Forces service", 'relative', 
Month.NOVEMBER, 11, 1
Thanksgiving = "Day of Thanks", 'relative', Month.NOVEMBER, 
Weekday.THURSDAY, 4
Christmas = "Birth of Jesus Christ", 'absolute', Month.DECEMBER, 25

def __init__(self, doc, type, month, day, occurance=None):
self.__doc__ = doc
self.type = type
self.month = month
self.day = day
self.occurance = occurance

def date(self, year):
"returns the observed date of the holiday for `year`"
if self.type == 'absolute' or isinstance(self.day, int):
holiday =  Date(year, self.month, self.day)
if Weekday(holiday.isoweekday()) is Weekday.SUNDAY:
holiday = holiday.replace(delta_day=1)
return holiday
days_in_month = days_per_month(year)
target_end = self.occurance * 7 + 1
if target_end > days_in_month[self.month]:
target_end = days_in_month[self.month]
target_start = target_end - 7
target_week = list(xrange(start=Date(year, self.month, target_start), 
step=one_day, count=7))
for holiday in target_week:
if Weekday(holiday.isoweekday()) is self.day:
return holiday

@classmethod
def next_business_day(cls, date, days=1):
"""
Return the next `days` business day from date.
"""
holidays = cls.year(date.year)
years = set([date.year])
while days > 0:
date = date.replace(delta_day=1)
if date.year not in years:
holidays.extend(cls.year(date.year))
years.add(date.year)
if Weekday(date.isoweekday()) in (Weekday.SATURDAY, Weekday.SUNDAY) 
or date in holidays:
continue
days -= 1
return date

@classmethod
def year(cls, year):
"""
Return a list of the actual FederalHoliday dates for `year`.
"""
holidays = []
for fh in cls:
holidays.append(fh.date(year))
return holidays

--
~Ethan~


[1] https://stackoverflow.com/a/22594360/208880
--
https://mail.python.org/mailman/listinfo/python-list


Re: [OT] Why are BBSes? [was Where's the junk coming from?]

2018-06-28 Thread Avon
On 06/28/18, Grant Edwards pondered and said...
 
 GE> OK, I've got to ask...
 GE> Why are there still BBSes?
 GE> 
 GE> Who even has a modem these days?  [OK, I'll admit my 11 year old
 GE> Thinkpad T500 has a built-in POTS modem, but it's never been used.]

Hi Grant.

How long do you have? :)

Most BBS are connected using the internet these days and mostly run for fun,
nostalgic and curiosity reasons by former and new sysops. Most systems don't
enjoy the caller numbers of the heyday 1990s but rather are largely used by
the sysop to engage in message networks and the BBS community that exists in
2018.

I was a former sysop in my 20s in the 1990s and got back in to it around
2013. What I have found is that the scene is again growing, mostly due to
nostalgia, but also out of a desire to escape big-brother social media e.g
Facebook.

People also like the simple UI for reading messages etc.

As to the how... well, messages / files etc. are now largely sent via the
internet not POTS (plain old telephone) and BinkP is a popular protocol using
port 24554.

BBS software is still under active development by a few authors who have kept
their offerings in step with 2018. So I use Mystic BBS (mysticbbs.com) and
you will see it offers a bunch of services and runs on Linux, Windows,
Raspberry Pi. I also run a message network called fsxNet (fun, simple,
experimental network) that has nodes in USA, New Zealand, Europe, Asia etc.
you can find out more by heading to bbs.nz or download an infopack at
bbs.nz/fsxnet.zip. Lastly info about setting up Mystic can be found on a
YouTube channel I set up called Mystic Guy (there ends the sales pitch :))

Other developers of BBS software active in 2018 include Synchronet BBS, now
offerings including Magicka BBS, Enigma1/2 BBS... and WWIV is still about too.

Hope that helps, perhaps intrigues you further. I'm happy to answer any
questions and/or offer support to folks interested in this stuff. Python is
being added to Mystic as a scripting tool by the author at the moment so this
newsgroup / mail list is of interest to a bunch of folks :)

Best, Paul

-- 
https://mail.python.org/mailman/listinfo/python-list


Re: Where's the junk coming from?

2018-06-28 Thread Avon
On 06/28/18, Tim Golden pondered and said...
 
 TG> (Wearing my List Moderator hat)
 TG> 
 TG> Thanks very much for addressing this for us, and to Cameron and others
 TG> who did the detective work. I admit I assumed at first it was some kind
 TG> of odd attack perhaps related to a dissatisfied poster so I'm glad it
 TG> was a misconfiguration issue.

Hi Tim.

You're most welcome. I try to jump on anything amiss as soon as I know about
it. At the time of posting this reply I have not re-linked the node with the
issue to my NNTP server but will likely do so in a few more days time. I just
want to give him some time to sort his end out first :)

Best wishes from New Zealand

Cheers, Paul.

-- 
https://mail.python.org/mailman/listinfo/python-list


Re: Should nested classes in an Enum be Enum members?

2018-06-28 Thread Steven D'Aprano
On Thu, 28 Jun 2018 20:34:58 +1000, Ben Finney wrote:

> Ethan Furman  writes:
> 
>> Consider the following Enum definition:
>>
>>   class Color(Enum):
>>   RED = 1
>>   GREEN = 2
>>   BLUE = 3
>>   @property
>>   def lower(self):
>>   return self.name.lower()
>>   def spam(self):
>>   return "I like %s eggs and spam!" % self.lower
>>   class SomeClass:
>>   pass
> 
> That dumbfounds my intuitions.
> 
> Specifically, I can't make sense of why someone would want to have a
> class that is simultaneously behaving as an enumerated type, *and* has
> an API of custom callable attributes.


The PEP gives an example of enumerated members that themselves have 
methods.

https://www.python.org/dev/peps/pep-0435/


There was another example somewhere (I don't remember where) of an 
enumeration of the planets, where planets can have attributes and methods:

Planet.MARS.mass
Planet.JUPITER.moons()


which is no more weird than this:

class Planet(Enum):
MARS = "the red planet"

Planet.MARS.upper()


-- 
Steven D'Aprano
"Ever since I learned about confirmation bias, I've been seeing
it everywhere." -- Jon Ronson

-- 
https://mail.python.org/mailman/listinfo/python-list


Re: EXTERNAL: OSError: [Errno 48] Address already in use

2018-06-28 Thread Dan Stromberg
On Thu, Jun 28, 2018 at 1:27 PM, Marko Rauhamaa  wrote:

> Dan Stromberg :
> > On Wed, Jun 27, 2018 at 10:31 PM, Marko Rauhamaa 
> wrote:
> >> Dan Stromberg :
> >> >> > The problem can be solved by turning on the SO_REUSEADDR flag of
> >> >> > the socket.
> >> > BTW, it's a security feature you're turning off. If you're on a
> >> > multiuser box, it prevents a second user from stealing lingering
> >> > connections from a first user on the same port.
> >>
> >> Can you provide a brief proof of concept?
> >>
> > https://stackoverflow.com/questions/19960475/problems-
> related-to-so-reuseaddr
>
> I'm sorry but I couldn't find a working example behind the link. Could
> you demonstrate the problem with a few lines of Python.

It's more practical to use English:

Start an echo server process P that listens on tcp/.

Initiate a connection from a client machine to process P at tcp/. It
works as expected.

Kill P.

Initiate a connection from a client machine to process P at tcp/.  It
gives a connection refused as expected.

If someone else comes along soon after and starts a different echo server
process Q at tcp/ on the same server, it starts up immediately if P
used SO_REUSEADDR.

Then initiate a connection from the same (or different) client machine to
process P (which no longer exists).  Q gets the data intended for P.

Naturally, for an echo server, we're just illustrating. But if it were a
daemon that supports password-based authentication, it could be a problem.

As security issues go, it's not the most severe one you'll ever see.  It
pretty much assumes there are people on your server who you don't trust.

This is not Python-specific.

That's about all I have the patience for.  I'm not sure I'm going to write
a few programs to demonstrate the issue.  It's really not a "few lines of
python".
-- 
https://mail.python.org/mailman/listinfo/python-list


Re: Should nested classes in an Enum be Enum members?

2018-06-28 Thread Steven D'Aprano
On Thu, 28 Jun 2018 08:36:47 -0700, Ethan Furman wrote:

>>> Answer:
>>>
>>> - RED, GREEN, and BLUE are members
>>> - lower and spam() are not
>>> - SomeClass /is/ a member (but not its instances)
>>
>> Is that by accident or by design?
> 
> By design.  It is entirely possible to want an enum of types (int,
> float, str, etc.).

Seems strange to me. Why enum of types but not an enum of functions or 
methods?

Perhaps you could have had an explicit decorator?


class Colours(Enum):
RED = 1

class Spam(object):
pass

@Enum.member
class Eggs(object):
pass


Colours.Eggs will be an enum member, Spam will not be.

But I suppose backwards compatibility rules that out.



>> class Colour(Enum):
>>  class PrimaryColour(Enum):
>>  RED = 1
>>  GREEN = 2
>>  BLUE = 3
>>  OCTARINE = 8
>>  class SecondaryColour(Enum):
>>  PUCE = 101
>>  MAUVE = 102
>>  BEIGE = 103
>>  TEAL = 104
> 
> This really seems to be the sticking point -- what should an Enum of
> Enums look like?  For example, should the above do
> 
>--> list(Colour)
>[Colour.PrimaryColour <...>, Colour.SecondaryColour <...>]
> 
> or something else?

I would expect the inner classes to disappear:

[Colour.RED, Colour.GREEN, ... Colour.PUCE, ... ]

unless I explicitly inspect their types:

type(Colour.RED)
=> returns Colour.PrimaryColour


But maybe there's another way to get that same effect?

# ???
class PrimaryColour(Enum):
RED = 1
...
class SecondaryColour(Enum):
...

Colour = PrimaryColour + SecondaryColour




-- 
Steven D'Aprano
"Ever since I learned about confirmation bias, I've been seeing
it everywhere." -- Jon Ronson

-- 
https://mail.python.org/mailman/listinfo/python-list


Re: Should nested classes in an Enum be Enum members?

2018-06-28 Thread Ben Finney
Ian Kelly  writes:

> On Thu, Jun 28, 2018 at 4:38 AM Ben Finney  wrote:
> >
> > Ethan Furman  writes:
> >
> > Specifically, I can't make sense of why someone would want to have a
> > class that is simultaneously behaving as an enumerated type, *and*
> > has an API of custom callable attributes.
>
> You don't see value in enum members having properties?

Is a Python property a callable attribute?

>>> class Lorem:
... @property
... def spam(self):
... print(self)
... 
>>> foo = Lorem()
>>> foo.spam()
<__main__.Lorem object at 0x7ff5078bc710>
Traceback (most recent call last):
  File "", line 1, in 
TypeError: 'NoneType' object is not callable

It seems that no, a property is not a callable attribute.

So I remain dumbfounded as to why anyone would want a class to *both* be
an enumerated type, *and* have callable attributes in its API.

-- 
 \  “It's dangerous to be right when the government is wrong.” |
  `\   —Francois Marie Arouet Voltaire |
_o__)  |
Ben Finney

-- 
https://mail.python.org/mailman/listinfo/python-list


Re: I lost nearly all my modules installing 3.7

2018-06-28 Thread Terry Reedy

On 6/28/2018 6:45 PM, Elliott Roper wrote:

On 28 Jun 2018, Terry Reedy wrote



There is a pip command for making an editable file of installed
packages. Run that in 3.6, perhaps after updating everything.


There is another pip command for using that file to install everything
listed. Run that in 3.7.


I can't see the pip commands you mention for writing a file from 3.6

 and

reading it back for 3.7
Is it pip freeze -r   followed by pip install -r? If so, what is
meant by 'the given requirements file' in the freeze options?


'pip freeze' sends the requirements list to stdout in alphabetical 
order.  You redirect or copy-paste to a file.  I have not done this, but 
apparently -r  uses file as a template for selecting and ordering 
the requirements.  I presume pip will ignore any versions in the 
template and list the actual installed versions.


I believe you got the install right.


When I look inside site-packages in ~/Library (see below) I see many packages
that pip lists, but by no means all. F'instance numpy and scipy. They can be
found in /Library's site-packages however.




My understanding is that the whole $PATH is searched in order to resolve an
import, but it isn't.


The OS searches the OS path, which you listed above.
Python searches its sys.path, which it creates when started.
Run >>>  import sys; sys.path to see the contents.
Unless macOS is more different than I think, you should see a 3.7
site-packages when running 3.7.


Aha! That is most helpful

Python 3.7.0 (v3.7.0:1bf9cc5093, Jun 26 2018, 23:26:24)
[Clang 6.0 (clang-600.0.57)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
(python prompt)>>>  import sys
.>>>sys.path
['', '/Library/Frameworks/Python.framework/Versions/3.7/lib/python37.zip', #
no such file


sys.path included directories that might be present.  In this case, a 
zipped version of the stdlib.



'/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7', # 207
items, none matching pip intstallable modules
'/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/lib-
dynload',# 69 items, none matching pip installable modules
'/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/site-
packages'] # just pip and setuptools are in here
.>>>  ^D


site-packages is the default for 3rd parth packages.  It can have .pth 
files that extend the directory to effectively include other directories.



EiPro:~ elliott$ python3.6
Python 3.6.5 (v3.6.5:f59c0932b4, Mar 28 2018, 05:52:31)
[GCC 4.2.1 Compatible Apple LLVM 6.0 (clang-600.0.57)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
.>>>  import sys
(python prompt)>>>  sys.path
['', '/Library/Frameworks/Python.framework/Versions/3.6/lib/python36.zip', #
no such file
'/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6', # 207
items, none matching pip intstallable modules
'/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/lib-
dynload',# 65 items, none matching pip installable modules
'/Users/elliott/Library/Python/3.6/lib/python/site-packages', # 103 items
some matching items that appear in pip3.6 list
'/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/site-
packages'] # numpy, scipy, pandas etc. are here. These might have been
modules I needed sudo -H to update
.>>>

What I did not make clear that my 'elliott' user is not an Administrator. If
I log into my admin account (which I hardly ever do), it thinks my Python3 is
3.7, list there also shows the hugely abbreviated collection of modules
namely pip and setuptools. pip list shows a list of modules so old as to be
unrecognisable.


I expect the system install to be 2.7, python3 link to 3.7 either 
because that is the most recent 3x installed or the most recent version.



It looks like I have a tangled mess. Is there a way of getting rid of all the
pythons except Apple's museum piece and starting again? It is a hobby for me.
I have no need for backward compatibility. I think if I could install 3.7
site wide from my non-admin account, I would be happiest. The standard
install pretty much worked up to 3.6
pip
Would it be safe to delete everything on python's sys.path and re-install
from the download .pkg


I suspect you can get rid of 3.6, 3.5, 3.4, but I am not a Mac user.  I 
hope someone who is answers.


--
Terry Jan Reedy

--
https://mail.python.org/mailman/listinfo/python-list


Re: EXTERNAL: OSError: [Errno 48] Address already in use

2018-06-28 Thread Steven D'Aprano
On Thu, 28 Jun 2018 23:27:38 +0300, Marko Rauhamaa wrote:

> Dan Stromberg :
>> On Wed, Jun 27, 2018 at 10:31 PM, Marko Rauhamaa 
>> wrote:
>>> Dan Stromberg :
>>> >> > The problem can be solved by turning on the SO_REUSEADDR flag of
>>> >> > the socket.
>>> > BTW, it's a security feature you're turning off. If you're on a
>>> > multiuser box, it prevents a second user from stealing lingering
>>> > connections from a first user on the same port.
>>>
>>> Can you provide a brief proof of concept?
>>>
>> https://stackoverflow.com/questions/19960475/problems-related-to-so-
reuseaddr
> 
> I'm sorry but I couldn't find a working example behind the link. Could
> you demonstrate the problem with a few lines of Python.

Do you think attackers are limited to a few lines of Python?

If you are asking from academic curiosity, limited by care factor ("I 
care about this enough to read a few lines of Python but not 100 lines or 
20 lines of C...") that's fair enough.

But if you're trying to express skepticism that this is a genuine 
concern, then "a few lines of Python" is an unreasonable limitation.




-- 
Steven D'Aprano
"Ever since I learned about confirmation bias, I've been seeing
it everywhere." -- Jon Ronson

-- 
https://mail.python.org/mailman/listinfo/python-list


Re: configparser v/s file variables

2018-06-28 Thread Jim Lee



On 06/28/18 16:44, Steven D'Aprano wrote:



I agree with you that it's a bad idea.

Aside from the little fact that you described concerns about using Python
code for settings as "silly".



Umm, no.  I said that worrying about arbitrary code execution in an 
interpreted language seemed silly.  Please be more accurate in your 
paraphrases.




Data validation is a red herring: it is no more or less necessary to
validate user settings regardless of their source. Whether they come from
reading an INI file or from importing a Python file, you still need to
check that they have valid values.


You are making a strawman argument, since you are (again) 
misrepresenting what I said.  Therefore, I will give you no more 
opportunities.


-Jim

--
https://mail.python.org/mailman/listinfo/python-list


Re: configparser v/s file variables

2018-06-28 Thread Steven D'Aprano
On Thu, 28 Jun 2018 10:58:36 -0700, Jim Lee wrote:

> On 06/28/18 07:30, Grant Edwards wrote:
>> I still maintain it's a bad idea to run arbitrary code found in
>> user-edited config files.
>>
>> There may be cases where somebody has figured out how to muck with a
>> config file that's shared among multiple users, or has tricked somebody
>> into including something from an untrusted source in an include file.
>>
>> Or there could be users who don't know what they're doing and
>> unwittingly type something harmful into a config file:
>>
>>bad_command = os.system("rm -rf ~/*")
>>
>> Yes, I know, users would never be that dumb...
>>
> I agree with you that it's a bad idea.

Aside from the little fact that you described concerns about using Python 
code for settings as "silly".


> I was pointing out that I look
> at it from an input validation viewpoint rather than a security
> viewpoint - that's all.

You have made it abundantly clear that you aren't thinking about security.


> Absolute security isn't a solvable problem.  It isn't even a technical
> problem.  But that's a discussion for another time...


Nobody is talking about "absolute security".

We're talking about *one* aspect of security: given the need to collect 
user-supplied settings, is it acceptable to get the settings from 
executable Python code?

Data validation is a red herring: it is no more or less necessary to 
validate user settings regardless of their source. Whether they come from 
reading an INI file or from importing a Python file, you still need to 
check that they have valid values.




-- 
Steven D'Aprano
"Ever since I learned about confirmation bias, I've been seeing
it everywhere." -- Jon Ronson

-- 
https://mail.python.org/mailman/listinfo/python-list


Re: I lost nearly all my modules installing 3.7

2018-06-28 Thread Elliott Roper
On 28 Jun 2018, Terry Reedy wrote
(in article):

> On 6/28/2018 1:08 PM, Elliott Roper wrote:
> > I have done something stupid. Don't know what.
>
> It appears that you ran 3.7 expecting that modules installed for 3.6
> would magically be available for 3.7.
Yes indeed. It worked for 3.4, 3.5, and 3.6
>
>
> There is a pip command for making an editable file of installed
> packages. Run that in 3.6, perhaps after updating everything.
>
>
> There is another pip command for using that file to install everything
> listed. Run that in 3.7.

I can't see the pip commands you mention for writing a file from 3.6 and 
reading it back for 3.7
Is it pip freeze -r   followed by pip install -r? If so, what is 
meant by 'the given requirements file' in the freeze options?
>
>
> > My $PATH looks like this
> > XXXMac:~ elliott$ echo $PATH
> > /Library/Frameworks/Python.framework/Versions/3.7/bin:/Library/Frameworks/Py
> > th
> > on.framework/Versions/3.6/bin:/Library/Frameworks/Python.framework/Versions/
> > 3.
> > 5/bin:/Library/Frameworks/Python.framework/Versions/3.4/bin:/Users/elliott/b
> > in
> > > /usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/Library/TeX/texbin:/usr/local
> > > /MacGPG2/bin:/Applications/Wireshark.app/Contents/MacOS:/usr/local/git/bin
> >
> > pip3 list or pip3.7 list gives me
> > Package Version
> > -- ---
> > pip 10.0.1
> > setuptools 39.0.1
>
> This is the content of the 3.7 site-packages.
>
> > > > > import numpy as np
> > Traceback (most recent call last):
> > File "", line 1, in 
> > ModuleNotFoundError: No module named 'numpy'
> > So it is not lying to me!!!
> >
> > pip list or pip3.6 list
> > gives the whole caboodle I was expecting with a far smaller version number
> > for setuptools.
>
> The content of the 3.6 site-packages directory.

When I look inside site-packages in ~/Library (see below) I see many packages 
that pip lists, but by no means all. F'instance numpy and scipy. They can be 
found in /Library's site-packages however.
>
>
> > My understanding is that the whole $PATH is searched in order to resolve an
> > import, but it isn't.
>
> The OS searches the OS path, which you listed above.
> Python searches its sys.path, which it creates when started.
> Run >>>  import sys; sys.path to see the contents.
> Unless macOS is more different than I think, you should see a 3.7
> site-packages when running 3.7.

Aha! That is most helpful

Python 3.7.0 (v3.7.0:1bf9cc5093, Jun 26 2018, 23:26:24)
[Clang 6.0 (clang-600.0.57)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
(python prompt)>>>  import sys
.>>>sys.path
['', '/Library/Frameworks/Python.framework/Versions/3.7/lib/python37.zip', # 
no such file 
'/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7', # 207 
items, none matching pip intstallable modules 
'/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/lib-
dynload',# 69 items, none matching pip installable modules
'/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/site-
packages'] # just pip and setuptools are in here
.>>>  ^D

EiPro:~ elliott$ python3.6
Python 3.6.5 (v3.6.5:f59c0932b4, Mar 28 2018, 05:52:31)
[GCC 4.2.1 Compatible Apple LLVM 6.0 (clang-600.0.57)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
.>>>  import sys
(python prompt)>>>  sys.path
['', '/Library/Frameworks/Python.framework/Versions/3.6/lib/python36.zip', # 
no such file 
'/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6', # 207 
items, none matching pip intstallable modules 
'/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/lib-
dynload',# 65 items, none matching pip installable modules
'/Users/elliott/Library/Python/3.6/lib/python/site-packages', # 103 items 
some matching items that appear in pip3.6 list 
'/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/site-
packages'] # numpy, scipy, pandas etc. are here. These might have been 
modules I needed sudo -H to update
.>>>

What I did not make clear that my 'elliott' user is not an Administrator. If 
I log into my admin account (which I hardly ever do), it thinks my Python3 is 
3.7, list there also shows the hugely abbreviated collection of modules 
namely pip and setuptools. pip list shows a list of modules so old as to be 
unrecognisable.

It looks like I have a tangled mess. Is there a way of getting rid of all the 
pythons except Apple's museum piece and starting again? It is a hobby for me. 
I have no need for backward compatibility. I think if I could install 3.7 
site wide from my non-admin account, I would be happiest. The standard 
install pretty much worked up to 3.6
pip
Would it be safe to delete everything on python's sys.path and re-install 
from the download .pkg
>
>
> > It might be relevant that I have had a bit of hassle installing module
> > updates in the past. I would get an error saying the module version being
> > replaced could not be deleted with permissions errors which I resolve

Re: [OT] Why are BBSes? [was Where's the junk coming from?]

2018-06-28 Thread Jim Lee



On 06/28/18 11:45, Grant Edwards wrote:

On 2018-06-28, Jim Lee  wrote:


On 06/28/18 07:34, Grant Edwards wrote:

OK, I've got to ask...

Why are there still BBSes?

Who even has a modem these days?  [OK, I'll admit my 11 year old
Thinkpad T500 has a built-in POTS modem, but it's never been used.]


BBS's are most often connected to via telnet these days.  There are
still hundreds (if not thousands) of them.

Interesting.  In my exerience a BBS was just a poor substitute for an
FTP site, a mailing list and Usenet.

I'm a little baffled as to what "added value" they provide these days,
but people are probably equally baffled why I choose to participate in
mailing lists via a text-mode NNTP client rather that some
pointy-clicky app or website.

Added value?  BBS, Usenet, IRC, Twitter, whatever - they're all just 
forms of communication.


BBS's were around before ARPANET became the Internet - before ftp, 
usenet, http, and personal computers.  I first started using them in 
1976-77 (with a 300 baud modem and a VT-52 terminal), and ran my own in 
the 80's and 90's - first on a PDP-11/23, then a Commodore 64 and later 
on an Amiga.  Some people like to keep that tradition alive.


-Jim

--
https://mail.python.org/mailman/listinfo/python-list


[ANN] PyYAML-4.1: ***RETRACTED***

2018-06-28 Thread Ingy dot Net
I am sorry to report that the PyYAML-4.1 release from 48 hours ago has been
removed from PyPI

There were too many problems to make this a viable release.

The biggest known issue with this retraction is that PyYAML will not work
with the new Python 3.7  until PyYAML-4.2 is released.
https://github.com/yaml/pyyaml/issues/126#issuecomment-401175258

We are starting work immediately on 4.2b1 prerelease series. I hope to see
4.2 released in the next few days.

Work is being coordinated on #pyyaml on irc.freenode.net and issues can be
reported and followed at https://github.com/yaml/pyyaml

Thank you for your patience.
-- 
https://mail.python.org/mailman/listinfo/python-list


Re: EXTERNAL: OSError: [Errno 48] Address already in use

2018-06-28 Thread Marko Rauhamaa
Dan Stromberg :
> On Wed, Jun 27, 2018 at 10:31 PM, Marko Rauhamaa  wrote:
>> Dan Stromberg :
>> >> > The problem can be solved by turning on the SO_REUSEADDR flag of
>> >> > the socket.
>> > BTW, it's a security feature you're turning off. If you're on a
>> > multiuser box, it prevents a second user from stealing lingering
>> > connections from a first user on the same port.
>>
>> Can you provide a brief proof of concept?
>>
> https://stackoverflow.com/questions/19960475/problems-related-to-so-reuseaddr

I'm sorry but I couldn't find a working example behind the link. Could
you demonstrate the problem with a few lines of Python.


Marko
-- 
https://mail.python.org/mailman/listinfo/python-list


Re: EXTERNAL: OSError: [Errno 48] Address already in use

2018-06-28 Thread Dan Stromberg
On Wed, Jun 27, 2018 at 10:31 PM, Marko Rauhamaa  wrote:

> Dan Stromberg :
> >> > The problem can be solved by turning on the SO_REUSEADDR flag of
> >> > the socket.
> > BTW, it's a security feature you're turning off. If you're on a
> > multiuser box, it prevents a second user from stealing lingering
> > connections from a first user on the same port.
>
> Can you provide a brief proof of concept?
>
https://stackoverflow.com/questions/19960475/problems-related-to-so-reuseaddr
-- 
https://mail.python.org/mailman/listinfo/python-list


Re: OSError: [Errno 48] Address already in use

2018-06-28 Thread Dan Stromberg
On Wed, Jun 27, 2018 at 8:49 AM, T Berger  wrote:

> Why am I getting this error? I'm not sure what additional information I
> need to supply, so please let me know.


AIUI, there are 2 possible causes.  You either have some other process
listening on the requested port, or a process that Was using it no longer
is but not enough time has passed yet for the kernel to decide that the
port can safely be reused.

The former keeps two processes from trying to get data from the same port
at the same time, which could be confusing.

The latter is a security feature.  It keeps person A from starting an imap
server on port tcp/, and having person B come along and start a fake,
password-stealing imap server on the same port shortly after person A
terminates theirs (for example). There would otherwise be a window of time
during which B's imap daemon could steal passwords intended for A's imap
daemon, because remote imap clients wouldn't know about the switcheroo.
Note that even if A come back and starts their imap daemon immediately
after a crash, the kernel doesn't know if that is a legitimate or
illegitemate imap daemon, so that is blocked for a while too.

You can check if something else is listening on that port with
http://stromberg.dnsalias.org/~strombrg/What-program-is-active-on-that-port.html
(Linux and Solaris - there will likely be similar tools for other OS's).

You can eliminate the waiting period with SO_REUSEADDR (but if you have
something else listening on that port, then don't!). Example:
http://stromberg.dnsalias.org/~strombrg/max-tcp-window.html

HTH.
-- 
https://mail.python.org/mailman/listinfo/python-list


Re: [OT] Why are BBSes? [was Where's the junk coming from?]

2018-06-28 Thread Grant Edwards
On 2018-06-28, Jim Lee  wrote:
>
>
> On 06/28/18 07:34, Grant Edwards wrote:
>> OK, I've got to ask...
>>
>> Why are there still BBSes?
>>
>> Who even has a modem these days?  [OK, I'll admit my 11 year old
>> Thinkpad T500 has a built-in POTS modem, but it's never been used.]
>>
> BBS's are most often connected to via telnet these days.  There are 
> still hundreds (if not thousands) of them.

Interesting.  In my exerience a BBS was just a poor substitute for an
FTP site, a mailing list and Usenet.

I'm a little baffled as to what "added value" they provide these days,
but people are probably equally baffled why I choose to participate in
mailing lists via a text-mode NNTP client rather that some
pointy-clicky app or website.

-- 
Grant Edwards   grant.b.edwardsYow! Used staples are good
  at   with SOY SAUCE!
  gmail.com

-- 
https://mail.python.org/mailman/listinfo/python-list


Re: configparser v/s file variables

2018-06-28 Thread Jim Lee



On 06/28/18 07:30, Grant Edwards wrote:

I still maintain it's a bad idea to run arbitrary code found in
user-edited config files.

There may be cases where somebody has figured out how to muck with a
config file that's shared among multiple users, or has tricked
somebody into including something from an untrusted source in an
include file.

Or there could be users who don't know what they're doing and
unwittingly type something harmful into a config file:

   bad_command = os.system("rm -rf ~/*")

Yes, I know, users would never be that dumb...

I agree with you that it's a bad idea.  I was pointing out that I look 
at it from an input validation viewpoint rather than a security 
viewpoint - that's all.


Absolute security isn't a solvable problem.  It isn't even a technical 
problem.  But that's a discussion for another time...


-Jim

--
https://mail.python.org/mailman/listinfo/python-list


Re: [OT] Why are BBSes? [was Where's the junk coming from?]

2018-06-28 Thread Jim Lee



On 06/28/18 07:34, Grant Edwards wrote:

OK, I've got to ask...

Why are there still BBSes?

Who even has a modem these days?  [OK, I'll admit my 11 year old
Thinkpad T500 has a built-in POTS modem, but it's never been used.]

BBS's are most often connected to via telnet these days.  There are 
still hundreds (if not thousands) of them.


-Jim
--
https://mail.python.org/mailman/listinfo/python-list


Re: configparser v/s file variables

2018-06-28 Thread Jim Lee



On 06/28/18 00:46, Steven D'Aprano wrote:


Yes, attacks by trusted insiders are the hardest to defend against.
Betrayal of trust sucks. Trusted users with sufficient privileges could
just modify the source code of your application or of Python itself. They
could also attack your system in a thousand different ways.

But what about untrusted users with fewer privileges? They *can't* modify
the source code of your application, or change the password on other
accounts, or read arbitrary files, or masquerade as other users. Because
they have unprivileged accounts.

So why give them the ability to escalate their privilege to that of your
application (which probably can do lots of things they can't do) by
directly executing Python code they supply?


???  I don't follow.  I never suggested allowing someone the ability to 
directly execute user-supplied Python code.  However, if they have the 
privileges necessary to run the application, I don't see the security 
risk.  Many applications have embedded scripting engines that do just that.



Your argument is akin to:

"I gave my partner a key to my house, and they could rob me blind if they
want. Since I trust them not to, there's no point in locking the door to
the house when I go out, since they have a key."



Not exactly.  The original question was about reading config variables 
from a file in Python.  That sort of thing didn't suggest (to me) a 
world-facing web app or other security-conscious situation.


It's more like leaving the door unlocked while I'm home...

-Jim

--
https://mail.python.org/mailman/listinfo/python-list


Re: I lost nearly all my modules installing 3.7

2018-06-28 Thread Terry Reedy

On 6/28/2018 1:08 PM, Elliott Roper wrote:

I have done something stupid. Don't know what.


It appears that you ran 3.7 expecting that modules installed for 3.6 
would magically be available for 3.7.


There is a pip command for making an editable file of installed 
packages.  Run that in 3.6, perhaps after updating everything.


There is another pip command for using that file to install everything 
listed.  Run that in 3.7.



My $PATH looks like this
XXXMac:~ elliott$ echo $PATH
/Library/Frameworks/Python.framework/Versions/3.7/bin:/Library/Frameworks/Pyth
on.framework/Versions/3.6/bin:/Library/Frameworks/Python.framework/Versions/3.
5/bin:/Library/Frameworks/Python.framework/Versions/3.4/bin:/Users/elliott/bin
:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/Library/TeX/texbin:/usr/local/MacGPG2/bin:/Applications/Wireshark.app/Contents/MacOS:/usr/local/git/bin

pip3 list or pip3.7 list gives me
Package Version
-- ---
pip 10.0.1
setuptools 39.0.1


This is the content of the 3.7 site-packages.


import numpy as np

Traceback (most recent call last):
File "", line 1, in 
ModuleNotFoundError: No module named 'numpy'
So it is not lying to me!!!

pip list or pip3.6 list
gives the whole caboodle I was expecting with a far smaller version number
for setuptools.


The content of the 3.6 site-packages directory.


My understanding is that the whole $PATH is searched in order to resolve an
import, but it isn't.


The OS searches the OS path, which you listed above.
Python searches its sys.path, which it creates when started.
Run >>> import sys; sys.path to see the contents.
Unless macOS is more different than I think, you should see a 3.7 
site-packages when running 3.7.



It might be relevant that I have had a bit of hassle installing module
updates in the past. I would get an error saying the module version being
replaced could not be deleted with permissions errors which I resolved with a
bit of sudo -H.

Python 3.6 is still working properly when invoked explicitly




--
Terry Jan Reedy

--
https://mail.python.org/mailman/listinfo/python-list


Re: overlooked patch?

2018-06-28 Thread Terry Reedy
Yep.  We do not have enough people reviewing patches.  Perhaps you could 
do so with this one.


On 6/28/2018 12:02 PM, Marco Prosperi wrote:

hello, just to give evidence that there is a bug in python 3.6/3.7 for
which there is a patch prepared a long time ago but probably it has never
been applied because the status/stage of the bug is 'needs patch'.


This is really a secondary issue but I changed it, and requested a review.


https://bugs.python.org/issue29097



--
Terry Jan Reedy

--
https://mail.python.org/mailman/listinfo/python-list


I lost nearly all my modules installing 3.7

2018-06-28 Thread Elliott Roper
I have done something stupid. Don't know what.

My $PATH looks like this
XXXMac:~ elliott$ echo $PATH
/Library/Frameworks/Python.framework/Versions/3.7/bin:/Library/Frameworks/Pyth
on.framework/Versions/3.6/bin:/Library/Frameworks/Python.framework/Versions/3.
5/bin:/Library/Frameworks/Python.framework/Versions/3.4/bin:/Users/elliott/bin
:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/Library/TeX/texbin:/usr/local/MacGPG2/bin:/Applications/Wireshark.app/Contents/MacOS:/usr/local/git/bin

pip3 list or pip3.7 list gives me
Package Version
-- ---
pip 10.0.1
setuptools 39.0.1
> > > import numpy as np
Traceback (most recent call last):
File "", line 1, in 
ModuleNotFoundError: No module named 'numpy'
So it is not lying to me!!!

pip list or pip3.6 list
gives the whole caboodle I was expecting with a far smaller version number 
for setuptools.

My understanding is that the whole $PATH is searched in order to resolve an 
import, but it isn't.

It might be relevant that I have had a bit of hassle installing module 
updates in the past. I would get an error saying the module version being 
replaced could not be deleted with permissions errors which I resolved with a 
bit of sudo -H.

Python 3.6 is still working properly when invoked explicitly

-- 
To de-mung my e-mail address:- fsnospam$elliott$$ PGP Fingerprint: 1A96 3CF7 
637F 896B C810 E199 7E5C A9E4 8E59 E248

-- 
https://mail.python.org/mailman/listinfo/python-list


Re: Should nested classes in an Enum be Enum members?

2018-06-28 Thread Ian Kelly
On Thu, Jun 28, 2018 at 4:38 AM Ben Finney  wrote:
>
> Ethan Furman  writes:
>
> > Consider the following Enum definition:
> >
> >   class Color(Enum):
> >   RED = 1
> >   GREEN = 2
> >   BLUE = 3
> >   @property
> >   def lower(self):
> >   return self.name.lower()
> >   def spam(self):
> >   return "I like %s eggs and spam!" % self.lower
> >   class SomeClass:
> >   pass
>
> That dumbfounds my intuitions.
>
> Specifically, I can't make sense of why someone would want to have a
> class that is simultaneously behaving as an enumerated type, *and* has
> an API of custom callable attributes.

You don't see value in enum members having properties?
-- 
https://mail.python.org/mailman/listinfo/python-list


overlooked patch?

2018-06-28 Thread Marco Prosperi
hello, just to give evidence that there is a bug in python 3.6/3.7 for
which there is a patch prepared a long time ago but probably it has never
been applied because the status/stage of the bug is 'needs patch'.

https://bugs.python.org/issue29097

Marco
-- 
https://mail.python.org/mailman/listinfo/python-list


Re: Should nested classes in an Enum be Enum members?

2018-06-28 Thread Ethan Furman

On 06/28/2018 01:11 AM, Steven D'Aprano wrote:

On Wed, 27 Jun 2018 07:48:53 -0700, Ethan Furman wrote:


[Note:  there is a similar thread on Python-Ideas, if you would like to
respond there.]

Consider the following Enum definition:

class  Color(Enum):
RED = 1
GREEN = 2
BLUE = 3
@property
def lower(self):
return self.name.lower()
def spam(self):
return "I like %s eggs and spam!" % self.lower
class SomeClass:
pass

Which of the above Color attributes are enums, and which aren't?



(In hindsight perhaps you should have called the class EnumType so that
ambiguity would not exist. Then an enum would *always* refer to the
members Color.RED etc, and never to Color itself.)


The problem then is the ambiguity between EnumMeta and EnumType.  :/


Answer:

- RED, GREEN, and BLUE are members
- lower and spam() are not
- SomeClass /is/ a member (but not its instances)


Is that by accident or by design?


By design.  It is entirely possible to want an enum of types (int, float, str, 
etc.).



Question:

Should `SomeClass` be an enum member?  When would it be useful to
have an embedded class in an Enum be an enum member?


I honestly cannot think of any reason to nest a class inside of an Enum
class. But if I did, I would probably want it to be just a regular class,
and not an enum member.

If I wanted to nest an Enum class inside an Enum class (but why???) I'd
just inherit from Enum:

class Colour(Enum):
 class PrimaryColour(Enum):
 RED = 1
 GREEN = 2
 BLUE = 3
 OCTARINE = 8
 class SecondaryColour(Enum):
 PUCE = 101
 MAUVE = 102
 BEIGE = 103
 TEAL = 104


This really seems to be the sticking point -- what should an Enum of Enums look 
like?  For example, should the above do

  --> list(Colour)
  [Colour.PrimaryColour <...>, Colour.SecondaryColour <...>]

or something else?


The only example I have seen so far of nested classes in an Enum is when
folks want to make an Enum of Enums, and the nested Enum should not
itself be an enum member.  Since the counter-example already works I
haven't seen any requests for it.  ;)

So I'm asking the community:  What real-world examples can you offer for
either behavior?  Cases where nested classes should be enum members, and
cases where nested classes should not be members.


Is this a trick question?


Heh.  Not at all.  It is entirely possible to have a real use-case which we 
cannot model the way we want in code.

--
~Ethan~

--
https://mail.python.org/mailman/listinfo/python-list


[OT] Why are BBSes? [was Where's the junk coming from?]

2018-06-28 Thread Grant Edwards
On 2018-06-28, Kerr Avon  wrote:

> Yep confirming I found the issue lay with the sysop of a BBS that connects 
> to the gateway linked to news.bbs.nz

OK, I've got to ask...

Why are there still BBSes?

Who even has a modem these days?  [OK, I'll admit my 11 year old
Thinkpad T500 has a built-in POTS modem, but it's never been used.]

-- 
Grant Edwards   grant.b.edwardsYow! Vote for ME -- I'm
  at   well-tapered, half-cocked,
  gmail.comill-conceived and
   TAX-DEFERRED!

-- 
https://mail.python.org/mailman/listinfo/python-list


Re: configparser v/s file variables

2018-06-28 Thread Grant Edwards
On 2018-06-28, Steven D'Aprano  wrote:

> So why give them the ability to escalate their privilege to that of
> your application (which probably can do lots of things they can't
> do) by directly executing Python code they supply?

To be fair, that situation isn't common.  The vast majority of
applications run with the exact same set of privledges as the user who
invoked them.  At least that's the case on Linux/Unix. Perhaps Windows
apps are different and the usual case is for many applications to have
dangerous capabilities that an average user who's invoking them
shouldn't have.  That sounds stupid enough to be something that would
be normal for Windows.

I still maintain it's a bad idea to run arbitrary code found in
user-edited config files.

There may be cases where somebody has figured out how to muck with a
config file that's shared among multiple users, or has tricked
somebody into including something from an untrusted source in an
include file.

Or there could be users who don't know what they're doing and
unwittingly type something harmful into a config file:

  bad_command = os.system("rm -rf ~/*")

Yes, I know, users would never be that dumb...

-- 
Grant Edwards   grant.b.edwardsYow! Everybody gets free
  at   BORSCHT!
  gmail.com

-- 
https://mail.python.org/mailman/listinfo/python-list


Re: Something new which all programmers world wide will appreciate

2018-06-28 Thread Gene Heskett
On Thursday 28 June 2018 06:35:13 Alister via Python-list wrote:

> On Wed, 27 Jun 2018 14:30:15 -0700, Rob Gaddi wrote:
> > On 06/27/2018 02:14 PM, skybuck2...@hotmail.com wrote:
> >> Now I don't like the French much ! LOL.
> >>
> >> But this time they have invented something which will fill
> >> programmers with tears of joy ! =D
> >>
> >> http://www.euronews.com/2018/06/27/pizza-making-robot
> >>
> >> Hopefully this will lead to cheaper and delicious pizzas in the
> >> future ! ;) =D
> >>
> >> Bye,
> >>Skybuck.
> >
> > Or, you know, someone didn't bother putting limit checks in and a
> > time out of 20 the thing gets lost and starts putting the sauce
> > directly on the customer.
>
> as a diabetic the bread base puts them firmly on the bad list anyway
> :-(
>
+1 at least, from another DM-II.
>
> --
> "If it ain't broke, don't fix it."
> - Bert Lantz



-- 
Cheers, Gene Heskett
--
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page 
-- 
https://mail.python.org/mailman/listinfo/python-list


Re: Error Launching python 3.7.0

2018-06-28 Thread Mark Lawrence

On 28/06/18 10:14, ojas gupta wrote:

  I just downloaded and installed python 3.7.0 on my PC and whenever I tried
to launch the application it showed "error" saying python runtime dll
missing... and that too is happening despite i downloaded the official
licenced product from python.org 

I am attaching a photo clicked by me when that error message displayed so
that you can have a better idea of my issue...

Thank you in advance...



The photo has been stripped as this is a text only list.  However I'll 
guess that this has been asked and answered repeatedly before, so see 
e.g. 
https://answers.microsoft.com/en-us/windows/forum/windows_7-windows_programs/python-360-cant-start-because-api-ms-win-crt/a58999ec-a94e-44ad-8f92-8136ce98871b


--
My fellow Pythonistas, ask not what our language can do for you, ask
what you can do for our language.

Mark Lawrence

--
https://mail.python.org/mailman/listinfo/python-list


Error Launching python 3.7.0

2018-06-28 Thread ojas gupta
 I just downloaded and installed python 3.7.0 on my PC and whenever I tried
to launch the application it showed "error" saying python runtime dll
missing... and that too is happening despite i downloaded the official
licenced product from python.org 

I am attaching a photo clicked by me when that error message displayed so
that you can have a better idea of my issue...

Thank you in advance...
-- 
https://mail.python.org/mailman/listinfo/python-list


Re: help install on Win 7

2018-06-28 Thread Rhodri James

On 28/06/18 02:23, Andrew von Bevern wrote:

I have tried to install python on my home laptop several times, using 3.6
or 3.7. Each time I get the following error - anyone know what I am doing
wrong?
[image: image.png]


I'm sorry, but this mailing list removes attachments (for perfectly 
sensible security reasons; also they tend to be annoyingly big).  Could 
you copy and paste (not just retype!) the full error, backtrace and 
everything as text?  I know it's a pain on Windows, but it's the only 
way any of us here are going to see it.  The more information you can 
include the better.


Cheers, 
Rhodri

--
Rhodri James *-* Kynesim Ltd
--
https://mail.python.org/mailman/listinfo/python-list


Re: Something new which all programmers world wide will appreciate

2018-06-28 Thread Alister via Python-list
On Wed, 27 Jun 2018 14:30:15 -0700, Rob Gaddi wrote:

> On 06/27/2018 02:14 PM, skybuck2...@hotmail.com wrote:
>> Now I don't like the French much ! LOL.
>> 
>> But this time they have invented something which will fill programmers
>> with tears of joy ! =D
>> 
>> http://www.euronews.com/2018/06/27/pizza-making-robot
>> 
>> Hopefully this will lead to cheaper and delicious pizzas in the future
>> ! ;) =D
>> 
>> Bye,
>>Skybuck.
>> 
>> 
> Or, you know, someone didn't bother putting limit checks in and a time
> out of 20 the thing gets lost and starts putting the sauce directly on
> the customer.

as a diabetic the bread base puts them firmly on the bad list anyway :-(



-- 
"If it ain't broke, don't fix it."
- Bert Lantz
-- 
https://mail.python.org/mailman/listinfo/python-list


Re: Should nested classes in an Enum be Enum members?

2018-06-28 Thread Ben Finney
Ethan Furman  writes:

> Consider the following Enum definition:
>
>   class Color(Enum):
>   RED = 1
>   GREEN = 2
>   BLUE = 3
>   @property
>   def lower(self):
>   return self.name.lower()
>   def spam(self):
>   return "I like %s eggs and spam!" % self.lower
>   class SomeClass:
>   pass

That dumbfounds my intuitions.

Specifically, I can't make sense of why someone would want to have a
class that is simultaneously behaving as an enumerated type, *and* has
an API of custom callable attributes.

> Question:
>
>   Should `SomeClass` be an enum member?  When would it be useful to
>   have an embedded class in an Enum be an enum member?

I can't think of a satisfactory answer to the question “Why is SomeClass
defined inside that enumerated type at all?”

> So I'm asking the community:  What real-world examples can you offer
> for either behavior?

That set is empty.

I'd be going straight to the author of that code; or, if that weren't an
option, re-factoring that code at the next opportunity.

-- 
 \ “Our urge to trust our senses overpowers what our measuring |
  `\ devices tell us about the actual nature of reality.” —Ann |
_o__)   Druyan, _Cosmos_, 2014 |
Ben Finney

-- 
https://mail.python.org/mailman/listinfo/python-list


Re: Where's the junk coming from?

2018-06-28 Thread Tim Golden

On 28/06/2018 09:05, Kerr Avon wrote:

On Wed, 27 Jun 2018 21:43:12 +1200, Avon wrote:


Hey Cameron,

Apologies for this. I have contacted the Fido system connected to the
gateway I run into news.bbs.nz and have asked them to urgently sort /
check what's up. If I don't get any joy from them within the next 24
hours I will delink them so as to negate further probs.

My hunch is a BBS (yes they still exist :)) is taking a gated feed of
this newsgroup and is linked to more than one gateway so stuff is
looping... not good.

Stand by caller... we're working on this now.

Best, Paul newsmaster [at] news dot bbs dot nz


Yep confirming I found the issue lay with the sysop of a BBS that connects
to the gateway linked to news.bbs.nz

I have delinked him while he addresses the issue (which he has found) and
we will leave him delinked for a few more days to be sure.

If anyone spots anything amiss that looks like it's coming in from
news.bbs.nz please feel free to contact me again and I'll get right on to
it.

Apologies for the hassles.

Best, Paul


(Wearing my List Moderator hat)

Thanks very much for addressing this for us, and to Cameron and others 
who did the detective work. I admit I assumed at first it was some kind 
of odd attack perhaps related to a dissatisfied poster so I'm glad it 
was a misconfiguration issue.


TJG

--
https://mail.python.org/mailman/listinfo/python-list


Re: Where's the junk coming from?

2018-06-28 Thread Kerr Avon
On Wed, 27 Jun 2018 21:43:12 +1200, Avon wrote:

> Hey Cameron,
> 
> Apologies for this. I have contacted the Fido system connected to the
> gateway I run into news.bbs.nz and have asked them to urgently sort /
> check what's up. If I don't get any joy from them within the next 24
> hours I will delink them so as to negate further probs.
> 
> My hunch is a BBS (yes they still exist :)) is taking a gated feed of
> this newsgroup and is linked to more than one gateway so stuff is
> looping... not good.
> 
> Stand by caller... we're working on this now.
> 
> Best, Paul newsmaster [at] news dot bbs dot nz

Yep confirming I found the issue lay with the sysop of a BBS that connects 
to the gateway linked to news.bbs.nz

I have delinked him while he addresses the issue (which he has found) and 
we will leave him delinked for a few more days to be sure.

If anyone spots anything amiss that looks like it's coming in from 
news.bbs.nz please feel free to contact me again and I'll get right on to 
it.

Apologies for the hassles.

Best, Paul



-- 
Agency News | news.bbs.nz
-- 
https://mail.python.org/mailman/listinfo/python-list


Re: Should nested classes in an Enum be Enum members?

2018-06-28 Thread Steven D'Aprano
On Wed, 27 Jun 2018 07:48:53 -0700, Ethan Furman wrote:

> [Note:  there is a similar thread on Python-Ideas, if you would like to
> respond there.]
> 
> Consider the following Enum definition:
> 
>class  Color(Enum):
>RED = 1
>GREEN = 2
>BLUE = 3
>@property
>def lower(self):
>return self.name.lower()
>def spam(self):
>return "I like %s eggs and spam!" % self.lower
>class SomeClass:
>pass
> 
> Which of the above Color attributes are enums, and which aren't?

The question is ambiguous in the case of SomeClass. It could mean that:

- SomeClass is the same kind of thing as Color (an Enum subclass);

- SomeClass is the same kind of thing as Color.RED (an enum member);

- or neither of the above.


(In hindsight perhaps you should have called the class EnumType so that 
ambiguity would not exist. Then an enum would *always* refer to the 
members Color.RED etc, and never to Color itself.)

Without trying it, or reading ahead, I would not want to guess which was 
the case.

[

s
p
o
i
l
e
r
 
s
p
a
c
e

]

> Answer:
> 
>- RED, GREEN, and BLUE are members
>- lower and spam() are not
>- SomeClass /is/ a member (but not its instances)

Is that by accident or by design?


> Question:
> 
>Should `SomeClass` be an enum member?  When would it be useful to
>have an embedded class in an Enum be an enum member?

I honestly cannot think of any reason to nest a class inside of an Enum 
class. But if I did, I would probably want it to be just a regular class, 
and not an enum member.

If I wanted to nest an Enum class inside an Enum class (but why???) I'd 
just inherit from Enum:

class Colour(Enum):
class PrimaryColour(Enum):
RED = 1
GREEN = 2
BLUE = 3
OCTARINE = 8
class SecondaryColour(Enum):
PUCE = 101
MAUVE = 102
BEIGE = 103
TEAL = 104


> The only example I have seen so far of nested classes in an Enum is when
> folks want to make an Enum of Enums, and the nested Enum should not
> itself be an enum member.  Since the counter-example already works I
> haven't seen any requests for it.  ;)
> 
> So I'm asking the community:  What real-world examples can you offer for
> either behavior?  Cases where nested classes should be enum members, and
> cases where nested classes should not be members.

Is this a trick question?

:-)





-- 
Steven D'Aprano
"Ever since I learned about confirmation bias, I've been seeing
it everywhere." -- Jon Ronson

-- 
https://mail.python.org/mailman/listinfo/python-list


Re: configparser v/s file variables

2018-06-28 Thread Steven D'Aprano
On Wed, 27 Jun 2018 16:09:09 -0700, Jim Lee wrote:

> On 06/27/18 15:19, Steven D'Aprano wrote:
>> On Wed, 27 Jun 2018 12:15:23 -0700, Jim Lee wrote:
>>
>>>     It seems a bit silly to me to worry about arbitrary code
>>>     execution in
>>> an interpreted language like Python whose default runtime execution
>>> method is to parse the source code directly.  An attacker would be far
>>> more likely to simply modify the source to achieve his ends rather
>>> than try to inject a payload externally.
>> Spoken like a single user on a single-user machine who has
>> administrator privileges and can write to anything anywhere.
>>
>>
>>
> ...which is exactly the case I was trying to illustrate.  Another is the
> elevation of privileges (in a multi-user environment)  due to any of a
> number of methods.  The point is that the source code exists in the
> execution environment, and once one gains access to that code, one
> doesn't *need* anything else.

o_O

Yes, attacks by trusted insiders are the hardest to defend against. 
Betrayal of trust sucks. Trusted users with sufficient privileges could 
just modify the source code of your application or of Python itself. They 
could also attack your system in a thousand different ways.

But what about untrusted users with fewer privileges? They *can't* modify 
the source code of your application, or change the password on other 
accounts, or read arbitrary files, or masquerade as other users. Because 
they have unprivileged accounts.

So why give them the ability to escalate their privilege to that of your 
application (which probably can do lots of things they can't do) by 
directly executing Python code they supply?

Your argument is akin to:

"I gave my partner a key to my house, and they could rob me blind if they 
want. Since I trust them not to, there's no point in locking the door to 
the house when I go out, since they have a key."




-- 
Steven D'Aprano
"Ever since I learned about confirmation bias, I've been seeing
it everywhere." -- Jon Ronson

-- 
https://mail.python.org/mailman/listinfo/python-list


Re: help install on Win 7

2018-06-28 Thread Abdur-Rahmaan Janhangeer
text-only list, can you please copy paste the error?

thank you,

Abdur-Rahmaan Janhangeer
https://github.com/Abdur-rahmaanJ


>
-- 
https://mail.python.org/mailman/listinfo/python-list


help install on Win 7

2018-06-28 Thread Andrew von Bevern
I have tried to install python on my home laptop several times, using 3.6
or 3.7. Each time I get the following error - anyone know what I am doing
wrong?
[image: image.png]
thanks in advance
Andrew
-- 
https://mail.python.org/mailman/listinfo/python-list