On 22.01.2009 10:38, Chris Withers wrote:
> Stephan Richter wrote:
>> On Wednesday 21 January 2009, Andreas Jung wrote:
>>> - RestrictedPython security audit: such an audit has been made
>>>   by Stefan and Sidnei. I am not qualified to speak about the
>>>   correctness of the audit. I assume they know what they were
>>>   doing. Unless objections one might consider this issue as
>>>   resolved - if not, please speak up.
>>
>> Note that Jim never explained to me how he does these audits, but I
>> gathered some methods he used in conversations. I think I did a pretty
>> thorough job during the review.
> 
> Yeah, this disturbs me a lot still though :-S
> 
> It's a shame Jim has so little time to spend on this...

Take your hat and collect some money for hiring Jim :-)

> It's also a shame that no one seems to be able to get any sense out of
> the PyPy guys in this area...
> 
> One thing that myself and Shane talked briefly about on this list was
> re-implementing the AST manipulation as disallow-by-default filter
> rather than a straight manipulation. That way, unexpected stuff should
> be allowed by default. That feels like it might be a lot safer when it
> comes to python version changes, but I must admit, I haven't looked
> closely enough to give a definitive answer...
>

You know the difference between fiction and the reality. We have RP
now and have to deal with it within a reasonable amount of time.

Andreas
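
The disallow-by-default AST filter idea raised in the quoted message, sketched as an added example (not part of this thread and not RestrictedPython's code). The allowlist contents and the names `ALLOWED_NODES`, `ALLOWED_CALLS` and `check_source` are assumptions chosen for illustration.

```python
import ast

# Constructed allowlist: only node types named here pass the filter.
# Anything else, including node types introduced by a later Python
# version, is rejected without the filter having to know about it.
ALLOWED_NODES = frozenset({
    ast.Module, ast.Expr, ast.Assign, ast.Name, ast.Load, ast.Store,
    ast.Constant, ast.BinOp, ast.Add, ast.Sub, ast.Mult, ast.Div,
    ast.Compare, ast.Eq, ast.NotEq, ast.Lt, ast.Gt, ast.Call,
})

# Constructed sample of callables the sandboxed code may invoke by name.
ALLOWED_CALLS = frozenset({"len", "min", "max"})


def check_source(source):
    """Return a list of (lineno, reason) rejections; empty means accepted."""
    try:
        tree = ast.parse(source)
    except SyntaxError as exc:
        return [(exc.lineno or 0, "syntax error")]
    problems = []
    for node in ast.walk(tree):
        line = getattr(node, "lineno", 0)
        # Exact type match, so subclasses are not accepted implicitly.
        if type(node) not in ALLOWED_NODES:
            problems.append(
                (line, "node type %s not allowed" % type(node).__name__))
        elif isinstance(node, ast.Name) and node.id.startswith("_"):
            problems.append((line, "underscore name %r" % node.id))
        elif isinstance(node, ast.Call):
            func = node.func
            if not (isinstance(func, ast.Name) and func.id in ALLOWED_CALLS):
                problems.append((line, "call target not allowed"))
    return problems


if __name__ == "__main__":
    for sample in ("x = len('abc') + 1", "x = obj.attr", "import os"):
        print(repr(sample), "->", check_source(sample))
```

Because acceptance requires an explicit entry, syntax added after the allowlist was written (for example `match` statements) is refused until someone reviews and adds it.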

_______________________________________________
Zope-Dev maillist  -  Zope-Dev@zope.org
http://mail.zope.org/mailman/listinfo/zope-dev