Re: PlPython
From | Gerhard Häring |
---|---|
Subject | Re: PlPython |
Date | |
Msg-id | 3EFFBF02.3090402@ghaering.de |
In response to | Re: PlPython (Hannu Krosing <hannu@tm.ee>) |
Responses | Re: PlPython, Re: PlPython |
List | pgsql-hackers |

Hannu Krosing wrote:

> could we not just make sure that plpython uses python ver < 2.x and use
> plpythonu for python versions >= 2.x until a secure regex solution comes
> from Guido and folks ?
>
> I guess most plpython users would be much happier with plpython with
> some minor limitations due to older version than with being forced to
> use an untrusted pl altogether.

But if rexec isn't safe they're just fooling themselves. There's only two kinds of safety for restricted environments: absolute and not. That's why the Python developers were honest and disabled rexec for now.

If you want to fool yourself, that's easy enough: ship a modified rexec.py with the 'raise RuntimeError, "This code is not secure ..."' removed ;-)

> IIRC python 1.5.2 has a perfectly good RExec.

You are likely mistaken. Because I was interested in getting this problem solved for plpython and because most rexec problems are because of the new-style classes in Python 2.2 and later, I asked on comp.lang.python whether it was safe with 2.1 and earlier. Martin von Löwis told me it probably wasn't in http://groups.google.com/groups?selm=m3y8ztib79.fsf%40mira.informatik.hu-berlin.de

> Or is there a requirement that only latest language versions are used in
> pg 74 ;)

No, but I find it hard to believe that PL/python is used by untrusted users at all, so making it untrusted might not really be a problem in real life.

-- Gerhard

PS: Thanks Kevin for submitting the PL/Python patch. I intended to make it available at least as an untrusted language, but you beat me :)