Ron Johnson <ron.l.johnson@cox.net> writes:
> On Thu, 2003-06-26 at 11:59, Tom Lane wrote:
>> DeJuan Jackson <djackson@speedfc.com> writes:
>> > Just wondering (I don't use or intend to use plpython), but why does it
>> > need to be marked untrusted is the rexec code has been corrected.
>>
>> Now that the rexec code is gone, it MUST be marked untrusted ---
>> this is not a question for debate. Installing it as trusted would
>> be a security hole.
>
> In what version is rexec removed? v2.3? If so, then there are many
> people with Python 2.2 and even 2.1 who could still use trusted
> PlPython.
The problem, as I understand it, is that the reason that rexec was
removed was that Guido (and others) were convinced that it wasn't
really safe in the first place. Removing rexec was something along
the lines of "truth in advertising." The Python folks realized that
rexec wasn't really safe, and they weren't particularly interested in
expending the time and effort to make it safe, so they removed rexec
entirely.
They could have left it in and simply patched over any problems that
were reported and then pretended that Python was actually secure in
this manner, but they didn't want to be compared to MySQL's crash-me
script.* Leaving broken and dangerous bits in Python simply because
it would be a marketing bonus was not something the Python folks
wanted to do.
* [OK, I am making up the bit about the crash-me script, but you get
the idea.]
In short, rexec wasn't really safe in the first place. It just made
people feel better.
Jason
