[Python-Dev] Deprecate invalid ctypes call protection on Windows

2017-05-22 Thread Steve Dower
One of the main reasons we are stuck with an old libffi fork in CPython 
is because the newer versions do not support protection from calling 
functions with too few/many arguments:


https://docs.python.org/3/library/ctypes.html?highlight=ctypes#calling-functions

There are a number of caveats here, including "this only works on 
Windows", but since it is documented we cannot just remove the behaviour 
without a deprecation period.


I'd like to propose a highly-accelerated deprecation period for this 
specific feature, starting in CPython 3.6.2 and being "completed" in 
3.7.0, when we will hopefully move onto a newer libffi.


In general, the "feature" is a misfeature anyway, since calling a native 
function with incorrect arguments is unsupported and a very easy way to 
cause information leakage or code execution vulnerabilities. There may 
be an argument for removing the functionality immediately, but honestly 
I think changing libffi in a point release is higher risk.


Once the special protection is removed, most of these cases will become 
OSError due to the general protection against segmentation faults. Some 
will undoubtedly fall through the cracks and crash the entire 
interpreter, but these are unavoidable (and really ought to crash to 
avoid potential exploits).


Does anyone have any reasons to oppose this? It already has votes from 
another Windows expert and the 3.6/3.7 Release Manager, but we wanted to 
see if anyone has a concern we haven't thought of.


Cheers,
Steve
___
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
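An added example, not part of the original post or of CPython's code: independently of the Windows-only check discussed in this message, declaring `argtypes` makes ctypes reject a wrong argument count or type before the foreign call is made, on any platform. `load_c_runtime`, `bind` and `try_call` are hypothetical helper names, and `strlen` is only a convenient target function.

```python
import ctypes
import os


def load_c_runtime():
    # Assumption: msvcrt on Windows, the process's own C library elsewhere.
    return ctypes.cdll.msvcrt if os.name == "nt" else ctypes.CDLL(None)


def bind(lib, name, restype, argtypes):
    """Declare a prototype for lib.name and return an exact-arity wrapper.

    With argtypes set, ctypes converts and checks every argument before the
    foreign call is made. For cdecl functions it still accepts surplus
    arguments (needed for varargs), so the wrapper rejects those itself.
    """
    fn = getattr(lib, name)
    fn.restype = restype
    fn.argtypes = list(argtypes)
    arity = len(fn.argtypes)

    def checked(*args):
        if len(args) != arity:
            raise TypeError(f"{name}() takes {arity} argument(s), got {len(args)}")
        return fn(*args)

    return checked


def try_call(fn, *args):
    """Call fn and classify the outcome; bad calls never reach native code."""
    try:
        return ("ok", fn(*args))
    except ctypes.ArgumentError as exc:   # wrong type for a declared parameter
        return ("wrong-type", str(exc))
    except TypeError as exc:              # wrong number of arguments
        return ("wrong-arity", str(exc))


strlen = bind(load_c_runtime(), "strlen", ctypes.c_size_t, [ctypes.c_char_p])


def demo():
    return [
        try_call(strlen, b"ctypes"),    # valid call
        try_call(strlen),               # too few arguments
        try_call(strlen, b"a", b"b"),   # too many arguments
        try_call(strlen, 5),            # int where char* is declared
    ]
```

Without the declared prototype, the last call would pass the integer 5 to `strlen` as if it were a pointer.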


Re: [Python-Dev] Deprecate invalid ctypes call protection on Windows

2017-05-22 Thread Guido van Rossum
Sounds good to me.

On Mon, May 22, 2017 at 11:17 AM, Steve Dower wrote:

> One of the main reasons we are stuck with an old libffi fork in CPython is
> because the newer versions do not support protection from calling functions
> with too few/many arguments:
>
> https://docs.python.org/3/library/ctypes.html?highlight=ctypes#calling-functions
>
> There are a number of caveats here, including "this only works on
> Windows", but since it is documented we cannot just remove the behaviour
> without a deprecation period.
>
> I'd like to propose a highly-accelerated deprecation period for this
> specific feature, starting in CPython 3.6.2 and being "completed" in 3.7.0,
> when we will hopefully move onto a newer libffi.
>
> In general, the "feature" is a misfeature anyway, since calling a native
> function with incorrect arguments is unsupported and a very easy way to
> cause information leakage or code execution vulnerabilities. There may be
> an argument for removing the functionality immediately, but honestly I
> think changing libffi in a point release is higher risk.
>
> Once the special protection is removed, most of these cases will become
> OSError due to the general protection against segmentation faults. Some
> will undoubtedly fall through the cracks and crash the entire interpreter,
> but these are unavoidable (and really ought to crash to avoid potential
> exploits).
>
> Does anyone have any reasons to oppose this? It already has votes from
> another Windows expert and the 3.6/3.7 Release Manager, but we wanted to
> see if anyone has a concern we haven't thought of.
>
> Cheers,
> Steve
>



-- 
--Guido van Rossum (python.org/~guido)


Re: [Python-Dev] Deprecate invalid ctypes call protection on Windows

2017-05-22 Thread Paul Moore
On 22 May 2017 at 19:17, Steve Dower wrote:
> One of the main reasons we are stuck with an old libffi fork in CPython is
> because the newer versions do not support protection from calling functions
> with too few/many arguments:
>
> https://docs.python.org/3/library/ctypes.html?highlight=ctypes#calling-functions
>
> There are a number of caveats here, including "this only works on Windows",
> but since it is documented we cannot just remove the behaviour without a
> deprecation period.
>
> I'd like to propose a highly-accelerated deprecation period for this
> specific feature, starting in CPython 3.6.2 and being "completed" in 3.7.0,
> when we will hopefully move onto a newer libffi.
>
> In general, the "feature" is a misfeature anyway, since calling a native
> function with incorrect arguments is unsupported and a very easy way to
> cause information leakage or code execution vulnerabilities. There may be an
> argument for removing the functionality immediately, but honestly I think
> changing libffi in a point release is higher risk.
>
> Once the special protection is removed, most of these cases will become
> OSError due to the general protection against segmentation faults. Some will
> undoubtedly fall through the cracks and crash the entire interpreter, but
> these are unavoidable (and really ought to crash to avoid potential
> exploits).
>
> Does anyone have any reasons to oppose this? It already has votes from
> another Windows expert and the 3.6/3.7 Release Manager, but we wanted to see
> if anyone has a concern we haven't thought of.

+1 from me.

Paul


Re: [Python-Dev] Outdated GitHub clone of the old svn repository

2017-05-22 Thread Guido van Rossum
This story has a happy ending. I sent a request to GitHub user support, who
forwarded a message from me to the owner of the repo, who responded with
apologies and then deleted the repo! Click for yourself:
https://github.com/python-git/python/ is now a 404. Yay!

On Fri, May 5, 2017 at 3:23 PM, Guido van Rossum  wrote:

> OK I'll contact GitHub.
>
> On Fri, May 5, 2017 at 10:01 AM, Guido van Rossum 
> wrote:
>
>> Let's coordinate who contacts GitHub. Victor, Brett or myself?
>>
>> On Fri, May 5, 2017 at 9:52 AM, Brett Cannon  wrote:
>>
>>>
>>>
>>> On Fri, 5 May 2017 at 09:50 Victor Stinner 
>>> wrote:
>>>
>>>> 2017-05-05 18:36 GMT+02:00 Jonathan Goble :
>>>> > It appears to me to be an individual user rather than an organization.
>>>>
>>>> Oh nice, glad to meet you :-) So what do you think? Are you ok to
>>>> remove this old clone? Or do you have reasons to keep it?

>>>
>>> I don't think Jonathan was claiming ownership of the python-git account,
>>> just pointed out the account is a personal account of somebody's and not an
>>> organization account.
>>>
>>>
>>>
>>
>>
>> --
>> --Guido van Rossum (python.org/~guido)
>>
>
>
>
> --
> --Guido van Rossum (python.org/~guido)
>



-- 
--Guido van Rossum (python.org/~guido)


Re: [Python-Dev] Outdated GitHub clone of the old svn repository

2017-05-22 Thread Victor Stinner
Thank you Guido for taking care of that. So I don't have to ask the same
question over again (since I always forget what I did yesterday :-)).

Happy hacking at the CPython sprint now on GitHub!!!

Victor

On 22 May 2017 2:48 PM, "Guido van Rossum" wrote:

> This story has a happy ending. I sent a request to GitHub user support,
> who forwarded a message from me to the owner of the repo, who responded
> with apologies and then deleted the repo! Click for yourself:
> https://github.com/python-git/python/ is now a 404. Yay!
>
> On Fri, May 5, 2017 at 3:23 PM, Guido van Rossum  wrote:
>
>> OK I'll contact GitHub.
>>
>> On Fri, May 5, 2017 at 10:01 AM, Guido van Rossum 
>> wrote:
>>
>>> Let's coordinate who contacts GitHub. Victor, Brett or myself?
>>>
>>> On Fri, May 5, 2017 at 9:52 AM, Brett Cannon  wrote:
>>>


>>>> On Fri, 5 May 2017 at 09:50 Victor Stinner wrote:
>>>>
>>>>> 2017-05-05 18:36 GMT+02:00 Jonathan Goble :
>>>>> > It appears to me to be an individual user rather than an organization.
>>>>>
>>>>> Oh nice, glad to meet you :-) So what do you think? Are you ok to
>>>>> remove this old clone? Or do you have reasons to keep it?
>>>>>
>>>>
>>>> I don't think Jonathan was claiming ownership of the python-git
>>>> account, just pointed out the account is a personal account of somebody's
>>>> and not an organization account.



>>>
>>>
>>> --
>>> --Guido van Rossum (python.org/~guido)
>>>
>>
>>
>>
>> --
>> --Guido van Rossum (python.org/~guido)
>>
>
>
>
> --
> --Guido van Rossum (python.org/~guido)
>


Re: [Python-Dev] Snap Python for simple distribution across multiple Linux distros

2017-05-22 Thread Brett Cannon
On Tue, 16 May 2017 at 08:08 Martin Wimpress 
wrote:

> Hi all,
>
> I work at Canonical as part of the engineering team developing Ubuntu
> and Snapcraft [1] and I'm a long time Python fan :-)
>
> We've created snaps, a platform that enables projects to directly
> control delivery of software updates to users. This video of a
> lightning talk by dlang developers at DConf2017 [2] shows how they've
> made good use of snaps to distribute their compiler. They found the
> release channels particularly useful so their users can track a
> specific release.
>
> Is there someone here who'd be interested in doing the same for Python?
>
>
So the problem with adding Snap is it's yet one more thing for us to create
at release time. And if we do this for Snap are there competitors from e.g.
Fedora that people would want supported?

-Brett


> [1] https://snapcraft.io/
> [2] https://www.youtube.com/watch?v=M-bDzr4gYUU
> [3] https://snapcraft.io/docs/core/install
> [4] https://build.snapcraft.io/
>
> --
> Regards, Martin.
>


[Python-Dev] Python is Bae

2017-05-22 Thread Victor Njunu
Dear Python,

My name is Victor Mshindi and I am a student at United States International
University - Africa (USIU - Africa) studying Information Systems Technology and
also a member of the growing tech community. I've been working with python for
2 years now, currently using it for machine learning and web
development (Django) and would like to first say thank you for this amazing
language and the community you've built.

At USIU we realized there is an increasing number of tech students who aren't
self learning and depending on classes only, we also noticed that the community
was becoming exclusive for top developers and not passing knowledge to new
students. As a result we decided to start a python class to help beginners and
then a django class to help them transition and become really good developers.
We also hope to grow the python sub community and one day hold our very own
Nairobi Pycon giving python developers a chance to learn and interact with
members from around Kenya, outside Kenya and hopefully some core python
members.

In order to improve the quality of the class we would need to provide attendees 
branded merchandise, snacks & lunch and hopefully a Skype session with one of 
the core members. This will help excite them and welcome them in the best way 
possible to the python community. Therefore I would like to request for support 
from the foundation by providing a Skype session, Branded merchandise and if 
possible financial support to buy lunch & snacks.

Regards,
Victor Mshindi
United States International University - Africa
Student and IT Club President,
Django Full stack Developer,
+254-712-619-612


Re: [Python-Dev] Snap Python for simple distribution across multiple Linux distros

2017-05-22 Thread Matt Billenstein
On Tue, May 16, 2017 at 11:31:42AM +0100, Martin Wimpress wrote:
> Is there someone here who'd be interested in doing the same for Python?

Do snaps support Windows and/or MacOS?

m

-- 
Matt Billenstein
m...@vazor.com
http://www.vazor.com/