Troubadour I was posting this to get your thoughts on these two ways to further improve security of Python scripts.
PyPy:
I was looking for a secure sandboxing mechanism for Python and I found PyPy.
They are an implementation of the entire Python interpreter except they have designed their version to handle untrusted code safely.
No functionality is removed when compared to standard Python.
They have packages in Debian Jessie.
Obviously not all Python modules have been implemented using RPython or PyPy but they should be compatible. I don’t understand if the normal modules, in standard Python could also take advantage of the hardened PyPy interpreter. Would like a word on that if you understand more about it.
References:
[1] The failure of pysandbox [LWN.net]
(Where I got the idea. Note that PyPy was recommended as an alternative by the author of a failed approach called pysandbox - which he confessed as having restricted too much functionality but its sandbox still leaky. That was because he tried to implement the sandbox inside the interpreter itself rather than from the outside).
[2] http://pypy.org/ (PyPy’s many virtues)
[3] PyPy - Features | PyPy
[4] Debian -- Package Search Results -- pypy
[5] Debian -- Error
[6] Debian -- Error
[7] Python compatibility | PyPy (notes on compatibility with standard Python modules)
Edit by Patrick:
edited title
Edit by HulaHoop:
split topics