[Paul Moore]
> Um. While I understand the issue involved, I find it hard to be quite
> as convinced as this, that the issue is a bug.

User perceptions aren't technical issues, so whether it's "a bug" doesn't really matter -- Python wants to be friendly to newbies, and even in areas their OS is hostile.

> First of all, I would say that on a correctly functioning machine,
> applications should be able to listen on, and send to, unprivileged
> (> 1024) ports on the local machine (127.0.0.1).
>
> In that case, I don't see a bug in Python, or in IDLE. There may be
> "bugs" in certain systems, whereby such ports are not available, but
> that isn't Python's fault.

Python has a long tradition of accepting the blame for system bugs it can reasonably hide.

> In thinking about this, however, there *is* one major point which I
> think needs to be considered. As I understand the issue, IDLE runs as
> 2 processes which talk via a socket. I assume that it is not possible
> for this socket to be used by anything *other* than IDLE - in
> particular, random hackers can't use the open socket as a means of
> exploit? Such a security hole would, indeed, be a major bug which
> needs to be addressed.

I don't know the answer, and agree it should be taken seriously. For example, a port that accepts arbitrary Python code and executes it is as dangerous as anything I can imagine. But I haven't studied the new IDLE code, and don't know what the risks are.

> Assuming no such security hole, what remains is an education issue.
> This is exacerbated by the tendency of some "personal firewall"
> products to ask the user for his/her opinion on all sorts of otherwise
> innocent network traffic - often the user has no way of giving an
> informed opinion, and the question does nothing but foster paranoia.

That's the life goal of "security geeks" <wink>.

> Sure, the fact that people might ask "why is Python talking to the
> internet?" is worrying. But surely the correct answer is to say
> firmly, but in the politest possible way, "it's not - whatever gave
> you the impression that it is, is mistaken".
>
> Explanatory dialogs might help for some people, but you risk hitting
> the other problem, of annoying people who *do* understand what's going
> on by looking patronising.

I didn't understand why IDLE was "accessing the Internet" the first time I tried it, and I'll immodestly claim that I'm more computer-savvy than a solid 13.7% of Python's Windows users <wink>. I expect a one-time warning would only irritate those who love to be irritated, and there's no pleasing the unpleasable.
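
Added example, not part of the original message and not IDLE's code: one way a two-process tool can keep its local socket from being used by anything else is to bind to loopback only and make the peer answer an HMAC challenge before any command is read. The function names and the way the key reaches the child process are assumptions made for the illustration.

```python
import hashlib, hmac, secrets, socket, threading

def recv_exact(conn, n):
    buf = b""
    try:
        while len(buf) < n:
            chunk = conn.recv(n - len(buf))
            if not chunk:
                break
            buf += chunk
    except OSError:  # includes timeouts and resets
        pass
    return buf

def serve_once(listener, key, verdicts):
    """Accept one peer; record whether it proved knowledge of key."""
    conn, _ = listener.accept()
    with conn:
        conn.settimeout(2)
        nonce = secrets.token_bytes(32)   # fresh per connection: no replay
        conn.sendall(nonce)
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        ok = hmac.compare_digest(recv_exact(conn, 32), expected)
        conn.sendall(b"OK" if ok else b"NO")
        verdicts.append(ok)  # only now would a real server read commands

def connect(port, key):
    """Client side: answer the challenge, return True if accepted."""
    with socket.create_connection(("127.0.0.1", port), timeout=2) as c:
        nonce = recv_exact(c, 32)
        c.sendall(hmac.new(key, nonce, hashlib.sha256).digest())
        return recv_exact(c, 2) == b"OK"

def demo():
    key = secrets.token_bytes(32)  # assumption: passed to the child privately
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # loopback only, OS-chosen port
    listener.listen(1)
    host, port = listener.getsockname()
    accepted, verdicts = [], []
    for client_key in (key, secrets.token_bytes(32)):  # right key, wrong key
        t = threading.Thread(target=serve_once, args=(listener, key, verdicts))
        t.start()
        accepted.append(connect(port, client_key))
        t.join()
    listener.close()
    return host, accepted, verdicts

if __name__ == "__main__":
    print(demo())
```

Binding to 127.0.0.1 keeps remote hosts out, but any local process can still connect, which is why the challenge is checked before anything else is accepted from the peer.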