
launchpad-dev team mailing list archive

Re: Notes about security and view code

 

Gary Poster wrote:
> Hi all.
> 
> Many moons ago, during a review, Barry and I talked about the way we do
> security in our view code.  I felt that neither the purpose nor the
> rules for our security story were crystal clear.  This led to a
> discussion in the reviewers meeting, and an action item for me to bring
> up the discussion with the whole team.
> 
> It's been so long that I strongly suspect I will miss some important
> parts of the previous discussions, for which I apologize in advance. 
> Hopefully others will be willing to repeat their past corrections and
> additions of what I write.
> 
> So here's my understanding of where we are.  Please correct and comment!

It looks pretty accurate to me.

> - An import fascist controls what can be imported.  You may only import
> code in a module's __all__.  This actually affects all code, not just
> view code.

I do wonder what the import fascist buys us these days.

It used to, at least, prevent one from importing database code into
non-database code, which would have been another way to punch through
our security, and indeed I thought that was more of the point than the
__all__ business.  It doesn't look like this got updated to prevent
lp.foo.browser.bar importing from lp.baz.model.quux though, and I don't
think we've missed it.

Cheers,
mwh
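
The two rules discussed in this thread (imports limited to names in a module's `__all__`, and `lp.foo.browser.bar` not importing from `lp.baz.model.quux`), sketched as a static check over source text. This is an added example, not Launchpad's import fascist and not part of the original message; the `EXPORTS` table, the `check_imports` helper and the sample source are constructed, and the `browser`/`model` layer names are taken from the module paths in the message.

```python
import ast

# Constructed sample: each module's declared __all__ (hypothetical names).
EXPORTS = {
    "lp.baz.interfaces.quux": ["IQuux"],
    "lp.baz.model.quux": ["Quux"],
}

def _layer(module):
    """Return 'browser' or 'model' if the dotted path has that component."""
    parts = module.split(".")
    for layer in ("browser", "model"):
        if layer in parts:
            return layer
    return None

def check_imports(importer, source, exports=EXPORTS):
    """Return (lineno, module, name, reason) for each policy violation."""
    violations = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.ImportFrom) and node.level == 0 and node.module:
            targets = [(node.module, alias.name) for alias in node.names]
        elif isinstance(node, ast.Import):
            targets = [(alias.name, None) for alias in node.names]
        else:
            continue
        for module, name in targets:
            # Layering rule: view code must not reach into database code.
            if _layer(importer) == "browser" and _layer(module) == "model":
                violations.append((node.lineno, module, name, "browser imports model"))
            # __all__ rule: only exported names may be imported by name.
            allowed = exports.get(module)
            if name not in (None, "*") and allowed is not None and name not in allowed:
                violations.append((node.lineno, module, name, "not in __all__"))
    return violations

# Constructed source for a hypothetical view module, lp.foo.browser.bar.
SAMPLE = """\
from lp.baz.interfaces.quux import IQuux
from lp.baz.interfaces.quux import _helper
from lp.baz.model.quux import Quux
import lp.baz.model.quux
"""

if __name__ == "__main__":
    for violation in check_imports("lp.foo.browser.bar", SAMPLE):
        print(violation)
```

The `__all__` rule alone passes line 3 of the sample, since `Quux` is exported; only the layering rule catches a view module reaching into model code.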


