launchpad-dev team mailing list archive

[Michael Hudson <michael.hudson@xxxxxxxxxxxxx>]

Michael Hudson wrote:
> Gary Poster wrote:
>> Hi all.
>>
>> Many moons ago, during a review, Barry and I talked about the way we do
>> security in our view code.  I felt that neither the purpose nor the
>> rules for our security story were crystal clear.  This led to a
>> discussion in the reviewers meeting, and an action item for me to bring
>> up the discussion with the whole team.
>>
>> It's been so long that I strongly suspect I will miss some important
>> parts of the previous discussions, for which I apologize in advance. 
>> Hopefully others will be willing to repeat their past corrections and
>> additions of what I write.
>>
>> So here's my understanding of where we are.  Please correct and comment!
> 
> It looks pretty accurate to me.
> 
>> - An import fascist controls what can be imported.  You may only import
>> code in a module's __all__.  This actually affects all code, not just
>> view code.
> 
> I do wonder what the import fascist buys us these days.
> 
> It used to, at least, prevent one from importing database code into
> non-database code, which would have been another way to punch through
> our security, and indeed I thought that was more of the point than the
> __all__ business.  It doesn't look like this got updated to prevent
> lp.foo.browser.bar importing from lp.baz.model.quux though, and I don't
> think we've missed it.

That said, the use of the naked SourcePackage class at
branchlisting.py:1663 is at least a bit dodgy.  Maybe we should update
the facist...

Cheers,
mwh