On Sun, Mar 19, 2017 at 8:58 AM, Ian Pilcher <arequip...@gmail.com> wrote:
> Yet another newbie question/observation ...
>
> So every example I can find of using python-cryptography includes a
> call to cryptography.hazmat.backends.default_backend(). Of course, the
> documentation at https://cryptography.io/en/latest/hazmat/backends/
> says:
>
> ! Danger
>
> This is a “Hazardous Materials” module. You should ONLY use it if
> you’re 100% absolutely sure that you know what you’re doing because
> this module is full of land mines, dragons, and dinosaurs with laser
> guns.
>
> Anyone else see a conflict here?
Not necessarily. I don't know about that exact example, but let me give you a couple of others.

1) exec and eval. Very dangerous. Do not use them in production code unless you know what you're doing. Where do you find exec used? In namedtuple. Yep. Every time you create a namedtuple, it exec's a big block of code with interpolated bits to make your stuff happen. Is namedtuple dangerous because it uses exec? No, because namedtuple has been well-written and is maintained with care.

2) cffi, ctypes, extension libraries, etc - untrusted access to C code. Incredibly dangerous, because you can mess up refcounts in CPython, your code can't be ported to other Pythons without a lot of care, and you can break things in ways you wouldn't even have thought possible (try redefining the value of the integer 1 - Python gets confused in a very short space of time). Where are they used? All over the place. All over the place. Poke around on PyPI and you'll find a ton of great modules that are written in C (and not using Cython), and the Python community hasn't collapsed under their collective fragility yet. Are they dangerous? Well, yes, in the sense that certain types of bugs can segfault the interpreter rather than raising an exception - but your code isn't more dangerous because you type "import psycopg2".

So the question is: How well do you trust the examples? Are they likely to be instructing you in a safe way to use this potentially-dangerous module?

ChrisA
--
https://mail.python.org/mailman/listinfo/python-list
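The namedtuple point in the reply above, as an added example that is not part of the thread: a hypothetical mini-namedtuple that, like the stdlib one, runs every name through `str.isidentifier()` and `keyword.iskeyword()` (plus the underscore and duplicate checks) before any generated source reaches `eval`, so the dangerous primitive is contained by the wrapper's input validation rather than avoided. The names `validate_names`, `make_record` and `is_rejected` are my own, not from `collections`.

```python
import keyword


def validate_names(typename, field_names):
    """Apply the checks collections.namedtuple makes before it evals its
    generated __new__: real identifiers, no keywords, no leading underscore
    on fields, no duplicate fields. Nothing else is ever interpolated."""
    for name in (typename, *field_names):
        if not isinstance(name, str):
            raise TypeError(f"names must be str, got {type(name).__name__}")
        if not name.isidentifier():
            raise ValueError(f"not a valid identifier: {name!r}")
        if keyword.iskeyword(name):
            raise ValueError(f"keyword cannot be used as a name: {name!r}")
    seen = set()
    for name in field_names:
        if name.startswith("_"):
            raise ValueError(f"field name starts with underscore: {name!r}")
        if name in seen:
            raise ValueError(f"duplicate field name: {name!r}")
        seen.add(name)


def make_record(typename, field_names):
    """Hypothetical mini-namedtuple: build a tuple subclass whose __new__ is
    produced by eval() of generated source, after validate_names()."""
    field_names = tuple(field_names)
    validate_names(typename, field_names)
    params = ", ".join(("_cls",) + field_names)
    tuple_expr = "(" + "".join(f"{f}, " for f in field_names) + ")"
    source = f"lambda {params}: _tuple_new(_cls, {tuple_expr})"
    # As in namedtuple: an empty __builtins__ and a single helper are all the
    # generated code can see, so even the validated names cannot reach more.
    new_func = eval(source, {"_tuple_new": tuple.__new__, "__builtins__": {}})
    namespace = {"__slots__": (), "_fields": field_names, "__new__": new_func}
    for index, name in enumerate(field_names):
        namespace[name] = property(lambda self, i=index: self[i])
    return type(typename, (tuple,), namespace)


def is_rejected(typename, field_names):
    """True when validation refuses the names before any source is built."""
    try:
        make_record(typename, field_names)
    except (TypeError, ValueError):
        return True
    return False
```

The rejected inputs (a name with spaces and punctuation, a keyword, a leading underscore, a duplicate) never reach `eval` at all, which is exactly what makes the stdlib's use of exec safe to rely on.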