2006-01-12

Perl, Python, security and vision

A friend pointed me today towards a very cool project named Logix. In short, it is a programming language with extensible syntax and macros. Ideal for defining domain-specific languages. I was awed when I saw what it is. It strongly reminds me of the power of LISP macros. And I didn't even look into much detail. Currently, they have Python as their back-end, but they are considering switching in the long term. A quote from their "Future Work" section: "Efficiency and security are two areas that are somewhat lacking with a Python foundation." I think that, in the end, they will make a better Python than Python :)

These people seem to have a *vision* of what they want to achieve. The Perl folks also have their vision: the Perl6 language and the Parrot VM. I feel that the Python world is lacking its vision. OK, there is "Python 3000", but unlike Perl, or Logix, it is vapourware, and AFAIK, not a line of code has been written. To build on the Python community's "batteries included" metaphor: putting a more powerful engine and more batteries in the car will make it go faster, but it won't make it *fly*.

They are also pretty conservative with the language, and this shows, for example, in their *disinterest* in the maintenance of the restricted execution module. Which brings me back to Perl: Ben Laurie wanted to implement capabilities in the Python language to provide fine-grained control over execution of untrusted code. He says that the Python community was not interested, so he implemented it for Perl, thus resulting in CaPerl. Python doesn't even implement something akin to Perl's *tainting*.

Today, engineers and programmers are slowly becoming aware of ever-increasing security issues. Slowly, they are realizing that security has to be *built into* the system, and not an add-on. It has to be *pervasive*, and the best place to make it pervasive is *the runtime system itself*. I believe that today, without such security features, it is hard to take an interpreted/VM language into serious consideration for coding Internet applications. I believe that this disinterest in security will harm Python (and other such languages!) in the long run, at least for Internet applications. One of the major advantages of executing the code in a VM is easy restriction on what the code is or is not allowed to do. And Python folks willfully do not exploit this advantage. And they have much to learn, for example from Java. I don't like Java for many things, but I have to admit that it has a well-engineered restricted execution model.

Another good idea that for some reason never caught on in the Python world is Stackless Python. Despite its obvious advantages, they went for the much weaker alternative in the form of generators.

Conclusion? Python reminds me of Latin. Nice, well-structured language with fast syntax and rules (also with a few ugly exceptions!), unambiguous and expressive... and too slowly changing to meet modern demands. Today, Latin is effectively a dead language, save for a few niche areas (the Catholic Church). Will Python meet the same fate? Maybe IronPython, now backed by Microsoft, will introduce some innovation in the Python world.

1 comment:

Unknown said...

Nice comparison. But the Latin language had a time when it was the de facto universal spoken language. I doubt that the same will happen with Python ;)