Plurrrr

I’ve been using Go for a few years now, mostly in my open source project Lazygit. In my day job I use Ruby and Typescript, and I’ve also spent some time with Rust. Each of those languages have design quirks that can grind a developer’s gears, and although my own precious gears have been ground by every language I’ve used, Go is the only language that has made me feel indignant.

Years ago, OpenBSD gained two new security system calls, pledge(2) (originally tame(2)) and unveil. In both, an application surrenders capabilities at run-time. The idea is to perform initialization like usual, then drop capabilities before handling untrusted input, limiting unwanted side effects. This feature is applicable even where type safety isn’t an issue, such as Python, where a program might still get tricked into accessing sensitive files or making network connections when it shouldn’t. So how can a Python program access these system calls?

In this post, I want to look at the biggest strengths and weaknesses of Python, with more emphasis on the weaknesses, just because these problems have been there for years now and some of the rough edges bleed a lot.

When I decided the next post in my series on Python's syntactic sugar would be on async for, I figured it would be straightforward. I have already done for loops, so I have something to build off of. The language reference also specifies the pseudo-code for async for, so I really didn't have to think too much about what the unravelled form should be.

But then I decided I would break with my practice of using Python 3.8 as the reference version of Python I work from and instead pull from Python 3.10 due to two additions in that version: aiter() and anext(). That decision turned out to complicate my life a bit. 😉