Does Python really follow its philosophy of "Readability counts"?

[Luis Zarrabeitia]

Whaat? Assuming a program is perfect unless a failure is proven
is not at all a sane approach to getting reliable software. It is
the person claiming perfection who has to prove the absence of failure.

No, no. I meant that if pylint works as its specification says it would.

Russ says (or seems to say, I don't know, I'm confused already) that it is not
good enough, that what pylint says it does is not what he wants (otherwise,
this subthread would have died a long time ago). So, assuming that pylint
works as specified (its up to "you" to find out if it doesn't and file
bugreports about it, just like you would do if you find out that the
static-checker for your enforced-static-checks-language is buggy), what
would be the difference between only accepting/running "pylint-authorized
code" and the enforced hiding you desire?

Sorry, I didn't realize that perfect was a too strong word for that. "I speaks
english bad"

Cya!

 

[Bruno Desthuilliers]

Paul Rubin a écrit :

Take some not-that-trivial projects like Zope/Plone. There are quite a
few lines of code involved, and quite a lot of programmers worked on it.

Zope is about 375 KLOC[1],

I was thinking about Zope2 + Plone, but anyway...

which I agree is not trivial, but by
today's standards, it's not all that large.

How many LOCS would it require if it was written in ADA ?

Zope also has 275 open
bugs, 6 of which are critical.

None of which are going to *kill* anyone FWIW. Now how many of these
bugs would have language-enforced access restriction prevented ?

[2] The Space Shuttle avionics (written
in the 1980's!) are 2 MLOC

of a hi-level dynamic language ? Hm, I guess not.

in which only 3 errors have been found
post-release.[3] I think "large software system" today means 100's of
MLOC.

Given the difference in LOCS count between a low-level static language
and a hi-level dynamic language for the implementation of a same given
features set, you cannot just define "large" by the # of LOCS. Not that
I'm going to compare Zope with Space shuttle's stuff.

FWIW, Zope has 20x as much code as Django--is that a good
thing!?

IMHO, definitively not - and I indeed prefer Django as far as I'm
concerned. But this is another debate (or is it not ?...)

 

[Russ P.]

No, no. I meant that if pylint works as its specification says it would.

Russ says (or seems to say, I don't know, I'm confused already) that it is not
good enough, that what pylint says it does is not what he wants (otherwise,
this subthread would have died a long time ago). So, assuming that pylint
works as specified (its up to "you" to find out if it doesn't and file
bugreports about it, just like you would do if you find out that the
static-checker for your enforced-static-checks-language is buggy), what
would be the difference between only accepting/running "pylint-authorized
code" and the enforced hiding you desire?

Sorry, I didn't realize that perfect was a too strong word for that. "I speaks
english bad"

Cya!

Hey, if pylint can reliably detect private data access violations,
that's good news to me. I haven't used it, so I don't know. (I used
pychecker a while back, but I haven't used that for a while either.)

If pylint can check access violations, then it seems to me that
someone (who is familiar with the internals of the Python interpreter)
should be able to integrate that feature into Python itself relatively
easily.

Actually, in addition to the enforcement of "private," you also need
the enforcement of "protected." If you only enforce "private," derived
classes will not have access to data they need. And if you don't
enforce "protected," then anyone can trivially gain access to private
data by simply deriving a new class. It would be like having a lock on
the door with the key hanging right there on a string.

I realize that this complicates matters. As I said before, I am not
claiming that Python should necessarily get enforced data hiding. All
I am saying is that, if it doesn't get it, it will never be
appropriate for certain domains. But maybe nobody cares about that
except me.

The other problem with the pylint approach is aesthetic: the
requirement for a leading underscore to indicate private data. I
realize that some actually like that convention, but I don't. I spend
most of my development time working with "private" data, and why
should I have to look at that litter everywhere? I use Python in part
because I want clean looking code, and leading underscores bother me
-- just as the leading dollar signs in Perl bother many Python
programmers.

 

[Rhamphoryncus]

that's good news to me. I haven't used it, so I don't know. (I used
pychecker a while back, but I haven't used that for a while either.)

If pylint can check access violations, then it seems to me that
someone (who is familiar with the internals of the Python interpreter)
should be able to integrate that feature into Python itself relatively
easily.

Actually, in addition to the enforcement of "private," you also need
the enforcement of "protected." If you only enforce "private," derived
classes will not have access to data they need. And if you don't
enforce "protected," then anyone can trivially gain access to private
data by simply deriving a new class. It would be like having a lock on
the door with the key hanging right there on a string.

I realize that this complicates matters. As I said before, I am not
claiming that Python should necessarily get enforced data hiding. All
I am saying is that, if it doesn't get it, it will never be
appropriate for certain domains. But maybe nobody cares about that
except me.

If pylint had "private" it should behave like "protected". Basic
encapsulation is about good style (separation of concerns), not
security, and subclassing is a clear statement that this concern is
closely related.

Of course if you accept that the extremism of security is a separate
issue then you have the question of how much is necessary to encourage
separation of concerns, and and what should be available to work
around it...

The other problem with the pylint approach is aesthetic: the
requirement for a leading underscore to indicate private data. I
realize that some actually like that convention, but I don't. I spend
most of my development time working with "private" data, and why
should I have to look at that litter everywhere? I use Python in part
because I want clean looking code, and leading underscores bother me
-- just as the leading dollar signs in Perl bother many Python
programmers.

There needs to be *some* indicator that separates a public property
from a private one. What would you suggest?

 

[Mark Wooding]

Actually, in addition to the enforcement of "private," you also need
the enforcement of "protected."

Oh, heavens. If you want C++ or any of its progeny, you know where to
find them. Besides, those languages have a horrific design mistake
because they conflate the class system (which manages the units of
behaviour) with the module system (which deals with the units of
implementation).

It's precisely because Python's boundaries are fairly porous that it
doesn't fall into this trap. (There's the small matter of sharing the
class and instance attribute namespaces, but a little bit of care seems
to work out OK.)

Even so, why do you think you are that you know better than the next
programmer -- whoever he might be -- which parts of your class he should
mess with? You can make suggestions, recommendations, in your
documentation: provide the raw materials so that he can make informed
decisions about whether he wants to mess with your class's internals.
But the `here's a black box: there isn't and never will be any
justifiable reason why you might want to poke about inside'
control-freakery of people who like this sort of thing just rubs me up
the wrong way.

Yes, I know that some people have to work with drooling idiots who don't
know a stable interface from volatile implementation details or
documented behaviour from a bug that'll be fixed in the next version.
Python just isn't the right language for those people. They can use
Java or something -- hey, it's presumably good for something, maybe it's
this -- but those who know better don't deserve to be penalized for
their sake.

-- [mdw]

 

[Russ P.]

Rather than waste more time replying to your post, Let me just refer
you to an excellent post that you may have missed earlier in this
thread by Mr. D'Aprano:

http://groups.google.com/group/comp.lang.python/msg/d684d43b64a6e35a

 

[Mark Wooding]

The consequence of this dynamism is that the Python VM can't do many
optimizations at all, because *at any time* somebody might mess with the
implementation. But 90% of the time nobody does, so Python is needlessly
slow 90% of the time. Wouldn't it be nice if there was a way to speed up
that 90% of the time while still allowing the 10% to take place?

There is. Compile, optimizing aggressively under the assumption that
everything will be as you expect. Keep a note somewhere of the
assumptions you made. If something violates those assumptions, fall
back to a slow version -- or, for bonus points, recompile based on the
changed assumptions.

CLOS is much more complex and dynamic than Python's object system; but
it can be compiled very aggressively.

The current solution to this problem is to try to push as much as
possible into functions written in C: built-ins and custom C
extensions. It's not a bad solution: most Python programs rely on
many C built-ins, which enforces real encapsulation and data
hiding. With the possible exception of mucking about with ctypes, you
simply can't access mess with the internals of (say) lists *at
all*. Is this a bad thing?

Would it be so terrible if we could do the same thing in pure Python?
Why should I have to write in C if I want the same protection?

S'funny. I always considered the lack of transparency in C extensions
to be a downside, and a reason to write as much as possible in proper,
honest, transparent, dynamic, mess-about-with-able Python.

Because nobody can agree what the standards and policy ought to be.

In Unix, file names with a leading dot are hidden in the shell:

Bzzt. They're silently not displayed by various things, including the
shell's globber, and ls(1).

when you do a file listing, you don't see them. It's not difficult to
get to see them: you just pass -a to the ls command.

See? That's ls(1). Not the shell. You did know what you were talking
about.

As data hiding goes, it's pretty lame,

It's not data hiding, though. It's just not cluttering the view with
stuff you probably didn't care about. I'm grateful that I don't have to
think about dotfiles unless I really want to -- but I'm also very
grateful that I /can/ mess with them when I do want to.

but Python doesn't even suppress _ names when you call dir. Frankly,
I wish that by default it would -- 99% of the time when I call dir, I
*don't* want to see _ names. They just get in the way.

That might be plausible.

No it's not. It's *practical*. There are domains where *by law* code
needs to meet all sorts of strict standards to prove safety and
security, and Python *simply cannot meet those standards*.

Codswallop. One can prove stuff about Python programs using the same
techniques as one uses for any other language. I've done it. Other
languages have better automated tools, it's true -- but the techniques
are basically the same.

No technology is failure proof. But there's no reason in the world why
most technology can't be idiot-proof. Televisions are idiot-proof,
because they protect people from casual mistakes. If televisions were
built according to the Python model, the internals of the TV would be
exposed, without even a cover. All the major parts would be plug-in
rather than soldered in, and there would be no cover over the parts that
were live. Every year, tens of thousands of people would electrocute
themselves fatally (because parts of the TV holds a massive charge for
days after you unplug them from the mains) but that would be okay,
because you never know when somebody might want to pull out the fly-back
transformer and replace it with a six ohm resistor. That sort of dynamism
is important!

Very amusing; but a poor analogy. The Python television comes in a
clear Perspex box, which you can undo, should you need to, without any
tools. But it holds together well even so. (Real PC cases are
sometimes like this.) The parts are plug-in, yes; but dangerous stuff
you probably don't want to mess with is covered by a plastic shield with
a note on it saying `dangerous stuff in here: if you kill yourself
messing with it, it's not my fault'. The plastic shields don't fall off
of their own accord, but you can remove them without much difficulty
should you be so inclined.

Again, we shouldn't enforce encapsulation and data hiding because there
are legitimate reasons for breaking it, but anyone who does break it is a
cretin. You have a very strange attitude.

I suppose it depends on the circumstances. I must have missed the
earlier details, but there's not enough in the stuff above to prove a
charge of cretinhood. I didn't see any ill-effects noted, for a start.

It's also bad for moral when you fire somebody for messing with the
internals when you have a policy that it is allowed to mess with the
internals. That's why you picked a dynamic language like Python in the
first place, because it doesn't prevent you from messing with the
internals. And now when somebody does, you sack him?

If he did it unilaterally, without consulting other people or mentioning
the risks, then that's irresponsible. If there was proper consultation
and the decision was made for good -- and agreed -- reasons, then, well,
it's a thing to keep in mind for later. May still be a net win. Hard
to say.

Python can be a sharp tool. Keeping sharp tools away from those who may
injure themselves and others is a good idea. That doesn't mean that we
shouldn't have sharp tools. It's hard to cut meat with a tenderizer.

Perhaps it would have been better to prevent him from messing with the
internals in the first place, even at some extra cost. When you're in
business, you have to make decisions like:

* do I write the software in Python, which will have a 99% chance of
costing $100,000 and a 1% chance of costing $100,000,000?

* or do I write it in a B&D language like Java, which will have a 100%
chance of costing $2,000,000?

Easy. 1,099,000 < 2,000,000, so stick with Python.

(In real life, we don't know the probabilities in advance, so the
question is trickier.)

I don't know if this scenario is even possible in Python, but pretend
that it is. Would it be so terrible?

I could probably live with it. It seems like a step back towards
Blub[1] to me, though. The Blub programmers already have Blub. Lock
the knives in the cupboard because the village idiot sometimes cuts
himself.

[1] http://www.paulgraham.com/avg.html

-- [mdw]

 

[Mark Wooding]

Rather than waste more time replying to your post, Let me just refer
you to an excellent post that you may have missed earlier in this
thread by Mr. D'Aprano:

I've responded to that now. (Steven and I can't even agree on a
description for simple parts of Python semantics: why should we agree on
this?)

But I note that you've cunningly avoided responding to my remark that
it's a mistake to conflate the module and class systems. (I think only
Common Lisp gets this right, because it can use its package system to
manage the names of class and instance slots and generic functions.)

Besides, it's not just classes that have internal parts. Python is not
Java: not all functionality is in classes. The proposals I've seen do
nothing for internal variables or functions at module level.

-- [mdw]

 

[Russ P.]

Rather than waste more time replying to your post, Let me just refer
you to an excellent post that you may have missed earlier in this
thread by Mr. D'Aprano:

I've responded to that now. (Steven and I can't even agree on a
description for simple parts of Python semantics: why should we agree on
this?)

But I note that you've cunningly avoided responding to my remark that
it's a mistake to conflate the module and class systems. (I think only
Common Lisp gets this right, because it can use its package system to
manage the names of class and instance slots and generic functions.)

Besides, it's not just classes that have internal parts. Python is not
Java: not all functionality is in classes. The proposals I've seen do
nothing for internal variables or functions at module level.

-- [mdw]

I'm not sure what you mean by "conflating module and class systems."
Are you referring to the fact that Java requires each class to be in
its own file of the same name (I don't use Java, but that's what I've
heard)? If so, I agree that is a bad idea.

Actually, I remember reading years ago that Ada gets this right. I've
never used Ada for real work either, but I understand that privacy is
managed according to packages and modules rather than classes. That is
a more flexible approach and makes more sense.

[I realize that Ada is on life support, and I probably sound like a
neanderthal for bringing it up so much, but it actually has many
advanced features that were well ahead of their time -- and still are
to some extent.]

In any case, I have suggested that Python should perhaps get a new
keyword, "private" or "priv". When used inside a class, it would serve
a similar function to what it does in Java, C++, and Scala. If used at
the file scope, it could simply restrict the data or function to that
module. I think that is how Ada works.

 

[Paul Rubin]

[I realize that Ada is on life support, and I probably sound like a
neanderthal for bringing it up so much, but it actually has many
advanced features that were well ahead of their time -- and still are
to some extent.]

I have the impression that there has been an uptick of interest in Ada
due to the availability of GNAT, which appeared on the scene not all
that long ago. I've been interested for a while in using it for
something, but haven't done so yet. The main doc I've read about it
so far is admittedly a sales pitch, but it's enough to make me believe
that writing anything substantial in C or C++ with significant
security or safety consequences is both masochistic and irresponsible:

http://adahome.com/Ammo/cpp2ada.html

I've gotten hold of a couple of Ada books but haven't had the copious
free time to look at them very much yet.

 

[alex23]

If pylint can check access violations, then it seems to me that
someone (who is familiar with the internals of the Python interpreter)
should be able to integrate that feature into Python itself relatively
easily.

If pylint performs the data access protection checks you want, then it
seems to me that it would be a better idea to mandate the use of
pylint on any projects you're working on - either in the IDE or when
checking in to a repository - rather than slow down Python as a whole
by providing functionality that doesn't seem to be in demand by the
majority of users.

I've never understood why so many things "must" reside in the language
itself when the same effect can be achieved through a well written
module.

(And that's not even commenting on the whole "I have no skill in this
area and only second-hand knowledge that it's possible but it's
*obvious* to me that it's trivial and *someone else* should easily be
able to do the work for me!" nature of your post...)

 

[Paul Rubin]

No, no. I meant that if pylint works as its specification says it would.

Oh, I see. Well, that would be ok, except Pylint is not specified as
detecting the types of access that Russ is concerned with. It can't,
for example, flag uses of setattr that might affect a particular
class. That would take something a lot fancier.

 

[Russ P.]

(And that's not even commenting on the whole "I have no skill in this
area and only second-hand knowledge that it's possible but it's
*obvious* to me that it's trivial and *someone else* should easily be
able to do the work for me!" nature of your post...)

I never said or even suggested that anything was "trivial." You must
have imagined that. Also, I am an aerospace engineer, not a computer
scientist, software engineer, or programmer per se.

Since when is no one is allowed to suggest a potential improvement to
a product unless they are willing to implement it themselves? Imagine
what the world would be like if such a rule applied to all products.

 

[James Mills]

Since when is no one is allowed to suggest a potential improvement to
a product unless they are willing to implement it themselves? Imagine
what the world would be like if such a rule applied to all products.

Maybe nobody wants what you want ?
Besides no-one will improve python for you!
Python is a FOSS contributed to by many tedious
laborious hours for little to no financial gain for
the people that have put in the hard work.

So if you insist python must have it, do it yourself )
And for the record, I (and probably 98% of other python developers)
don't want your data protection or encapsulation.

Have a nice day

cheers
James

 

[Terry Reedy]

The compiled code differs.

I *strongly* doubt that. Properties are designed to be transparent to
user code that access atrributes through the usual dotted name notation
precisely so that class code can be changed from
x = ob
to
x = property(get_x, set_x, del_x)
without changing user code.

CPython compiles attribute access to
<load object>
LOAD_ATTR <attr_name>

The code associated with LOAD_ATTR should get the attribute object and
check whether it is a property, in which case it calls the proper method
of the property.

> That doesn't matter if the class is only
accessed from within a single compiled program, but it does matter if you
expose a public interface from a library: if you change a public attribute
into a property then you need to recompile all code which accesses it.

Example to back this claim? Perhaps you have found a bug.

tjr

 

[alex23]

Since when is no one is allowed to suggest a potential improvement to
a product unless they are willing to implement it themselves? Imagine
what the world would be like if such a rule applied to all products.

It wasn't the suggestion so much as the claim that integration of the
behaviour was "relatively easy". Everything is "relatively easy" when
you're not the one doing it.

My mistake for using "trivial" instead, I didn't realise it would trip
up your pedantry.

 

[James Mills]

Rather than waste more time replying to your post, Let me just refer
you to an excellent post that you may have missed earlier in this
thread by Mr. D'Aprano:

http://groups.google.com/group/comp.lang.python/msg/d684d43b64a6e35a

I'll finish reading it tonight Too long
Starts off well though!

--JamesMills

 

[Russ P.]

It wasn't the suggestion so much as the claim that integration of the
behaviour was "relatively easy". Everything is "relatively easy" when
you're not the one doing it.

Here's what I wrote:

If pylint can check access violations, then it seems to me that
someone (who is familiar with the internals of the Python interpreter)
should be able to integrate that feature into Python itself relatively
easily.

If pylint can check for private access violations, then in principle
someone could just add a run-time flag that would run pylint as a
preliminary step to running python. Heck, I am *not* familiar with the
internals of the interpreter, and even I could do that.

My mistake for using "trivial" instead, I didn't realise it would trip
up your pedantry.

Your mistake for being a moron. But it seems to happen regularly,
doesn't it. How much more of my time are you going to waste, loser?

 

[alex23]

If pylint can check for private access violations, then in principle
someone could just add a run-time flag that would run pylint as a
preliminary step to running python. Heck, I am *not* familiar with the
internals of the interpreter, and even I could do that.

So why don't you? Why don't you set up a local command that does it
for you? Why don't you add the check to your repo check in? Why don't
you extend the object class in your site.py to provide the data
protection you want? Why don't you enforce the use of that site.py
across whatever multi-developer Python environment you're
participating in? (You are -actually- working in such an environment,
right, not just wasting our time in pointless conjecture?)

Why don't YOU do SOMETHING other than insist that the community
provide the solution for you?

I always thought this was the major advantage of Python, that so much
effort could be offloaded from the language to third party libraries.
If there is such an urgent itch-to-scratch for data protection, where
are the libs that provide such? There's a lot of funky stuff you can
do with metaclasses.

Your mistake for being a moron. But it seems to happen regularly,
doesn't it. How much more of my time are you going to waste, loser?

You keep saying this and you keep replying. You keep making outlandish
statements and then get angry when people question you. I'm sorry that
using synonyms for words you've written seems to anger you so much.
Have you stopped to consider that maybe it's that very anger which is
rendering you unable to entertain other people's arguments in this
thread? That's my polite way of saying "you're an arrogant and
condescending prick", by the way, just so there's no confusion here.

 

[James Mills]

Your mistake for being a moron. But it seems to happen regularly,
doesn't it. How much more of my time are you going to waste, loser?

I'm sorry Russ, but you insult my friend you die.
You are -in fact- the moron here. I only wish my good friend
and software engineering professor were here to laugh
at this stupidly funny thread.

Please stop replying.