[spyne] [Soap-Python] soap library for python-3.x

Burak Arslan burak.arslan at arskom.com.tr
Mon May 19 13:40:31 UTC 2014


Hello All,

And as you may know, I maintain Spyne. I also wrote most of it. Also,
correct me if I'm wrong here, Spyne is the oldest maintained Soap
codebase written in Python. It's also WS-I compliant.

First, this long post won't conclude that Spyne is best and we should
all use it. I'll say something different. Please read on.

I'm sure we all agree that implementing a SOAP library is a huge
undertaking. Implementing SOAP really means implementing Xml Schema,
Wsdl 1.1 Wsdl 2.0 Soap 1.1 and Soap 1.2 standards, both in a client and
server setting.

Implementing daemons in Python is also a minefield. Depending on the
project requirements, you need to use gevent, twisted or WSGI and learn
about quirks of its many implementations etc.

Without a proper abstraction in place, it is very difficult to switch
between these.

Spyne is not just a Soap library anymore, it also became that
abstraction. Because that's what I had fun working on. There's more than
1000 commit difference between 2.10 and 2.11. There's a lot more goodies
in there but lower level efforts make up the bigger part of the 2.11 effort.

So if you go your your own way and re-implement Soap from the ground up,
you'll run into the issues we already ran into, and you'll have to deal
with them just like we had to. Perhaps you'll end up with a more
complete Soap implementation than Spyne, but you'll also have a less
robust RPC codebase than Spyne.

A couple of concrete examples:

1) For an xsd:sequence (the default class declaration method in both
soapbox and spyne) to pass validation, the tags in it must be *in the
same order it's defined in the wsdl document*.

I'm looking at this example and seeing the same naive mistake that we
did in Spyne:

https://github.com/FelixSchwarz/soapbox-bsd/blob/master/examples/xml_complex_types.py

The field order in the sequence is defined by the dict passed to
xsd.ComplexType metaclass. The order in python dicts are *random* and
change according to a wild array of factors, especially now that we have
PYTHONHASHSEED=random as an option. So when you add an innocent new
field to an existing object declaration, be ready to have all cached
wsdl documents invalidated.

See https://github.com/arskom/spyne/pull/313 and
https://github.com/arskom/spyne/pull/343 to see how we solved that
problem. Fixing it in Python 2 wasn't easy!

2) what are your precautions for parsing XML documents from untrusted
sources?

https://github.com/FelixSchwarz/soapbox-bsd/blob/31aff9f5825f1d6520a84bd938663851a45b5a03/soapbox/xsd.py#L859

None, from what I can tell.

This part of spyne documentation is full of security-related xml links:
http://spyne.io/docs/2.10/reference/protocol/xml.html#spyne.protocol.xml._base.XmlDocument

The most famous one: https://en.wikipedia.org/wiki/Billion_laughs

3) Are you using incremental xml generation? Can you produce a 8
gigabyte xml document without having it all in memory with SoapBox?
Apparently not:

https://github.com/FelixSchwarz/soapbox-bsd/blob/31aff9f5825f1d6520a84bd938663851a45b5a03/soapbox/xsd.py#L920

With Spyne 2.11, you can, thanks to lxml's incremental generation api.

I could go on and on.

(The above points also apply to PySimpleSoap but I'm don't want to
compare it with Spyne as PySimpleSoap's code is really naive and
seemingly deliberately so as it says simple right there in the project's
name. I feel the two projects serve two very different audiences. )

So my point is: If you go and make rude statements like this:

On 05/09/14 17:30, Felix Schwarz wrote:
> (Disclaimer: I'm one of the maintainers of "soapbox-bsd".)
>
> I think you should check out soapbox-bsd which is the only real option for
> server-side SOAP in Python: https://github.com/FelixSchwarz/soapbox-bsd

you're not doing open source. (only *real* option? come on, Felix
Schwarz, you shouldn't be so full of yourself)

Open source is about collaboration. What I'm seeing so far is not a
willingness to collaborate but wasteful chest-pounding fed by ignorance
about the delicacies of our craft I'm sadly used to see in corporate
environments.

You may or may not like Spyne, or PySimpleSoap or, soapbox, (or Ladon,
it did Soap with Python last time I looked as well). None of them are
perfect. But you must recognise that 1) everybody will benefit from
unifying these efforts. 2) our lives will be made easier once the
iniatial integration works are done with, because now we're a team.

So here's what I suggest: Let's put our egos aside, look at each other's
code, identify the strengths of each project, make sacrifices and unify 
Soap efforts in Python.

If doing my part will mean doing a git rm -r spyne/protocol/soap or git
rm -r spyne/interface/wsdl and simply import an adapter for SoapBox when
importing spyne.protocol.soap, i'll do it, provided it will result in a
better Soap experience for Spyne users.

So, awaiting your feedback.

Best regards,
Burak




More information about the people mailing list