Microsoft To Excel Users: Be Careful With That Python (reddit.com) 46
Long-time Slashdot reader theodp spotted a Reddit Ask Me Anything (AMA) this week with the Microsoft engineering team that created Python in Excel, a new feature that makes it possible to natively combine Python and Excel analytics in Excel workbooks. (Copilot integration is coming soon).
Redditors expressed a wish to be able to run Python in environments other than the confines of the locked down, price-to-be-determined Microsoft Azure cloud containers employed by Python in Excel.
But "There were three main reasons behind starting with the cloud (as a GDPR Compliant Microsoft 365 Connected experience) first," MicrosoftExcelTeam explained:
1. Running Python securely on a local machine is a difficult problem. We treat all Python code in the workbook as untrusted, so we execute it in a hypervisor-isolated container on Azure that does not have any outbound network access. Python code and the data that it operates on is sent to be executed in the container. The Microsoft-licensed Python environment in the container is provided by Anaconda and was prepared using their stringent security practices as documented here.
2. Sharing Excel workbooks with others is a really important scenario. We wanted to ensure that the Python code in a workbook you share behaves the same when your teammates open it — without requiring them to install and manage Python.
3. We need to ensure that the Python in Excel feature always works for our customers. The value of Python is in its ecosystem of libraries, not just in providing a Python interpreter. But managing a local Python environment is challenging even for the most experienced developers. By running on Azure, we remove the need for users or their systems administrators to maintain a local installation of Python on every machine that uses the feature in their organization...
So, how does one balance tradeoffs between increased security and ease-of-maintenance with the loss of functionality and increased costs when it comes to programming language use? Is it okay to just give up on making certain important basic functionality available, as Microsoft is doing here with Python and has done in the past by not supporting Excel VBA in the Cloud and no longer making BASIC available on PCs and Macs?
Microsoft's team added at one point that "For our initial release, we are targeting data analytics scenarios, and bringing the power of Python analytics libraries into Excel.
"We believe the approach we've taken will appeal to analysts who use both Excel and Python Notebooks in their workflows. Today, these users need to import/export data and have no way of creating a self-contained artifact that can be easily and securely shared with their colleagues."
Microsoft doubting Python security (Score:5, Insightful)
Did I read this right? Microsoft considers Python a risk to users of Excel?!?
What colour is this pot and this refrigerator again?
Re:Microsoft doubting Python security (Score:5, Insightful)
Re: Microsoft doubting Python security (Score:2)
Even more so with their language specific formulas as well.
Re: (Score:2)
99% of the vba I come across is terrible, undocumented, and not performant
but usually works in most cases if you can even get your excel to allow it to run
as I've gotten older, I've found that I can usually avoid using vba and more elegantly accomplish my tasks with existing functionality (or just accept having slightly wrong outputs in exchange for clarity and performance where being 100% right isn't important like being off a couple dollars on certain business calculations where the full result is a huge
Re:Microsoft doubting Python security (Score:5, Insightful)
Re: (Score:3)
Managing Python security is something that is a challenge for many people.
"Microsoft To Excel Users: Be Careful With That Python"
"Zookeepers To New Employees: Be Careful With That Python"
"Government Censors to 'Life Of Brian' Producers: Be Careful With That Python"
"Directors To Adult Film Actor: Be Careful With That Python"
"
Re: (Score:3)
Pink Floyd: Careful with that Python, Eugene.
Re: (Score:2)
Re: (Score:2)
Users' *ability* to manage Python securely? Perhaps that's true, but there is always a set of users who will deliberately manage any technology insecurely.
Re: (Score:2)
Probably. How anybody can climb on mountains of ignorance with regards to their own skills is something I am not equipped to understand.
Re: (Score:2)
Microsoft *should* doubt the security of Python in Excel. The introduction of a programming language inherently brings with it security risks. There are no exceptions, every programming language comes with certain security risks.
Re: (Score:2)
To be fair, MS has so many abysmal amateur-level security failures to misdirect away from, they basically have to lie, lie and lie some more, because there simply is no other possibility left. If these people had any integrity, they would just close down their company for all the extreme damage they do.
Well, with the mountain of technological debt they have amassed, I do not think MS has even 20 years before it all comes crashing down and they cannot fix the problem anymore without starting over (and 20 year
Microsoft has been deprecating macros for years (Score:2)
I wrote some really handy and effective "special purpose tools" for Excel, with VBA - dialogues that would pop up over the spreadsheet to give you buttons, etc. that sped up doing SQL hits, manipulating pivot tables and charts, whatever. There were zillions of special-purpose Excel apps for doing just one thing in an office way more automatically.
Then out comes Excel 2010, and my dialogue vanishes when I click on the spreadsheet. Because they'd gone from every Excel sheet being inside one Excel overall wind
Re: (Score:1)
A DirectX Contender He Entered the Chat (Score:2)
I love how they're adding these features when a) Visual Basic has been available for decades and b) this is going to be a security hole, just like DirectX was.
What could go wrong?
There were three main reasons ... (Score:3)
No, there is one
The cloud is a weapon of control and a recurrent revenue stream
The cloud is a trap, not your friend
Run Away
Re:There were three main reasons ... (Score:5, Insightful)
The cloud is a trap, not your friend
You beat me to it. I was going to say, "And let's not forget the most important reason for implementing this in the cloud first: we hope you get dependent on a feature we can pull out from under you if you ever stop paying."
Re: (Score:2)
... if you only knew Python ...
Re: (Score:2)
... if you only knew Python ...
Always two are there: a master and an apprentice.
Re: (Score:2)
cloud, noun, English: White, fluffy looking stuff made mostly of vapor somewhere in the sky.
klaut, verb, German, homonym to cloud: Imperative plural of klauen, a command to a group to steal something.
Re: (Score:2)
Then how does the processed data get back to the local machine?
Re: There were three main reasons ... (Score:2)
Perl (Score:1)
Re: (Score:3)
Microsoft should have been bolder and added Perl to Excel. It would have been a perfect $match.
Owwww; Where is the "-1 Funny" button?
Treating it as "untrusted", in the usual way? (Score:3)
I.e. simply refusing to execute it unless the user realizes that the worksheet is utterly useless without, but as soon as he clicks "yeah, run that shit" he's the one to blame, even though an informed decision is completely impossible since you give him no information? That kind of untrusted?
Re: (Score:2)
You don't even have to follow a link, it's in the summary. Even right after the word "untrusted." I won't spoil it for you, but you might have to consider what the word "so" means.
We treat all Python code in the workbook as untrusted, so . . .
I'm pretty skeptical what they're doing is actually more secure than a local container. The complexity will probably open them up to all kinds of ironic security problems down the line. It probably monetizes better though.
Re: (Score:2)
I.e. simply refusing to execute it unless the user realizes that the worksheet is utterly useless without, but as soon as he clicks "yeah, run that shit" he's the one to blame, even though an informed decision is completely impossible since you give him no information? That kind of untrusted?
Yes that one. You mock, but this process has decimated a class of viral infections that used to spread via Office documents. Not automatically executing code is *a good thing*, and while the majority of users are idiots that will click run on anything that stops something working as intended, you unintentionally hit the core part here: "The user realises that the worksheet is useless without". If a worksheet doesn't look like it's relevant to the user, most users won't touch it further.
There's a reason thi
Container yes, cloud no (Score:3)
So there is some logic to having a container with no outbound network connection run the code. Excel does not have the same broad catalog of 3rd party libraries that Python does. So even though VBA has definitely had security issues, it is not a bad idea to limit Python's execution to a container.
That's where reasonable ends and the annoying part starts. I can't understand why Excel can't instantiate the same container locally, with the same restrictions on outbound traffic. At a guess, they didn't want to deal with managing the containers, and Anaconda is looking for ways to get license revenue.
The other problem is that when the data frame is instantiated in Python, it is encapsulated as an understood set of data. Allowing that data frame to be edited by the Excel UI opens up pretty complex scenarios of concurrency and confusion about data lineage.
There are definitely times when one wants to do something to a data frame, then pass it on for manual editing (often to another user), then resume working on it. On the whole that kind of thing is much easier to keep track of in systems like DBT or Dremio.
Re: (Score:2)
What is local? This feature is only available in Microsoft 365. It's literally a cloud feature because the underlying product is a cloud product.
It's all fun and games (Score:2)
Until some "data scientist" hands you an excel workbook that they somehow managed to get hosting a Flask REST service.
Re: (Score:2)
Until some "data scientist" hands you an excel workbook that they somehow managed to get hosting a Flask REST service.
I'll worry about that once there's a playable version of Doom in Excel.
Build it into Calc? (Score:2)
Re: (Score:2)
What a horrible thing to suggest. I'm all for a simple macro language but Python? Ugh...
Re: (Score:2)
Redditors expressed a wish to be able to run Python in environments other than the confines of the locked down, price-to-be-determined Microsoft Azure cloud containers employed by Python in Excel.
But running Python was exactly what was asked for in the original article!
Re: (Score:2)
That doesn't make it any less horrible!
Of course you need the cloud (Score:2)
There is absolutely no way to ship Excel with a given version of python, it is impossible to use virtualenv to allow libraries with fixed versions, and creating a virtualization container is completely unheard of.
Bad joke aside, I see nothing in that list of arguments that can't be done client-side. Safely. With ful
Did the Virtualization Based Security team quit? (Score:2)
But the truth is simple: Microsoft wants to stop writing native frontend software and is gearing up to turn everything into webview2-powered web apps. That is what New Outlook is already, complete with PST support and client-side filters removed!
What now, risk? (Score:1)
Oh that's rich. So it runs on Azure so your data is sent up and down to some Azure thing you do not have a single idea of what that is doing to your stuff in the first place. Second of all what's up Microsoft dissing people that are smart enough to run a Python extension locally but not smart enough to realize the risks? How about running VBA macros, Microsoft?
Besides. What's the risk of running Microsoft Windows in the first place? Oh. Yes. We're dumb enough not to understand that risk...
Why couldn't you do this ages ago? (Score:2)
Microsoft has the concept of pluggable scripting languages in their OS and products. It's called "Active Scripting". I haven't had to touch IIS in a long time, but last time I did, it was trivial to add Active versions of Perl and Python to your server, and then you could use those languages in ASP. What's more, you could actually mix languages within a single ASP page, by simply including multiple script blocks with different languages specified. It's quite pathetic that you couldn't use the same functiona
Re: (Score:2)
You can. Just not in substandard office packages like the crap MS makes. LibreOffice uses Python as scripting language.
Not new (Score:2)
> a new feature that makes it possible to natively combine Python and Excel
That's not a new feature by LibreCalc standards, looks like python support has been there well over a decade. The wording should really reflect that Excel is late to the game here.
Re: (Score:2)
Well, to be fair, MS is late to almost every game. And when they are not, they fuck things up. (Obviously, in many cases, they do both.)
Hey there guys (Score:1)
Running Python securely on a local machine (Score:2)
You can also install Anaconda locally. Problem solved, Microsoft.