Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Python Microsoft

Microsoft To Excel Users: Be Careful With That Python (reddit.com) 46

Long-time Slashdot reader theodp spotted a Reddit Ask Me Anything (AMA) this week with the Microsoft engineering team that created Python in Excel, a new feature that makes it possible to natively combine Python and Excel analytics in Excel workbooks. (Copilot integration is coming soon). Redditors expressed a wish to be able to run Python in environments other than the confines of the locked down, price-to-be-determined Microsoft Azure cloud containers employed by Python in Excel.

But "There were three main reasons behind starting with the cloud (as a GDPR Compliant Microsoft 365 Connected experience) first," MicrosoftExcelTeam explained:

1. Running Python securely on a local machine is a difficult problem. We treat all Python code in the workbook as untrusted, so we execute it in a hypervisor-isolated container on Azure that does not have any outbound network access. Python code and the data that it operates on is sent to be executed in the container. The Microsoft-licensed Python environment in the container is provided by Anaconda and was prepared using their stringent security practices as documented here.

2. Sharing Excel workbooks with others is a really important scenario. We wanted to ensure that the Python code in a workbook you share behaves the same when your teammates open it â" without requiring them to install and manage Python.

3. We need to ensure that the Python in Excel feature always works for our customers. The value of Python is in its ecosystem of libraries, not just in providing a Python interpreter. But managing a local Python environment is challenging even for the most experienced developers. By running on Azure, we remove the need for users or their systems administrators to maintain a local installation of Python on every machine that uses the feature in their organization...



So, how does one balance tradeoffs between increased security and ease-of-maintenance with the loss of functionality and increased costs when it comes to programming language use? Is it okay to just give up on making certain important basic functionality available, as Microsoft is doing here with Python and has done in the past by not supporting Excel VBA in the Cloud and no longer making BASIC available on PCs and Macs?

Microsoft's team added at one point that "For our initial release, we are targeting data analytics scenarios, and bringing the power of Python analytics libraries into Excel.

"We believe the approach weâ(TM)ve taken will appeal to analysts who use both Excel and Python Notebooks in their workflows. Today, these users need to import/export data and have no way of creating a self-contained artifact that can be easily and securely shared with their colleagues."
This discussion has been archived. No new comments can be posted.

Microsoft To Excel Users: Be Careful With That Python

Comments Filter:
  • by KiloByte ( 825081 ) on Saturday September 30, 2023 @03:45PM (#63890293)

    Did I read this right? Microsoft considers Python a risk to users of Excel?!?
    What colour is this pot and this refrigerator again?

    • by korgitser ( 1809018 ) on Saturday September 30, 2023 @03:52PM (#63890309)
      Well, Excel is a risk to Excel users. Python is an extension to that.
      • Even more so with their language specific formulas as well.

      • 99% of the vba I come across is terrible, undocumented, and not performant

        but usually works in most cases if you can even get your excel to allow it to run

        as I've gotten older, I've found that I can usually avoid using vba and more elegantly accomplish my tasks with existing functionality (or just accept having slightly wrong outputs in exchange for clarity and performance where being 100% right isn't important like being off a couple dollars on certain business calculations where the full result is a huge

    • by Retired Chemist ( 5039029 ) on Saturday September 30, 2023 @04:19PM (#63890365)
      No, they are doubting users' ability to manage Python security. That is something very different.
      • by Rei ( 128717 )

        Managing Python security is something that is a challenge for many people.

        "Microsoft To Excel Users: Be Careful With That Python"

        "Zookeepers To New Employees: Be Careful With That Python"

        "Government Censors to 'Life Of Brian' Producers: Be Careful With That Python"

        "Directors To Adult Film Actor: Be Careful With That Python"

        "

        • by timelorde ( 7880 )

          Pink Floyd: Careful with that Python, Eugene.

        • by segin ( 883667 )
          The last two are basically the same if you think about it. Sure, Monty Python, but the "opening the windows as Brian wakes" scene makes it clear it's not that Python you're talking about.
      • Users' *ability* to manage Python securely? Perhaps that's true, but there is always a set of users who will deliberately manage any technology insecurely.

      • by gweihir ( 88907 )

        Probably, How anybody can climb on mountains of ignorance with regards to their own skills is something I am not equipped to understand.

    • Microsoft *should* doubt the security of Python in Excel. The introduction of a programming language inherently brings with it security risks. There are no exceptions, every programming language comes with certain security risks.

    • by gweihir ( 88907 )

      To be fair, MS has so much abysmal amateur-level security failures to misdirect away from, they basically have to lie, lie and lie some more, because there simply is no other possibility left. If these people had any integrity, they would just close down their company for all the extreme damage they do.

      Well, with the mountain of technological debt the have amassed, I do not think MS has even 20 years before it all comes crashing down and they cannot fix the problem anymore without starting over (and 20 year

  • I wrote some really handy and effective "special purpose tools" for excel, with VBA - dialogues that would pop up over the spreadsheet to give you buttons,etc that sped up doing SQL hits, manipulating pivot tables and charts, whatever. There were zillions of special-purpose Excel apps for doing just one thing in an office way more automatically.

    Then out comes Excel 2010, and my dialogue vanishes when I click on the spreadsheet. Because they'd gone from every Excel sheet being inside one Excel overall wind

    • Corporations lock down all the features of office, then hire people to reimplement the features it has already built in, without enabling any of those features natively because 'security' with blanket ban all policies. I've seen it over and over in my career.
  • I love how they're adding these features when a) Visual Basic has been available for decades and b) this is going to be a security hole, just like DirectX was.

    What could go wrong?

  • by MpVpRb ( 1423381 ) on Saturday September 30, 2023 @04:16PM (#63890353)

    No, there is one
    The cloud is a weapon of control and a recurrent revenue stream
    The cloud is a trap, not your friend
    Run Away

  • by Anonymous Coward
    Microsoft should have been bolder and added Perl to Excel. It would have been a perfect $match.
    • by cstacy ( 534252 )

      Microsoft should have been bolder and added Perl to Excel. It would have been a perfect $match.

      Owwww; Where is the "-1 Funny" button?

  • by Opportunist ( 166417 ) on Saturday September 30, 2023 @05:05PM (#63890467)

    I.e. simply refusing to execute it unless the user realizes that the worksheet is utterly useless without, but as soon as he clicks "yeah, run that shit" he's the one to blame, even though an informed decision is completely impossible since you give him no information? That kind of untrusted?

    • You don't even have to follow a link, it's in the summary. Even right after the word "untrusted." I won't spoil it for you, but you might have to consider what the word "so" means.

      We treat all Python code in the workbook as untrusted, so . . .

      I'm pretty skeptical what they're doing is actually more secure than a local container. The complexity will probably open them up to all kinds of ironic security problems down the line. It probably monetizes better though.

    • I.e. simply refusing to execute it unless the user realizes that the worksheet is utterly useless without, but as soon as he clicks "yeah, run that shit" he's the one to blame, even though an informed decision is completely impossible since you give him no information? That kind of untrusted?

      Yes that one. You mock, but this process has decimated an class of viral infections that used to spread via Office documents. Not automatically executing code is *a good thing*, and while the majority of users are idiots that will click run on anything that stops something working as intended, you unintentionally hit the core part here: "The user realises that the worksheet is useless without". If a worksheet doesn't look like it's relevant to the user, most users won't touch it further.

      There's a reason thi

  • by electroniceric ( 468976 ) on Saturday September 30, 2023 @06:04PM (#63890563)

    So there is some logic to having a container with no outbound network connection run the code. Excel does not have the same broad catalog of 3rd party libraries that Python does. So even though VBA has definitely had security issues, it is not a bad idea to limit Python's execution to a container.

    That's where reasonable ends and the annoying part starts. I can't understand why Excel can't instantiate the same container locally, with the same restrictions on outbound traffic. At a guess, they didn't want to deal with managing the containers, and Anaconda is looking for ways to get license revenue.

    The other problem is that when the data frame is instantiated in Python, it is encapsulated as an understand set of data. Allowing that data frame to be edited by the Excel UI opens up pretty complex scenarios of concurrency and confusion about data lineage.

    There are definitely times when one wants to do something to a data frame, then pass it on for manual editing (often to another user), then resume working on it. On the whole that kind of thing is much easier to keep track of in systems like DBT or Dremio.

    • What is local? This feature is only available in Microsoft 365. It's literally a cloud feature because the underlying product is a cloud product.

  • Until some "data scientist" hands you an excel workbook that they somehow managed to get hosting a Flask REST service.

    • Until some "data scientist" hands you an excel workbook that they somehow managed to get hosting a Flask REST service.

      I'll worry about that once there's a playable version of Doom in Excel.

  • Maybe somebody could patch the OpenOffice/LibreOffice spreadsheet program ("Calc"?) to interface with a local install of Python.
    • by narcc ( 412956 )

      What a horrible thing to suggest. I'm all for a simple macro language but Python? Ugh...

      • by kmoser ( 1469707 )

        Redditors expressed a wish to be able to run Python in environments other than the confines of the locked down, price-to-be-determined Microsoft Azure cloud containers employed by Python in Excel.

        But running Python was exactly what was asked for in the original article!

  • Because everyone know it is impossible to run an isolated application on the client, and you need to depend on some system wide python with an unknown version and access to your whole machine.
    There is absolutely no way to ship Excel with a given version of python, it is impossible to use virtualenv to allow libraries with fixed versions, and creating a virtualization container is completely unheard of.
    Bad joke aside, I see nothing in that list of argument that can't be done client-side. Safely. With ful
  • This could be ran quite safely using VBS on Windows or Apple Hypervisor Framework on macOS. The entire spreadsheet could be exposed as objects, and Python could then manipulate anything quite safely without needing Azure.

    But the truth is simple: Microsoft wants to stop writing native frontend software and is gearing up to turn everything into webview2-powered web apps. That is what New Outlook is already, complete with PST support and client-side filters removed!
  • Oh that's rich. So it runs on Azure so your data is sent up and down to some Azure thing you do not have a single idea of what that is doing to your stuff in the first place. Second of all what's up Microsoft dissing people that are smart enough to run a Python extension locally but not smart enough to realize the risks? How about running VBA macros, Microsoft?

    Besides. What's the risk of running Microsoft Windows in the first place? Oh. Yes. We're dumb enough not to understand that risk...

  • Microsoft has the concept of pluggable scripting languages in their OS and products. It's called "Active Scripting". I haven't had to touch IIS in a long time, but last time I did, it was trivial to add Active versions of Perl and Python to your server, and then you could use those languages in ASP. What's more, you could actually mix languages within a single ASP page, by simply including multiple script blocks with different languages specified. It's quite pathetic that you couldn't use the same functiona

    • by gweihir ( 88907 )

      You can. Just not in substandard office packages like the crap MS makes. LibreOffice uses Python as scripting language.

  • > a new feature that makes it possible to natively combine Python and Excel

    That's not a new feature by LibreCalc standards, looks like python support has been there well over a decade. The wording should really reflect that Excel is late to the game here.

    • by gweihir ( 88907 )

      Well, to be fair, MS is late to almost every game. And when they are not, they fuck things up. (Obviously, in many cases, they do both.)

  • Hey there guys. Can someone here please help me as I don't really know where it's better to buy and download Microsoft office [gosoftwarebuy.com] right now... There are a lot of different resources on the internet but I still don't know what to choose so I hope that someone here will be able to recommend me something trustworthy.
  • The Microsoft-licensed Python environment in the container is provided by Anaconda and was prepared using their stringent security practices as documented here.

    You can also install Anaconda locally. Problem solved, Microsoft.

As you will see, I told them, in no uncertain terms, to see Figure one. -- Dave "First Strike" Pare

Working...