@@ -11,7 +11,7 @@ msgid ""
1111msgstr ""
1212"Project-Id-Version : Python 3.14\n "
1313"Report-Msgid-Bugs-To : \n "
14- "POT-Creation-Date : 2026-03-23 14:50 +0000\n "
14+ "POT-Creation-Date : 2026-04-03 14:38 +0000\n "
1515"PO-Revision-Date : 2025-09-16 00:00+0000\n "
1616"Last-Translator : python-doc bot, 2025\n "
1717"Language-Team : Polish (https://app.transifex.com/python-doc/teams/5390/pl/)\n "
@@ -863,3 +863,78 @@ msgid ""
863863"Resume the process (if suspended). The script will execute at the next safe "
864864"evaluation point."
865865msgstr ""
866+
867+ msgid "Security and threat model"
868+ msgstr ""
869+
870+ msgid ""
871+ "The remote debugging protocol relies on the same operating system primitives "
872+ "used by native debuggers such as GDB and LLDB. Attaching to a process "
873+ "requires the **same privileges** that those debuggers require, for example "
874+ "``ptrace`` / Yama LSM on Linux, ``task_for_pid`` on macOS, and "
875+ "``SeDebugPrivilege`` on Windows. Python does not introduce any new "
876+ "privilege escalation path; if an attacker already possesses the permissions "
877+ "needed to attach to a process, they could equally use GDB to read memory or "
878+ "inject code."
879+ msgstr ""
880+
881+ msgid ""
882+ "The following principles define what is, and is not, considered a security "
883+ "vulnerability in this feature:"
884+ msgstr ""
885+
886+ msgid "Attaching requires OS-level privileges"
887+ msgstr ""
888+
889+ msgid ""
890+ "On every supported platform the operating system gates cross-process memory "
891+ "access behind privilege checks (``CAP_SYS_PTRACE``, root, or administrator "
892+ "rights). A report that demonstrates an issue only after these privileges "
893+ "have already been obtained is **not** a vulnerability in CPython, since the "
894+ "OS security boundary was already crossed."
895+ msgstr ""
896+
897+ msgid ""
898+ "Crashes or memory errors when reading a compromised process are not "
899+ "vulnerabilities"
900+ msgstr ""
901+
902+ msgid ""
903+ "A tool that reads internal interpreter state from a target process must "
904+ "trust that memory to be well-formed. If the target process has been "
905+ "corrupted or is controlled by an attacker, the debugger or profiler may "
906+ "crash, produce garbage output, or behave unpredictably. This is the same "
907+ "risk accepted by every ``ptrace``-based debugger. Bugs in this category "
908+ "(buffer overflows, segmentation faults, or undefined behaviour triggered by "
909+ "reading corrupted state) are **not** treated as security issues, though "
910+ "fixes that improve robustness are welcome."
911+ msgstr ""
912+
913+ msgid "Vulnerabilities in the target process are not in scope"
914+ msgstr ""
915+
916+ msgid ""
917+ "If the Python process being debugged has already been compromised, the "
918+ "attacker already controls execution in that process. Demonstrating further "
919+ "impact from that starting point does not constitute a vulnerability in the "
920+ "remote debugging protocol."
921+ msgstr ""
922+
923+ msgid "When to use ``PYTHON_DISABLE_REMOTE_DEBUG``"
924+ msgstr ""
925+
926+ msgid ""
927+ "The environment variable :envvar:`PYTHON_DISABLE_REMOTE_DEBUG` (and the "
928+ "equivalent :option:`-X disable_remote_debug` flag) allows operators to "
929+ "disable the in-process side of the protocol as a **defence-in-depth** "
930+ "measure. This may be useful in hardened or sandboxed deployment "
931+ "environments where no debugging or profiling of the process is expected and "
932+ "reducing attack surface is a priority, even though the OS-level privilege "
933+ "checks already prevent unprivileged access."
934+ msgstr ""
935+
936+ msgid ""
937+ "Setting this variable does **not** affect other OS-level debugging "
938+ "interfaces (``ptrace``, ``/proc``, ``task_for_pid``, etc.), which remain "
939+ "available according to their own permission models."
940+ msgstr ""
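Review bot: Every entry added at lines 867-940 has an empty `msgstr ""`, so the Polish build will fall back to the English source for the whole "Security and threat model" section, including the entry for `PYTHON_DISABLE_REMOTE_DEBUG`. That is acceptable for a template sync, but this text defines what is and is not treated as a vulnerability, so it deserves priority when translations are filled in. When they are, the reST markup in each msgid has to be carried over unchanged (the double-backtick literals such as ``ptrace`` and ``CAP_SYS_PTRACE``, and the `:envvar:` and `:option:` roles). The bold `**not**` in the entries at 892-893, 909 and 937 must stay an emphasised negation, because losing or weakening it would invert the stated scope.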