On Mon, 15 Dec 2008 17:09:58 -0200 "Gustavo Sverzut Barbieri"
<barbi...@profusion.mobi> babbled:

> > Give a look at Edgar as probably we need to discuss some security issue ;)
> 
> yes, executing shell from scripts is too bad.... tooooo bad!

indeed. VERY BAD. modules are low-level things, compiled and thus they come
with the known ability to be "insecure" - ie can run stuff, modify and delete
files etc. a module like edgar that provided an api (lua for example) and with
k-s's suggestion of data providers etc. in an "organised safe way" would be
good. the problem is a lot of things might want arbitrary network io or disk io
access and this is a security problem when people just "download at a click of
a button". providing a sandbox where anything the module does can be limited to
"innocuous" actions is good. also something like lua is small and fast AND can
be sandboxed, and avoids needing a compile thus this will work. themes and
wallpapers work because they are platform-agnostic. they work everywhere edje
works. modules need compiling and imho probably will always be distributed as
system packages (.deb or .rpm or whatever) or compiled by people. providing a
module like edgar that acts as a stepping-stone to a "safe execution
environment" for stuff is the right thing. nb - edje itself should not do this.
it is a theme/ui abstraction layer. not a programming environment. what you'd
want is a lua script COMBINED with an edje file (the lua can be tagged into
the .edj file as an extra data key and run from there by an "edgar" module).

so.. the gates are open to do it. it's not on the e17 release todo - but it's
orthogonal. it can be done any time as a module. my recommendation would be lua
- as it's targeted for use in edje sometime (in the nearish future) to
eventually replace embryo. lua is a damn good language for these small things.
the python people of the world of course will say python is the best thing (it
definitely is much larger and heavier than lua) but i think python fits a
completely different development realm - closer to the "writing a full app in
c/c++" realm, but for those not confident in c/c++ or requiring portability
from the start without compiling.

> if we had lua already, I'd say we should execute sandboxed lua
> scripts, since we do not (and possibly will not in near future) we
> should figure out which kind of commands we'd need and expose them in
> embryo, just for edgar modules (I suppose this is possible).
> 
> maybe be flexible enough to do things like store db (sqlite3) values
> for game scores or bare minimum preferences  and download urls +
> regular expressions to parse them, maybe some dbus calls. it's hard to
> say without trying to do some modules and coming with requirements.
> 
> KDE guys have this for plasma as "data providers", they have a bunch
> of available providers like some to report system status from /sys,
> including cpu, memory and cpu (they use their own abstraction called
> "solid").
> 
> splitting our existing modules in providers and views could be useful,
> but it's a huge work and I don't know if someone is willing to take that.
> Maybe it would be easier to just write a hal bridge to embryo and use
> generic calls like get_hal_int(property_name),
> get_hal_float(property_name)...
> 
> -- 
> Gustavo Sverzut Barbieri
> http://profusion.mobi embedded systems
> --------------------------------------
> MSN: barbi...@gmail.com
> Skype: gsbarbieri
> Mobile: +55 (19) 9225-2202
> 
> ------------------------------------------------------------------------------
> SF.Net email is Sponsored by MIX09, March 18-20, 2009 in Las Vegas, Nevada.
> The future of the web can't happen without you.  Join us at MIX09 to help
> pave the way to the Next Web now. Learn more and register at
> http://ad.doubleclick.net/clk;208669438;13503038;i?http://2009.visitmix.com/
> _______________________________________________
> enlightenment-devel mailing list
> enlightenment-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/enlightenment-devel
> 


-- 
------------- Codito, ergo sum - "I code, therefore I am" --------------
The Rasterman (Carsten Haitzler)    ras...@rasterman.com
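
The sandboxing approach discussed in this message, as an added example that is not part of the original e-mail and is not Enlightenment or edgar code: a host runs an untrusted Lua script inside a whitelist environment with no os, io, require or bytecode loading. The name get_hal_int comes from the quoted suggestion; its implementation, the property name and the sample scripts are hypothetical and constructed for illustration.

```lua
-- Added example: run an untrusted widget script in a whitelist environment.
-- Works on Lua 5.1 (setfenv) and Lua 5.2+ (load with an env argument).

-- Host-side data provider: the only way a script can read system state.
local hal = { ["battery.charge_level.percentage"] = 87 }  -- constructed sample data
local function get_hal_int(name)
  if type(name) ~= "string" then error("property name must be a string", 2) end
  return hal[name]
end

-- Fresh environment per script, so scripts cannot interfere with each other.
-- Library tables are copies: the script never holds the real math/string tables.
local function new_env()
  return {
    get_hal_int = get_hal_int,
    tostring = tostring, tonumber = tonumber, type = type,
    pairs = pairs, ipairs = ipairs,
    math = { floor = math.floor, max = math.max, min = math.min },
    string = { format = string.format, sub = string.sub, len = string.len },
  }
end

local function run_sandboxed(source, chunkname)
  -- Refuse precompiled chunks: crafted bytecode can bypass the language's checks.
  if source:byte(1) == 27 then return false, "precompiled bytecode refused" end
  local env, fn, err = new_env(), nil, nil
  if setfenv then                        -- Lua 5.1
    fn, err = loadstring(source, chunkname)
    if fn then setfenv(fn, env) end
  else                                   -- Lua 5.2 and later, text chunks only
    fn, err = load(source, chunkname, "t", env)
  end
  if not fn then return false, err end
  return pcall(fn)                       -- script errors never reach the host
end

-- A well-behaved script that only uses the exposed API.
print(run_sandboxed([[
  local pct = get_hal_int("battery.charge_level.percentage")
  return string.format("battery: %d%%", pct)
]], "=battery_widget"))

-- os is absent from the environment, so this raises an error inside pcall.
print(run_sandboxed([[ os.execute("echo hi") ]], "=shell_widget"))

-- Not covered here: CPU and memory limits (for example a debug.sethook
-- instruction budget), and string methods reached through the string metatable.
```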

