On Mon, 2007-06-11 at 08:29 -0600, John Doty wrote:
> On Jun 11, 2007, at 8:10 AM, John Griessen wrote:
>
> > As far as including scheme code to execute and worry about "danger"
> > of doing that --
> > go right ahead. Just live with the danger, and create some other
> > HID based
> > user interface for irresponsible users to play with safely.
>
> The problem isn't "irresponsible users". It's *malicious* publishers
> of symbols. When data has hooks to allow arbitrary code execution,
> you're giving virus/trojan creators a free ride. We want to promote
> free exchange of symbols, no? The possibility of an infected symbol
> would be a real impediment here.
Assuming it's even a good idea, we could:

Sandbox (probably very hard to get secure without making it useless)

Restrict execution paths (ensuring the user knowingly put the symbol somewhere, or added its path to an allowed list. Might be hard to secure?)

Sign the code, and require an accepted signature before we execute it. (We'd sign with a private key, and ship public key. For anything new, the user gets to choose. This is similar to other things which execute macros, but seems fairly "complex" - it might also require some co-operation from guile).

Peter C

_______________________________________________
geda-dev mailing list
[email protected]
http://www.seul.org/cgi-bin/mailman/listinfo/geda-dev
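One way to implement the "restrict execution paths" option from the thread, as an added example in Python (not gEDA's or guile's own code). It assumes symbols and allowed library directories are plain filesystem paths, and it resolves symlinks and `..` before comparing, since a symlink or a relative path is the obvious way a file could appear to sit in a trusted library while actually living elsewhere; anything outside the allowed list falls back to asking the user.

```python
import tempfile
from pathlib import Path


def under_allowed_dir(symbol_path, allowed_dirs):
    """True only if the symbol, after resolving symlinks and '..',
    lies inside one of the user's allowed library directories."""
    try:
        real = Path(symbol_path).resolve(strict=True)
    except FileNotFoundError:
        return False  # nothing to execute anyway
    for d in allowed_dirs:
        root = Path(d).resolve(strict=True)
        try:
            real.relative_to(root)  # raises ValueError if not under root
            return True
        except ValueError:
            continue
    return False


def execution_policy(symbol_path, allowed_dirs):
    """Decide what to do with Scheme code embedded in a symbol:
    'execute' for symbols the user placed in an allowed library,
    'ask' for everything else (the user then gets to choose)."""
    return "execute" if under_allowed_dir(symbol_path, allowed_dirs) else "ask"


def demo():
    """Constructed scenario (hypothetical paths, not a real gEDA layout):
    one allowed library and a downloads directory outside it."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp, "trusted-lib")
        downloads = Path(tmp, "downloads")
        lib.mkdir()
        downloads.mkdir()
        local = lib / "resistor.sym"
        local.write_text("# constructed placeholder symbol\n")
        foreign = downloads / "mystery.sym"
        foreign.write_text("# constructed placeholder symbol\n")
        # Symlink inside the library pointing at the downloaded file.
        link = lib / "looks-local.sym"
        link.symlink_to(foreign)
        # Path that starts in the library but escapes with '..'.
        dotdot = lib / ".." / "downloads" / "mystery.sym"
        return {
            "in_library": execution_policy(local, [lib]),
            "downloaded": execution_policy(foreign, [lib]),
            "symlink_escape": execution_policy(link, [lib]),
            "dotdot_escape": execution_policy(dotdot, [lib]),
        }
```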
