Robin,

Thanks for expanding, your point makes much more sense now (and seems much more reasonable :P). There are some responses below (after the quote):
On Wed, Jun 17, 2009 at 9:10 AM, Robin Mills <[email protected]> wrote:
>
> However it might be nice if Python was able to refuse to run scripts which
> don't have a valid digital certificate - and that would make "alien" scripts
> less dangerous.
>
> So it all adds up to "The issue is with Python, not Phatch".
>

We could put something in to check scripts against a "verified good" Phatch "app store". It's not that hard to do an HMAC that's digitally signed with the phatchdev private key. This is close to trivial to write, particularly if we use a nice framework like Keyczar from Google. Of course then we can only verify official action lists -- which is a game we may not want to play.

As for where the issue lies, I'd put equal parts of it in Phatch, Python, and the current computing model.

Phatch -- we want to run arbitrary external scripts and programs, which is isomorphic to running untrusted code. This desire introduces the issue to begin with.

Python -- no built-in code signing, no restricted shell execution environment.

Computing model -- too much power to each process/program, no good way of reliably restricting things, too much interdependence resulting in all-or-nothing permissions models in the real world.

Regards,
Erich
_______________________________________________
Mailing list: https://launchpad.net/~phatch-dev
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~phatch-dev
More help   : https://help.launchpad.net/ListHelp
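The "verify the action list before running it" idea from Erich's message, as an added example that is not part of the thread and not Phatch's own code. It uses only the Python standard library, so it shows the symmetric half of what Erich describes: an HMAC-SHA256 tag over a canonical serialization of the action list, checked in constant time, with the loader refusing by default whenever the tag is missing, malformed, or does not match. The key, the JSON-based action-list shape and the sample actions are all constructed for this example. The caveat is the one Erich hints at: an HMAC key has to stay secret on the verifying side, so for a public distribution channel you would wrap this in a real asymmetric signature (what Keyczar or a modern library would give you), which the standard library does not provide.

```python
import hashlib
import hmac
import json

# Constructed key for the example. With a plain HMAC the verifier holds the
# same secret as the signer, so this only works where that secret can be kept
# out of users' hands; a public-key signature would remove that constraint.
SIGNING_KEY = b"constructed-example-key-do-not-use"


def canonical_bytes(action_list):
    """Serialize deterministically so the same list always produces the same bytes.

    Sorted keys and fixed separators mean key order and whitespace in the
    on-disk file cannot change the tag.
    """
    return json.dumps(action_list, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_action_list(action_list, key=SIGNING_KEY):
    """Return a hex HMAC-SHA256 tag over the canonical form of the action list."""
    return hmac.new(key, canonical_bytes(action_list), hashlib.sha256).hexdigest()


def verify_action_list(action_list, tag, key=SIGNING_KEY):
    """True only if a tag is present and matches; comparison is constant-time."""
    if not isinstance(tag, str) or not tag:
        return False
    expected = sign_action_list(action_list, key)
    return hmac.compare_digest(expected, tag)


def load_action_list(package, key=SIGNING_KEY):
    """Refuse-by-default loader.

    `package` is the constructed on-disk shape {"actions": [...], "tag": "..."}.
    Anything that does not verify raises instead of being handed to the
    executor, which is the "refuse to run unsigned scripts" policy from the
    thread applied at the application layer rather than in Python itself.
    """
    actions = package.get("actions")
    tag = package.get("tag")
    if actions is None or not verify_action_list(actions, tag, key):
        raise PermissionError(
            "action list is unsigned or its tag does not verify; refusing to run"
        )
    return actions


# Constructed sample action list in the hypothetical format used above.
SAMPLE_ACTIONS = [
    {"action": "scale", "width": 800, "height": 600},
    {"action": "save", "format": "jpg", "quality": 85},
]


def package_for_distribution(action_list, key=SIGNING_KEY):
    """What the 'app store' side would publish: the list plus its tag."""
    return {"actions": action_list, "tag": sign_action_list(action_list, key)}


if __name__ == "__main__":
    signed = package_for_distribution(SAMPLE_ACTIONS)
    print("verified:", load_action_list(signed) == SAMPLE_ACTIONS)

    # Tampering with one field (an attacker swapping the save step for an
    # external command, say) invalidates the tag and the loader refuses it.
    tampered = json.loads(json.dumps(signed))
    tampered["actions"][1]["action"] = "run_external"
    try:
        load_action_list(tampered)
    except PermissionError as exc:
        print("tampered:", exc)
```

Two things worth checking when adapting this: the canonicalization must be applied identically on both sides (any field the signer did not cover, such as a comment block in the file, is by definition unprotected), and the unsigned path must be a hard failure rather than a warning, or the check becomes the all-or-nothing permission model Erich complains about with the "nothing" removed.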

