On Tuesday, February 11, 2014 5:13:59 PM UTC-6, henrik lindberg wrote:

> I am not so hot on marking if a resource reference is for a plugin type
> or a user defined type - but I am for separating Class from the rest.

I think separating classes from other types is a fine idea, considering that implementation notwithstanding, on the DSL side classes have a few important characteristics that distinguish them from resources.

I also think that there is some value in marking defined types to distinguish them from plugins. Performance considerations aside, I find it troubling that the agent can be induced to load random Ruby code by dropping it in a file named after a defined type in an incoming catalog. The issue is mitigated by the fact that Puppet's lib directory is normally subject to access controls making user privilege required to execute such an attack, but I'm nevertheless inclined to favor defense in depth.

John
