Re: [fossil-users] With jimtcl available can we have hooks that trigger tcl scripts stored in the db?

[Matt Welland]

On Mon, Feb 13, 2012 at 7:26 PM, Leo Razoumov  wrote:

> On Mon, Feb 13, 2012 at 18:30, Gé Weijers  wrote:
> > On Mon, Feb 13, 2012 at 1:49 PM, Steve Bennett 
> > wrote:
> >>
> >> Joe Mistachkin has recently added support for calling TH1 scripts on
> >> certain actions.
> >> See http://www.fossil-scm.org/index.html/info/0b61e3c019
> >>
> >> In the jimtcl branch, TH1 is replaced with Jim Tcl, so any of these
> >> scripts has the full power of Jim Tcl, including exec.
> >>
> >
> > This sounds a whole lot like mobile code. I was left wondering: would it
> be
> > enough to do a 'fossil clone ' to download a malware script
> > onto my system? How is this capability secured?
>
> Are TH1 and Tcl interpreters properly sand-boxed? Otherwise,
> downloading and running random scripts found in some random repos does
> not strike me as a sound security.
>

I don't know what others plan on doing with this but in no usage that I can
think of would automatically syncing the scripts to another repo make
sense. Perhaps they could come across on a config pull.



> --Leo--
> ___
> fossil-users mailing list
> fossil-users@lists.fossil-scm.org
> http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
>
___
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users

Re: [fossil-users] With jimtcl available can we have hooks that trigger tcl scripts stored in the db?

[Leo Razoumov]

On Mon, Feb 13, 2012 at 18:30, Gé Weijers  wrote:
> On Mon, Feb 13, 2012 at 1:49 PM, Steve Bennett 
> wrote:
>>
>> Joe Mistachkin has recently added support for calling TH1 scripts on
>> certain actions.
>> See http://www.fossil-scm.org/index.html/info/0b61e3c019
>>
>> In the jimtcl branch, TH1 is replaced with Jim Tcl, so any of these
>> scripts has the full power of Jim Tcl, including exec.
>>
>
> This sounds a whole lot like mobile code. I was left wondering: would it be
> enough to do a 'fossil clone ' to download a malware script
> onto my system? How is this capability secured?

Are TH1 and Tcl interpreters properly sand-boxed? Otherwise,
downloading and running random scripts found in some random repos does
not strike me as a sound security.

--Leo--
___
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users

Re: [fossil-users] With jimtcl available can we have hooks that trigger tcl scripts stored in the db?

[Nolan Darilek]

Maybe make them a config area that must be explicitly pushed, pulled or 
synced along with skins, users, etc.? (Assuming that isn't how they're 
already implemented.)



On 02/13/2012 05:37 PM, Steve Bennett wrote:

On 14/02/2012, at 9:30 AM, Gé Weijers wrote:




On Mon, Feb 13, 2012 at 1:49 PM, Steve Bennett 
mailto:ste...@workware.net.au>> wrote:


Joe Mistachkin has recently added support for calling TH1 scripts
on certain actions.
See http://www.fossil-scm.org/index.html/info/0b61e3c019

In the jimtcl branch, TH1 is replaced with Jim Tcl, so any of
these scripts has the full power of Jim Tcl, including exec.


This sounds a whole lot like mobile code. I was left wondering: would 
it be enough to do a 'fossil clone ' to download a malware 
script

onto my system? How is this capability secured?


I'm sure Joe could tell you how it is implemented, but I don't see how 
it would
make any sense to clone these scripts. Aren't some settings 
transferred with clone and some not?

Surely these are in the "not" group.

Cheers,
Steve
--
µWeb: Embedded Web Framework - http://uweb.workware.net.au/
WorkWare Systems Pty Ltd
W: www.workware.net.au   P: +61 434 
921 300
E: ste...@workware.net.au    F: +61 7 
3391 6002








___
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users


___
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users

Re: [fossil-users] With jimtcl available can we have hooks that trigger tcl scripts stored in the db?

[Steve Bennett]

On 14/02/2012, at 9:30 AM, Gé Weijers wrote:

> 
> 
> On Mon, Feb 13, 2012 at 1:49 PM, Steve Bennett  wrote:
> Joe Mistachkin has recently added support for calling TH1 scripts on certain 
> actions.
> See http://www.fossil-scm.org/index.html/info/0b61e3c019
> 
> In the jimtcl branch, TH1 is replaced with Jim Tcl, so any of these scripts 
> has the full power of Jim Tcl, including exec.
> 
> 
> This sounds a whole lot like mobile code. I was left wondering: would it be 
> enough to do a 'fossil clone ' to download a malware script
> onto my system? How is this capability secured?

I'm sure Joe could tell you how it is implemented, but I don't see how it would
make any sense to clone these scripts. Aren't some settings transferred with 
clone and some not?
Surely these are in the "not" group.

Cheers,
Steve
--
µWeb: Embedded Web Framework - http://uweb.workware.net.au/
WorkWare Systems Pty Ltd
W: www.workware.net.au  P: +61 434 921 300
E: ste...@workware.net.au   F: +61 7 3391 6002





___
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users

Re: [fossil-users] With jimtcl available can we have hooks that trigger tcl scripts stored in the db?

[Gé Weijers]

On Mon, Feb 13, 2012 at 1:49 PM, Steve Bennett wrote:

> Joe Mistachkin has recently added support for calling TH1 scripts on
> certain actions.
> See http://www.fossil-scm.org/index.html/info/0b61e3c019
>
> In the jimtcl branch, TH1 is replaced with Jim Tcl, so any of these
> scripts has the full power of Jim Tcl, including exec.
>
>
This sounds a whole lot like mobile code. I was left wondering: would it be
enough to do a 'fossil clone ' to download a malware script
onto my system? How is this capability secured?

-- 
Gé
___
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users

Re: [fossil-users] With jimtcl available can we have hooks that trigger tcl scripts stored in the db?

[Joe Mistachkin]

The current Fossil trunk is capable of using TH1 and Tcl in tandem.

First, during configure, enable Tcl support using:

./configure --with-tcl=/path/to/tcl

Then, make sure the "tcl" setting is enabled for the repository (or
globally).

fossil settings tcl 1

Finally, in the TH1 script, you can use:

tclEval {puts stdout "[clock seconds]"}
tclInvoke puts stdout "via Tcl invoke"
tclExpr 2+2

To obtain the full path and file name of the Fossil repository, the TH1
"repository" command may be used:

tclInvoke set repository_name [repository 1]

Also, Tcl can evaluate TH1 scripts as well:

tclInvoke th1Eval {set y "two words"}
tclInvoke th1Expr {2+2}
tclEval {set repository_name [th1Eval repository 1]}

When evaluating Tcl scripts from TH1, all Tcl commands and packages (e.g.
SQLite)
that would be available from tclsh are available in addition to the TH1
specific
commands th1Eval and th1Expr.

--
Joe Mistachkin

___
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users

Re: [fossil-users] With jimtcl available can we have hooks that trigger tcl scripts stored in the db?

[Steve Bennett]

On 14/02/2012, at 7:38 AM, Matt Welland wrote:

> 
> 
> On Mon, Feb 13, 2012 at 1:43 PM, Steve Bennett  wrote:
> 
> On 14/02/2012, at 4:22 AM, Matt Welland wrote:
> 
>> I think it may be very useful if it was possible to call tcl scripts stored 
>> in the repo db (revision controlled files or wiki pages?) at pre/post commit 
>> and other interesting times. I know hooks were previously not accepted since 
>> making things consistent between Windows and Linux was difficult.  But that 
>> concern should be addressed if the hooks call tcl or th1 scripts instead of 
>> directly sending commands to the OS. It looks like jimtcl supplies os.fork, 
>> os.wait etc. but I didn't see a posix system, can jimtcl run commands on 
>> Unix?
> 
> Yes, indeed!
> 
> You want the 'exec' command - 
> http://jim.tcl.tk/fossil/doc/trunk/Tcl_shipped.html#_exec
> 
> You can try this out with the 'jimtcl' branch of fossil.
> 
> Hi Steve,
> 
> This sounds cool, so is the mechanism to call a jimtcl routine implemented on 
> various actions and if so then how do I, for example, call a tcl script when 
> sync is completed?

Joe Mistachkin has recently added support for calling TH1 scripts on certain 
actions.
See http://www.fossil-scm.org/index.html/info/0b61e3c019

In the jimtcl branch, TH1 is replaced with Jim Tcl, so any of these scripts has 
the full power of Jim Tcl, including exec.

There is some ongoing work to be done to identify other points where a script 
could/should be called,
what information is available to the script, and what the script can do.

One thing I would like to see is a Tcl interface into fossil so that scripts 
can do queries against fossil without
resorting to direct sql.

Cheers,
Steve

> 
> Thanks,
> 
> Matt
> -=- 
> Cheers,
> Steve
> 
> --
> µWeb: Embedded Web Framework - http://uweb.workware.net.au/
> WorkWare Systems Pty Ltd
> W: www.workware.net.au  P: +61 434 921 300
> E: ste...@workware.net.au   F: +61 7 3391 6002
> 
> 
> 
> 
> 
> 
> ___
> fossil-users mailing list
> fossil-users@lists.fossil-scm.org
> http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
> 
> 
> ___
> fossil-users mailing list
> fossil-users@lists.fossil-scm.org
> http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users

--
µWeb: Embedded Web Framework - http://uweb.workware.net.au/
WorkWare Systems Pty Ltd
W: www.workware.net.au  P: +61 434 921 300
E: ste...@workware.net.au   F: +61 7 3391 6002





___
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users

Re: [fossil-users] With jimtcl available can we have hooks that trigger tcl scripts stored in the db?

[Matt Welland]

On Mon, Feb 13, 2012 at 1:43 PM, Steve Bennett wrote:

>
> On 14/02/2012, at 4:22 AM, Matt Welland wrote:
>
> I think it may be very useful if it was possible to call tcl scripts
> stored in the repo db (revision controlled files or wiki pages?) at
> pre/post commit and other interesting times. I know hooks were previously
> not accepted since making things consistent between Windows and Linux was
> difficult.  But that concern should be addressed if the hooks call tcl or
> th1 scripts instead of directly sending commands to the OS. It looks like
> jimtcl supplies os.fork, os.wait etc. but I didn't see a posix system, can
> jimtcl run commands on Unix?
>
>
> Yes, indeed!
>
> You want the 'exec' command -
> http://jim.tcl.tk/fossil/doc/trunk/Tcl_shipped.html#_exec
>
> You can try this out with the 'jimtcl' branch of fossil.
>

Hi Steve,

This sounds cool, so is the mechanism to call a jimtcl routine implemented
on various actions and if so then how do I, for example, call a tcl script
when sync is completed?

Thanks,

Matt
-=-

> Cheers,
> Steve
>
> --
> µWeb: Embedded Web Framework - http://uweb.workware.net.au/
> WorkWare Systems Pty Ltd
> W: www.workware.net.au  P: +61 434 921 300
> E: ste...@workware.net.au   F: +61 7 3391 6002
>
>
>
>
>
>
> ___
> fossil-users mailing list
> fossil-users@lists.fossil-scm.org
> http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
>
>
___
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users

Re: [fossil-users] With jimtcl available can we have hooks that trigger tcl scripts stored in the db?

[Steve Bennett]

On 14/02/2012, at 4:22 AM, Matt Welland wrote:

> I think it may be very useful if it was possible to call tcl scripts stored 
> in the repo db (revision controlled files or wiki pages?) at pre/post commit 
> and other interesting times. I know hooks were previously not accepted since 
> making things consistent between Windows and Linux was difficult.  But that 
> concern should be addressed if the hooks call tcl or th1 scripts instead of 
> directly sending commands to the OS. It looks like jimtcl supplies os.fork, 
> os.wait etc. but I didn't see a posix system, can jimtcl run commands on Unix?

Yes, indeed!

You want the 'exec' command - 
http://jim.tcl.tk/fossil/doc/trunk/Tcl_shipped.html#_exec

You can try this out with the 'jimtcl' branch of fossil.

Cheers,
Steve

--
µWeb: Embedded Web Framework - http://uweb.workware.net.au/
WorkWare Systems Pty Ltd
W: www.workware.net.au  P: +61 434 921 300
E: ste...@workware.net.au   F: +61 7 3391 6002





___
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users

Re: [fossil-users] comments in Fossil wiki and embedded documentation?

[Bill Burdick]

I haven't checked into performance, yet, so I'm not sure where, exactly,
the slowdown is.  I'm sure it can be made a lot faster.  This page uses
@pagedown, btw:
https://chiselapp.com/user/zot/repository/fossil-pagedown/doc/pagedown/README.wikiand
it load pretty quickly for me.


Bill


On Mon, Feb 13, 2012 at 10:24 AM, Leo Razoumov  wrote:

> On Sun, Feb 12, 2012 at 19:15, Bill Burdick 
> wrote:
> > May I recommend my markdown plugin?  It's
> > here: http://chiselapp.com/user/zot/repository/fossil-pagedown  It will
> let
> > you use markdown as your wiki language and it also supports XML comments.
>
> Bill,
> I cloned the pagedown repo and started web interface by means of
> "fossil ui pagedown.fossil" on a fast local machine (Ubuntu-10.04).
> Everything works and formatting looks great! But I noticed a two
> seconds delay when clicking "Home" button
> (http://localhost:8080/doc/pagedown/README.wiki). Clicking any other
> button like "Timeline" or "Admin" has no noticeable delay whatsoever.
> I tried in Firefox-10 and Chrome-16 and got about the same 2 secs
> delay. Is it because JS is slow?
>
> --Leo--
>
___
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users

[fossil-users] With jimtcl available can we have hooks that trigger tcl scripts stored in the db?

[Matt Welland]

I think it may be very useful if it was possible to call tcl scripts stored
in the repo db (revision controlled files or wiki pages?) at pre/post
commit and other interesting times. I know hooks were previously not
accepted since making things consistent between Windows and Linux was
difficult.  But that concern should be addressed if the hooks call tcl or
th1 scripts instead of directly sending commands to the OS. It looks like
jimtcl supplies os.fork, os.wait etc. but I didn't see a posix system, can
jimtcl run commands on Unix?
___
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users

Re: [fossil-users] comments in Fossil wiki and embedded documentation?

[Leo Razoumov]

On Sun, Feb 12, 2012 at 19:15, Bill Burdick  wrote:
> May I recommend my markdown plugin?  It's
> here: http://chiselapp.com/user/zot/repository/fossil-pagedown  It will let
> you use markdown as your wiki language and it also supports XML comments.

Bill,
I cloned the pagedown repo and started web interface by means of
"fossil ui pagedown.fossil" on a fast local machine (Ubuntu-10.04).
Everything works and formatting looks great! But I noticed a two
seconds delay when clicking "Home" button
(http://localhost:8080/doc/pagedown/README.wiki). Clicking any other
button like "Timeline" or "Admin" has no noticeable delay whatsoever.
I tried in Firefox-10 and Chrome-16 and got about the same 2 secs
delay. Is it because JS is slow?

--Leo--
___
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users

Re: [fossil-users] comments in Fossil wiki and embedded documentation?

[Bill Burdick]

Yes, markdown (and the JavaScript "pagedown" implementation I use) allows
you to include HTML directly.


Bill


On Sun, Feb 12, 2012 at 7:31 PM, Leo Razoumov  wrote:

> On Sun, Feb 12, 2012 at 19:15, Bill Burdick 
> wrote:
> > May I recommend my markdown plugin?  It's
> > here: http://chiselapp.com/user/zot/repository/fossil-pagedown  It will
> let
> > you use markdown as your wiki language and it also supports XML comments.
>
> Bill,
> thanks you! I will give it a try. BTW, is it possible to include plain
> HTML in markdown? Occasionally one needs full power of the HTML.
>
> --Leo--
>
___
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users