Hi,

On Thursday, December 17, 2015 at 10:45:21 PM UTC+1, [email protected] wrote:
>
> Microsoft themselves distributes untrusted executables, just download:
> and run
> https://technet.microsoft.com/en-us/sysinternals/processexplorer.aspx

Yes, I know and that's a shame.

> And you will see that the dialog window pops up saying it is an untrusted
> executable downloaded from the internet.

Yes, and imo that's a problem, because our users will be trained to ignore this dialog. I'm sure many Windows users don't read warning dialogs at all and just click OK, which opens the door for yet another new browser toolbar ;)

> Unlike Microsoft, all the source code is freely and openly available
> at github so that anyone can see what it does, and change it if they want.

That's good and you should add a license file and a readme to your repo. I didn't say that your code is not safe. I have concerns about the mechanism you chose to spread the app.

> Thirdly, it binds only to 127.0.0.1 which prevents any external
> attacks from the network.
>
> Fourthly, I am willing to add any other security features you think
> may be needed.

I think the backup files should be plain text files, e.g. empty-x-y-z.html, or empty-x-y-z.html.zip if you like to compress them. I also think that backups should be stored in a subfolder. Plain text files can do no harm at the moment and it's very likely that they won't do harm in the next 20+ years.

TiddlyWiki uses plain html files, because there are a lot of advantages.

- html is plain text and human readable, with every simple text editor
- plain text will be easily readable for the next 20++ years
- plain text is agnostic to operating systems.
- HTML works on any platform that has a browser.
- it's easy to send text files per mail. They are not blocked by corporate firewalls
- it's easy to verify if 2 files contain the exact same content.
- So verifying if a local empty.html is the same as github empty.html is easy
- comparisons are human readable.
- ...

All of the above is _not_ true for executables.

> It does produce a new executable to keep with the single file principle,
> but the new executable doesn't include new executable code, only zipped
> data appended to the end of the executable.

Yes. So the executables are duplicated all over the place and for normal users it's impossible to check if only the content is modified or the .exe was modified too.

Tobias mentioned that executables may be safe if I trust the source. IMO they are not.

- Let's say I trust your github repo and I can download the program from there. Let's name it twexe.exe
- Let's say I like the program and your future license allows redistributing. I trust myself, so I can download twexe.exe from my forked repo too.
- Let's say the "man in the middle" also likes the program. He modifies it and distributes it as twexe.exe
- I download and rename my local version to myContent.exe and add some tiddlers.
- I send myContent to Tobias per mail.

I think all of this behaviour is fine, and imo totally real-world behaviour. So it should be fine, right?

Let me ask 3 very simple questions:

- How can Tobias check if I didn't mess with the executable, and that it is safe to use it?
- How can Tobias be sure that myContent is a child of twexe.exe from ihm4u and not from the "man in the middle"?
- How can our users do the same?

> You can compare the bytes of the two files and see that they differ
> only at the beginning of the appended zip section.

Yes I can, but does your family?

> If I wrote malicious code I would not make the source code available
> like it is, and would not make a public announcement like this.

I don't know. ... You joined github in October <https://github.com/ihm4u>. There is no real name and no e-mail address. ... I don't know you.

> As a matter of fact I originally wrote it because I was thinking of a
> family member that has a hard time with computers, and I wanted
> something easy for them.

I love the idea, to make it easy for users to work with tiddlywiki.

I actually thought quite some time about it, if I should raise my voice. There have been several hours between creating the issue on github and my post there in the group. I chose to start the discussion, because I have concerns about the approach that was chosen. I'm fine with something that is similar to tiddly desktop and I still think your program has potential, but I think there should be only one app that can work with standard or zipped html text files.

> I just made it available to the community because
> I thought it would be useful.

As I saw your announcement I thought: "Great, that's an interesting approach". As I saw the video and thought about it: ... "uuups, I'm concerned"

> For that matter, the node.js server can also do malicious things under
> the covers if it wanted to,
> but the source code is available and anyone can see what it does.

As I see it, nwjs is signed <https://github.com/nwjs/nw.js/issues/3454#issuecomment-147933335>. ... But we still need to find a convenient way to verify if tw plugins are safe to use. There is no "chain of trust" that we can use to verify the stuff at the moment.

> Registering a different extension doesn't make it more secure. If it
> had malicious code inside
> it would run anyways after the extension was registered.

That's right, but there is only one executable that needs to be monitored.

regards
mario
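
Added example, not part of the original message or of the twexe project: one way a recipient could check the point debated above, that a redistributed copy differs from a reference executable only in its appended ZIP. It assumes the ZIP was built separately and concatenated (central-directory offsets relative to the archive start) and that the reference hash comes from a source the recipient already trusts; all function names and sample bytes are constructed for illustration.

```python
import hashlib
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"  # ZIP end-of-central-directory signature
EOCD_LEN = 22             # fixed-size part of that record


def zip_start(data: bytes) -> int:
    """Offset where the appended ZIP begins; len(data) if there is none."""
    # The EOCD is the last record, followed only by a comment of <= 65535 bytes.
    pos = data.rfind(EOCD_SIG, max(0, len(data) - EOCD_LEN - 0xFFFF))
    if pos < 0 or pos + EOCD_LEN > len(data):
        return len(data)
    cd_size, cd_offset = struct.unpack_from("<II", data, pos + 12)
    # Assumption: offsets are relative to the archive start, so everything
    # before (central directory + its offset) is the executable stub.
    start = pos - cd_size - cd_offset
    if start < 0:
        raise ValueError("inconsistent ZIP central directory")
    return start


def stub_sha256(data: bytes) -> str:
    """SHA-256 of everything before the appended ZIP (the code part)."""
    return hashlib.sha256(data[:zip_start(data)]).hexdigest()


def same_stub(candidate: bytes, trusted_stub_hash: str) -> bool:
    """True if the candidate's code part matches the trusted reference hash."""
    return stub_sha256(candidate) == trusted_stub_hash


def make_sample(stub: bytes, tiddlers: dict) -> bytes:
    """Constructed test input: fake stub bytes plus a ZIP built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, text in tiddlers.items():
            zf.writestr(name, text)
    return stub + buf.getvalue()


if __name__ == "__main__":
    stub = b"MZ" + bytes(range(256)) * 4  # constructed bytes, not a real PE
    reference = make_sample(stub, {"empty.tid": "hello"})
    child = make_sample(stub, {"empty.tid": "hello", "mine.tid": "notes"})
    patched = make_sample(stub[:100] + b"\xcc" + stub[101:], {"empty.tid": "hello"})
    trusted = stub_sha256(reference)
    print("child ok:", same_stub(child, trusted))
    print("patched ok:", same_stub(patched, trusted))
```

A match only shows that the code part equals the reference; whether the reference itself deserves trust is the separate "chain of trust" question raised in the message.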

