Hi PMario,
Quoting PMario <pmari...@gmail.com>:
> Hi,
>
> On Thursday, December 17, 2015 at 10:45:21 PM UTC+1, ih...@newsfromgod.com wrote:
>
>> Microsoft themselves distributes untrusted executables, just download and run
>> https://technet.microsoft.com/en-us/sysinternals/processexplorer.aspx
>
> Yes, I know and that's a shame.
>
> Yes, and imo that's a problem, because our users will be trained to ignore
> this dialog. I'm sure many windows users don't read warning dialogs at all
> and just click ok, which opens the door for yet a new additional browser
> toolbar ;)
So you agree that Microsoft distributes "untrusted" executables, but then
why do you make such a problem about twexe? You would have to go after
Microsoft and all the millions of open source developers out there that have
"untrusted" executables (including Jeremy with TiddlyDesktop).
>> Unlike Microsoft, all the source code is freely and openly available at
>> github so that anyone can see what it does, and change it if they want.
>
> That's good and you should add a license file and a readme to your repo.
>
> I didn't say that your code is not safe. I have concerns about the
> mechanism you chose to spread the app.
I can put links to download the file as a zip file, just like TiddlyDesktop
does. This does not increase security, but it will help people that are
worried about dialog boxes.

I will add the MIT license to the repo.
> I think the backup files should be plain text files, e.g. empty-x-y-z.html
> or empty-x-y-z.html.zip if you like to compress them.
>
> I also think that backups should be stored in a sub folder. Plain text
> files can do no harm at the moment and it's very likely that they won't do
> harm for the next 20+ years.
As I mentioned in the thread, you can choose your backup directory and
you can have twexe store the html files directly.
> TiddlyWiki uses plain html files, because there are a lot of advantages:
>
> - html is plain text and human readable, with every simple text editor
> - plain text will be easily readable for the next 20++ years
> - plain text is agnostic to operating systems.
> - HTML works on any platform that has a browser.
> - it's easy to send text files per mail. They are not blocked by corporate
>   firewalls
> - it's easy to verify if 2 files contain the exact same content.
>   - So verifying if a local empty.html is the same as github empty.html
>     is easy
>   - comparisons are human readable.
> - ...
>
> All of the above is _not_ true for executables.
I am not writing a replacement for tiddlywiki, I think tiddlywiki is great
as it is. If you don't like twexe, don't use it, but don't prevent others
from using it if they want to.
> Yes. So the executables are duplicated all over the place and for normal
> users, it's impossible to check if only the content is modified or the
> .exe was modified too.
They are not copied all over the place. It is very structured and
organized:

1. The user can specify the backup directory where they want executable
   backups to go
2. The temporary files are all stored under one directory in the operating
   system temp directory

That's it.
> Let me ask 3 very simple questions:
>
> - How can Tobias check if I didn't mess with the executable, and it is
>   safe to use it?
> - How can Tobias be sure that myContent is a child of twexe.exe from
>   ihm4u and not from the "man in the middle"?
> - How can our users do the same?
This is not a problem with twexe or tiddlywiki. Any download from github or
any other web source has the same problem. I can fork TiddlyDesktop and the
same problems you talk about will show up.

For that matter, the node.js server can also do malicious things under
the covers if it wanted to, but the source code is available and anyone can
see what it does.
> As I see it, nwjs is signed
> <https://github.com/nwjs/nw.js/issues/3454#issuecomment-147933335> ...
Just to make things clear to you, so that you can see TiddlyDesktop NW.EXE
is NOT SIGNED:

1. Download sigcheck from
   https://technet.microsoft.com/en-us/sysinternals/bb897441.aspx
   - This is a Microsoft signature check tool, which people knowledgeable
     about "security" should know about.
2. Download TiddlyDesktop version 0.8
3. Run sigcheck against the nw.exe INSIDE TiddlyDesktop
4. Just to save you the time, here is the output:

Sigcheck v2.30 - File version and signature viewer
Copyright (C) 2004-2015 Mark Russinovich
Sysinternals - www.sysinternals.com[1]
Z:\tmp\tiddlydesktop-win32-v0.0.8\nw.exe:
Verified: Unsigned
Link date: 1:30 AM 7/29/2015
Publisher: n/a
Company: n/a
Description: n/a
Product: n/a
Prod version: n/a
File version: n/a
MachineType: 32-bit
Microsoft's signature verification tool says TiddlyDesktop NW.EXE is NOT
SIGNED. If you have such a problem with unsigned executables you should ask
Jeremy to stop distributing TiddlyDesktop also.

By the way, let me know if you are willing to buy a certificate for twexe
and pay for the fees and the possible periodic renewal charges. I will be
happy to sign twexe to make you happy. The names of two vendors are Verisign
and Thawte if you want to look into it. I am not sure, but I think the
certificates need to be renewed periodically. You should buy a certificate
for TiddlyDesktop also.

If you continue to have security concerns about twexe, just point to one
line in the source code that does a malicious thing, and I will be happy to
erase or modify anything you want.

All the other things that you mentioned are concerns with any software
downloaded from the internet, including TiddlyDesktop, and they have nothing
to do with twexe specifically, as Tobias pointed out.

Thanks
Links:
------
[1] http://www.sysinternals.com
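Added illustration, not part of this thread and not code from the twexe or TiddlyDesktop projects: the two checks the thread keeps circling back to are "does this .exe carry any Authenticode signature at all" (the simplest thing behind sigcheck's "Verified: Unsigned" line) and "are these two files byte-for-byte the same" (the plain-text comparison point, and the only check a normal user can repeat against a published hash). The parser below reads just the PE header fields needed to locate the Attribute Certificate Table; the PE images it is run on are constructed fixtures, not real executables, and finding a certificate table is not the same as a valid, trusted signature (no chain or trust-store validation is done here).

```python
import hashlib
import struct

# Index of the Attribute Certificate Table (the Authenticode blob) in the
# optional header's data directory, per the PE/COFF specification.
IMAGE_DIRECTORY_ENTRY_SECURITY = 4


def pe_signature_info(data: bytes) -> dict:
    """Report whether a PE image embeds an Authenticode certificate table.

    Presence check only: it does not parse the PKCS#7 blob, validate the
    certificate chain, or consult any trust store.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ header)")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    coff = e_lfanew + 4
    (machine, _nsect, _stamp, _symtab, _nsyms,
     opt_size, _chars) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:          # PE32: NumberOfRvaAndSizes at +92, directories at +96
        bits, n_off, dd_off = 32, opt + 92, opt + 96
    elif magic == 0x20B:        # PE32+: NumberOfRvaAndSizes at +108, directories at +112
        bits, n_off, dd_off = 64, opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    info = {"machine": machine, "bits": bits, "signed": False,
            "cert_offset": 0, "cert_size": 0}
    (n_dirs,) = struct.unpack_from("<I", data, n_off)
    entry = dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    # The entry must exist and lie inside the optional header as declared.
    if n_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY or entry + 8 > opt + opt_size:
        return info
    cert_offset, cert_size = struct.unpack_from("<II", data, entry)
    # For this directory the first field is a raw file offset, not an RVA.
    info["cert_offset"], info["cert_size"] = cert_offset, cert_size
    info["signed"] = (cert_offset != 0 and cert_size != 0
                      and cert_offset + cert_size <= len(data))
    return info


def verdict(data: bytes) -> str:
    """One-line summary in the spirit of sigcheck's 'Verified:' field."""
    info = pe_signature_info(data)
    if not info["signed"]:
        return "Unsigned"
    return "Certificate table present (%d bytes, not validated)" % info["cert_size"]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def same_content(a: bytes, b: bytes) -> bool:
    """Byte-for-byte equality via digest: the check a user can repeat against a published hash."""
    return sha256_hex(a) == sha256_hex(b)


def build_minimal_pe(with_cert: bool, pe32plus: bool = False) -> bytes:
    """Constructed test fixture: a PE header skeleton with zero sections.

    Not a runnable program; it exists only to exercise the parser above.
    """
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)   # 64-byte DOS header
    n_dirs = 16
    dd_off = 112 if pe32plus else 96
    opt_size = dd_off + 8 * n_dirs
    coff = struct.pack("<HHIIIHH",
                       0x8664 if pe32plus else 0x14C,   # AMD64 / i386
                       0, 0, 0, 0, opt_size, 0x0002)     # IMAGE_FILE_EXECUTABLE_IMAGE
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<I", opt, 108 if pe32plus else 92, n_dirs)
    cert_blob = b""
    if with_cert:
        # Constructed placeholder standing in for a WIN_CERTIFICATE structure;
        # it is not a real PKCS#7 SignedData blob.
        cert_blob = b"CONSTRUCTED-PLACEHOLDER-CERTIFICATE-TABLE"
        cert_offset = len(dos) + 4 + len(coff) + opt_size
        struct.pack_into("<II", opt, dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         cert_offset, len(cert_blob))
    return dos + b"PE\0\0" + coff + bytes(opt) + cert_blob


if __name__ == "__main__":
    unsigned, signed = build_minimal_pe(False), build_minimal_pe(True)
    print("unsigned fixture:", verdict(unsigned))
    print("signed fixture:  ", verdict(signed))
    print("identical copies:", same_content(unsigned, bytes(unsigned)))
    print("tampered copy:   ", same_content(unsigned, unsigned[:-1] + b"\x01"))
```

On a real file, `pe_signature_info(open(path, "rb").read())` answers only the narrower question of whether a signature is attached; an "Unsigned" result is conclusive, while a present table still needs a real verifier (sigcheck, or `Get-AuthenticodeSignature` in PowerShell) to say whether it chains to a trusted publisher. The digest comparison is the part that does not depend on any vendor: if the publisher posts the hash next to the download, a user can tell a modified copy from the original without trusting the download channel.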
--
You received this message because you are subscribed to the Google Groups "TiddlyWiki" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/tiddlywiki/20151218092016.Horde.He95BEFBynHIzK5RTLqiYk1%40www.newsfromgod.com.