This sounds like a great idea. One of the qualities that makes it great
is that I believe "the community" could tackle this as a generally
useful open-source component, without me doing most of the work. ;)
I agree that Ur/Web is unusually well positioned to drive such a service
securely. A little-known feature is language-enforced resource limits,
configured with the 'limit' .urp directive (see the manual for
details). I believe they will be sufficient for a demo environment like
this, with no other resource enforcement required, beyond possibly
limiting how many demo apps can be running at once. (It becomes
necessary to use SQLite to take full advantage of resource limits, as I
could not find a lightweight way to limit database size for PostgreSQL
or MySQL.)
Sergey, anyone else out there: might I be able to interest you in
implementing and/or hosting such a service? I would be very happy to
link to it prominently from the Ur project site!
On 07/26/2015 10:26 AM, Sergey Mironov wrote:
Also, I would
suggest to develop a live-demo component allowing users to design,
build and run the applications online! Let me explain: one of Ur/Web's
killer features is IMHO an ability to write small web applications in
a single file. One can stress the attention on this feature by placing
the online development environment to the site. Luckily, such a
component should be very simple in the Ur/Web case (unlike any other
language where stand-alone security checkers / DB integration code are
required).
Here is the specification draft:
1. The try-it-yourself page consists of an big textbox and the 'Run' button
2. Run button triggers the build process on the server side, which in turn:
2.1 Creates temporary folder $T, copies the context of the box there
2.2 Generates basic *urp file (adds safe libraries, adds sqlite DB,
allows safe urls and so on)
2.3 Runs urweb compiler to build the *exe
2.4 Runs the *exe in a safe environment (one may think about cgroups
or even VirtualBox environment here)
3. If everything is OK, user sees the link to their application
running, also they see 'Download source tarball' button which
downloads the contents of $T
4. There should be a resource monitor to kill the applications after
certain amount of live time or by using different policy, like free
disk space.
What do you think?
_______________________________________________
Ur mailing list
[email protected]
http://www.impredicative.com/cgi-bin/mailman/listinfo/ur
