l4-hurd

Re: The Perils of Pluggability


From: Jonathan S. Shapiro
Subject: Re: The Perils of Pluggability
Date: Mon, 10 Oct 2005 08:20:12 -0400

On Mon, 2005-10-10 at 11:06 +0200, Ludovic Courtès wrote:
> I remember your saying at LSM that Emacs-like extensible systems are
> "bad" in that they may have easily-exploitable vulnerabilities.

Actually, this is not quite what I said. Here is a better capture of my
real view:

  Most designers of scripting systems fail to consider that they
  are building powerful, general-purpose programming systems, and
  that these programming systems will be abused. It is possible
  to design good scripting systems, but it is difficult, and it
  requires skills and training (or experience) that few programmers
  have.

> 1. In the case of Emacs, I'm not aware of any malicious use of
>    modelines, and I'm not aware of any other way to execute code in the
>    user's back;

I am not aware of one either, but this isn't really relevant. I wasn't
arguing against Emacs. I was arguing against a style of scripting
engines. There are *hundreds* of other applications with engines
fundamentally similar to the one used in Emacs that *have* been
exploited.

> 2. extensibility and flexibility have always been an important goal for
>    GNU Project's programs, as a way to give users more freedom;  as a
>    user, I appreciate it.

More freedom must be balanced against more vulnerability.

> Extensibility is not a synonym of vulnerability.

Of COURSE it is! Running code without control where you don't know what
the code does isn't vulnerable? Who has been giving you these wonderful
drugs?

But it is also necessary. I do not propose that we give up
extensibility. I propose that we architect systems in which the
vulnerability that is inherent in extensibility is a manageable thing.

>   Additionally,
> "security" should not serve as a buzzword in favor of non-extensible
> monolithic designs.

Yes. Good. Consider yourself buzzword compatible and ideologically pure.
This comment has absolutely nothing to do with what I said.




