[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: The Perils of Pluggability
From: |
Jonathan S. Shapiro |
Subject: |
Re: The Perils of Pluggability |
Date: |
Mon, 10 Oct 2005 08:20:12 -0400 |
On Mon, 2005-10-10 at 11:06 +0200, Ludovic Courtès wrote:
> I remember your saying at LSM that Emacs-like extensible systems are
> "bad" in that they may have easily-exploitable vulnerabilities.
Actually, this is not quite what I said. Here is a better capture of my
real view:
Most designers of scripting systems fail to consider that they
are building powerful, general-purpose programming systems, and
that these programming systems will be abused. It is possible
to design good scripting systems, but it is difficult, and it
requires skills and training (or experience) that few programmers
have.
> 1. In the case of Emacs, I'm not aware of any malicious use of
> modelines, and I'm not aware of any other way to execute code in the
> user's back;
I am not aware of one either, but this isn't really relevant. I wasn't
arguing against Emacs. I was arguing against a style of scripting
engines. There are *hundreds* of other applications with engines
fundamentally similar to the one used in emacs that *have* been
exploited.
> 2. extensibility and flexibility have always been an important goal for
> GNU Project's programs, as a way to give users more freedom; as a
> user, I appreciate it.
More freedom must be balanced against more vulnerability.
> Extensibility is not a synonym of vulnerability.
Of COURSE it is! Running code without control where you don't know what
the code does isn't vulnerable? Who has been giving you these wonderful
drugs?
But it is also necessary. I do not propose that we give up
extensibility. I propose that we architect systems in which the
vulnerability that is inherent in extensibility is a manageable thing.
> Additionally,
> "security" should not serve as a buzzword in favor of non-extensible
> monolithic designs.
Yes. Good. Consider yourself buzzword compatible and ideologically pure.
This comment has absolutely nothing to do with what I said.
- Re: The Perils of Pluggability (was: capability authentication), (continued)
- Re: The Perils of Pluggability (was: capability authentication), Jonathan S. Shapiro, 2005/10/11
- Re: The Perils of Pluggability (was: capability authentication), Bas Wijnen, 2005/10/11
- Re: The Perils of Pluggability (was: capability authentication), Jun Inoue, 2005/10/12
- Re: The Perils of Pluggability (was: capability authentication), Bas Wijnen, 2005/10/12
- Re: The Perils of Pluggability (was: capability authentication), Jonathan S. Shapiro, 2005/10/12
- instance and instantiator, Neal H. Walfield, 2005/10/13
- Re: instance and instantiator, Jonathan S. Shapiro, 2005/10/13
- Re: instance and instantiator, Marcus Brinkmann, 2005/10/13
- Re: instance and instantiator, Jonathan S. Shapiro, 2005/10/13
Re: The Perils of Pluggability, Ludovic Courtès, 2005/10/10
Re: The Perils of Pluggability, Alfred M. Szmidt, 2005/10/10
Re: The Perils of Pluggability, Jonathan S. Shapiro, 2005/10/10
Re: The Perils of Pluggability, Matthieu Lemerre, 2005/10/10
Re: The Perils of Pluggability, Alfred M. Szmidt, 2005/10/11
Re: The Perils of Pluggability, Jonathan S. Shapiro, 2005/10/11
Re: The Perils of Pluggability, Jonathan S. Shapiro, 2005/10/10
Re: The Perils of Pluggability (was: capability authentication), Alfred M. Szmidt, 2005/10/10