Re: [Gnash-dev] Gnash whitepaper

[David Rorex]

"Gnash supports the majority of Flash opcodes up to Small Web Format (SWF) version 7,"

Minor nitpick, according to Adobe, SWF does not stand for anything, informally however, I've never heard of it referred to as "Small Web Format" (I have heard it referred to as "ShockWave Flash", but that's a somewhat confusing definition these days).

See Macromedia's (now Adobe's) official position on it:
http://weblogs.macromedia.com/jd/archives/2004/08/shockwave_vs_fl.cfm

On memory tests: It may be useful to provide a comparison of the official standalone flash player running the exact same SWFs. (Perhaps both version 7 and version 9, so we can compare to how the official player has evolved, or possibly gotten worse)

As far as security: 
"Many Flash implementations contain potential security exploits that could compromise a viewer's system." This is a bit vague, pretty much all software contains potential security exploits, even open source software. The more important metrics are the severity of the exploits, and how quickly they are addressed.

"This can be used, for example, to compromise a network device inside a company firewall via a Flash movie running on an employee's browser." 
Unless you are talking about the occasional security-related bug in the official player, this is simply not true. Flash has very strict sandboxes, eg a flash movie running on an employee's browser, will not be able to open any incoming ports, cannot read/write arbitrary files to the local computer, and cannot make any connections besides back to the server where the flash movie was loaded from. Flash has long left out features, in the name of security. There are many things that can be done in Java or ActiveX, which are not possible in Flash, due to the possibility of them being abused.

If you really want to know the nitty gritty details, the flash security whitepaper is a good resource:
http://www.adobe.com/devnet/flashplayer/articles/flash_player_8_security.pdf
but it can be a bit dry reading (and is fairly long).

Overall, it's well written, and nicely presented, I'm impressed.

Thanks,
David R

On 8/15/07, Melissa Goldin <address@hidden> wrote:

Hi all,

I've attached the first draft of the Gnash technical whitepaper.  It
could use some technical review to make sure I've got the details right.

I'm also looking for more information in the ActionScript and
Security sections.  ActionScript is the subject I know the least
about, and I'm pretty sure the memory footprint info is out of date.



Thanks,
Melissa
_______________________________________________
Gnash-dev mailing list
address@hidden
http://lists.gnu.org/mailman/listinfo/gnash-dev