- Subject: Re: RES: Lua Browser Plugin
- From: David Given <dg@...>
- Date: Wed, 01 Aug 2007 14:33:23 +0100
Rafael - SosCpdTerra wrote:
[...]
> My intent with this post isn't to open or not the source, but how
> can I do that in a secure methodology (believe that can be handled). In this
> stage of development, I give absolutely no control to user. The plug-in is
> installed quietly and is ready to go. Lua code in the browser can do
> whatever Lua can do running directly from a shell. Sorry if I can point that
> first time.
Can the plugin download Lua code off the 'net and run it? Because if so, this
is a huge security risk --- it's not so much a security hole as a huge
gaping abyss! And if it does so without asking the user first (every time),
then it probably also counts as a back door...
But to answer your actual question: if your code has security issues, keeping
the source secret won't help, because anyone interested in finding them will
find them and exploit them anyway. And if your code does not have security
issues, releasing the source won't hurt, because there are no security issues
to find. So on balance you might as well release it: that way you get wider
exposure, more people interested in it, and potentially patches.
--
┌── dg@cowlark.com ─── http://www.cowlark.com ───────────────────
│
│ "There does not now, nor will there ever, exist a programming language in
│ which it is the least bit hard to write bad programs." --- Flon's Axiom