

> Can the plugin download Lua code off the 'net and run it? Because if so, this
> is a huge security risk --- it's not so much a security hole as a huge
> gaping abyss! And if it does so without asking the user first (every time),
> then it probably also counts as a back door...

	Exactly my point. Yes, that can be done so far, and I'm not
controlling that right now. I really don't do that thinking of a back door,
but... ;) like father, like son... I also think about the following: who will
distribute this plug-in?


-----Original Message-----
From: lua-bounces@bazar2.conectiva.com.br
[mailto:lua-bounces@bazar2.conectiva.com.br] On behalf of David Given
Sent: Wednesday, 1 August 2007 10:33
To: Lua list
Subject: Re: RES: Lua Browser Plugin

Rafael - SosCpdTerra wrote:
[...]
> 	My intent with this post isn't to open the source or not, but how
> I can do that in a secure methodology (I believe that can be handled). In this
> stage of development, I give absolutely no control to the user. The plug-in is
> installed quietly and is ready to go. Lua code in the browser can do
> whatever Lua can do running directly from a shell. Sorry if I didn't point
> that out the first time.

Can the plugin download Lua code off the 'net and run it? Because if so, this
is a huge security risk --- it's not so much a security hole as a huge
gaping abyss! And if it does so without asking the user first (every time),
then it probably also counts as a back door...

But to answer your actual question: if your code has security issues, keeping
the source secret won't help, because anyone interested in finding them will
find them and exploit them anyway. And if your code does not have security
issues, releasing the source won't hurt, because there are no security issues
to find. So on balance you might as well release it: that way you get wider
exposure, more people interested in it, and potentially patches.

-- 
┌── dg@cowlark.com ─── http://www.cowlark.com ───────────────────
│
│ "There does not now, nor will there ever, exist a programming language in
│ which it is the least bit hard to write bad programs." --- Flon's Axiom
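The thread's concern is that downloaded Lua "can do whatever Lua can do running directly from a shell". The usual mitigation is to compile untrusted code against a whitelisted environment and to bound how long it may run. The following is an added example written for this archive page; it is not code from the thread or from the plugin under discussion, and it assumes only stock Lua 5.1 (loadstring/setfenv) or 5.2+ (load with an env argument). The sample scripts at the bottom are constructed stand-ins for downloaded code.

```lua
-- Added example, not from the thread or the plugin: run untrusted Lua in a
-- whitelisted environment with an instruction budget. Assumes stock Lua 5.1
-- (loadstring/setfenv) or Lua 5.2+ (load with env); no third-party modules.

local function make_sandbox_env()
  -- Only side-effect-free functions are copied in. Deliberately absent: io, os,
  -- require, package, dofile, loadfile, loadstring/load, debug, rawget/rawset,
  -- getfenv/setfenv, collectgarbage, and the host's real global table.
  local env = {
    assert = assert, error = error, ipairs = ipairs, next = next, pairs = pairs,
    pcall = pcall, select = select, tonumber = tonumber, tostring = tostring,
    type = type, unpack = unpack or table.unpack,
    string = {
      byte = string.byte, char = string.char, find = string.find,
      format = string.format, gmatch = string.gmatch, gsub = string.gsub,
      len = string.len, lower = string.lower, match = string.match,
      rep = string.rep, reverse = string.reverse, sub = string.sub,
      upper = string.upper,
    },
    table = { concat = table.concat, insert = table.insert,
              remove = table.remove, sort = table.sort },
    math = { abs = math.abs, ceil = math.ceil, floor = math.floor,
             max = math.max, min = math.min, sqrt = math.sqrt,
             huge = math.huge, pi = math.pi },
  }
  env._G = env  -- a script that walks _G sees only the sandbox, not host globals
  return env
end

-- Compile `code` so that its global lookups resolve in a fresh sandbox table.
local function load_sandboxed(code, chunkname)
  -- Precompiled bytecode skips the parser and can put the VM in unsafe states;
  -- accept source text only (Lua bytecode starts with ESC, 0x1B).
  if code:sub(1, 1) == "\27" then
    return nil, "binary chunks are not accepted"
  end
  local env = make_sandbox_env()
  if setfenv then                          -- Lua 5.1
    local chunk, err = loadstring(code, chunkname)
    if not chunk then return nil, err end
    setfenv(chunk, env)
    return chunk
  end
  return load(code, chunkname, "t", env)   -- Lua 5.2+: mode "t" = text only
end

-- Run untrusted code under a VM instruction budget so that `while true do end`
-- cannot hang the browser. Returns ok, result_or_error in the style of pcall.
local function run_sandboxed(code, chunkname, max_instructions)
  local chunk, err = load_sandboxed(code, chunkname)
  if not chunk then return false, "compile error: " .. tostring(err) end
  local function on_count()
    error("instruction budget exceeded", 0)
  end
  -- Count hook: an empty mask plus a count fires every max_instructions instructions.
  debug.sethook(on_count, "", max_instructions)
  local ok, result = pcall(chunk)
  debug.sethook()  -- always clear the hook, whether or not the script failed
  return ok, result
end

-- Constructed sample scripts (not from the thread) standing in for downloaded code.
local samples = {
  benign  = "local t = {} for i = 1, 5 do t[#t + 1] = i * i end return table.concat(t, ',')",
  hostile = "return os.execute('id')",  -- `os` is nil in the sandbox, so indexing it errors
  runaway = "while true do end",        -- stopped by the instruction budget
}
for name, src in pairs(samples) do
  local ok, result = run_sandboxed(src, "=" .. name, 100000)
  print(name, ok, result)
end
```

Two limits of this approach are worth knowing before relying on it. String values keep the host's string metatable, so `("x"):rep(n)` and the rest of the real string library stay reachable through method syntax, and nothing here bounds memory. A sandboxed script can also wrap its own loop in `pcall` and swallow the budget error, so a deployment that must enforce the limit strictly runs the code in a separate Lua state or process and terminates that instead of trusting the hook alone.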