- Subject: RES: RES: Lua Browser Plugin
- From: "Rafael - SosCpdTerra" <soscpd@...>
- Date: Wed, 1 Aug 2007 09:40:07 -0300
>Can the plugin download Lua code off the 'net and run it? Because if so, that
>is a huge security risk --- it's not so much as a security hole as a huge
>gaping abyss! And if it does so without asking the user first (every time),
>then it probably also counts as a back door...
Exactly my point. Yes, that can be done so far, and I'm not
controlling that right now. I really am not doing that with a back door in mind,
but... ;) like father, like son... I am also thinking about the following: Who will
distribute this plug-in?
[mailto:firstname.lastname@example.org] On behalf of David Given
Sent: Wednesday, 1 August 2007 10:33
To: Lua list
Subject: Re: RES: Lua Browser Plugin
Rafael - SosCpdTerra wrote:
> My intent with this post isn't whether to open the source or not, but how
> I can do that with a secure methodology (I believe that can be handled). In
> this stage of development, I give absolutely no control to the user. The plug-in is
> installed quietly and is ready to go. Lua code in the browser can do
> whatever Lua can do running directly from a shell. Sorry if I can point
> first time.
Can the plugin download Lua code off the 'net and run it? Because if so, that
is a huge security risk --- it's not so much as a security hole as a huge
gaping abyss! And if it does so without asking the user first (every time),
then it probably also counts as a back door...
But to answer your actual question: if your code has security issues, keeping
the source secret won't help, because anyone interested in finding them will
find them and exploit them anyway. And if your code does not have security
issues, releasing the source won't hurt, because there are no security issues
to find. So on balance you might as well release it: that way you get wider
exposure, more people interested in it, and potentially patches.
┌── ｄｇ＠ｃｏｗｌａｒｋ．ｃｏｍ ─── http://www.cowlark.com ─────
│ "There does not now, nor will there ever, exist a programming language in
│ which it is the least bit hard to write bad programs." --- Flon's Axiom