On Tue, Jun 23, 2009 at 6:07 PM, Stephen Bannasch < stephen.banna...@deanbrook.org> wrote:
> At 2:29 PM -0700 6/15/09, Assaf Arkin wrote: > >> And I agree about the "convenience install pack" of JRuby >> having no notion of security practices. It's the equivalent of getting a >> Linux box and running IE8 as your default browser. >> > > That's a major misunderstanding of the function and purpose for installing > jruby into userspace. The term userspace refers to anything that's not kernel, kernel module or device driver[1], so we're all talking about installing JRuby to execute in userspace. The option is whether to install executables in a place that your account is privileged to modify without your consent [2]. Allowing executables to change without explicit user consent is the default setting in Windows XP, and a factor in many of its security vulnerabilities [3]. Of course not everyone appreciate the added annoyance, when Windows Vista introduced a revised security architecture many people complained [4]. Like most people I don't like inconvenience if I don't understand the security implications. On Linux, OS X and other UN*X variants, you simply place your executables in any of the directories designated for holding binaries [5] (specific paths change between UN*X variants but broadly they all work the same). When it comes to convenience vs security, I err on the side of security, I also like to allow acts of convenience. I'm not recommending that Buildr fails when invoked or loading code from a vulnerable path (e.g. SSH will do that). I am recommending that the default path we present to people always favors their security over their convenience, so they can choose differently, but if they place their trust in us, we return that trust. Assaf [1] http://en.wikipedia.org/wiki/User_space [2] http://en.wikipedia.org/wiki/Sudo [3] http://en.wikipedia.org/wiki/Criticism_of_Windows_XP [4] http://en.wikipedia.org/wiki/User_Account_Control [5] http://en.wikipedia.org/wiki/Sbin > > > I have 4 different jruby instances installed in different directories in > userspace on my development system. I often create new ones just to test > installation of a set of dependencies for a specific application. I have one > which is the most recent stable jruby release, another which is trunk. > > Installing jruby into a userspace directory makes it much easier to delete > when I don't need it anymore. It also makes it easier to use right along > side MRI ruby. I am often running a rails app in jruby and debugging it in > MRI. > > I also have rubinius, macruby, and ruby19 also installed in separate > userspace directories and I test and run benchmarks on all these systems. > > None of these installations are installed in /usr/bin or /usr/local/bin -- > I save those for the 'system' ruby -- in my case it is MRI. >
