Charles Oliver Nutter-2 wrote:
>
> dertown wrote:
>> I can understand the Idea and reasoning but i am wondering if you would
>> implement something else to
>> preform safty checks or leave that to indivdual users?
>
> The idea is that Ruby's professed safety checks are so unlikely to
> actually be safe that they're not even worth implementing. But we'd like
> some safety mechanism, yes?
>
> I would propose that Ruby's SAFE levels be redefined in JRuby to
> represent something equivalent in the JVM, using JVM security
> mechanisms. So they won't be identical, but they'll provide a similar
> mechanism under JRuby to prevent certain types of operations.
>
> Thoughts?
>
> - Charlie
>
> ---------------------------------------------------------------------
>
>
If Safe and Taint does not work then , yes, it should be replaced.
Especially in the case of anyone useng DRb. To just drop those two safety
checks on the floor opens up a huge attack vector. I would like to see a
new and better security system implmented to replace Safe/taint.
I know we use DRb alot so security is a huge concern for us
I dont know what to replace it with right now. The quick answer is to use
the native Java security with in Jruby. That solution opens up issues for
Ruby compatability though.
Ideally i think a new native Ruby Security system will be needed. I also
believe this will allow Ruby as a whole to mature and hopefully get wider
acceptance as a something more then just a scripting language.
Derek
--
View this message in context:
http://www.nabble.com/Ditching-SAFE-and-tainting-tf3989911.html#a11332635
Sent from the JRuby - Dev mailing list archive at Nabble.com.
---------------------------------------------------------------------
To unsubscribe from this list please visit:
http://xircles.codehaus.org/manage_email
