I say chuck it out since we are not even close to being correct in
this area. It gives a false sense of security. In fact, I wonder
what sort of audit MRI goes through to demonstrate that safe/taint is
working. As far as I can tell tainting is really tough to get right
and keep right.
The Drb mention below makes me think we need to come up with a
creative solution to replace it (using Java's security mechanism in
some way). I am hoping some enterprising community member who cares
about this will help find the true path...
-Tom
On 6/27/07, Charles Oliver Nutter <[EMAIL PROTECTED]> wrote:
SAFE and tainting go hand in hand as perhaps the sole security mechanism
in Ruby. When at various SAFE levels, you can't eval code, modify arrays
and other objects, open files and sockets, and so on. There are 5 safe
levels, each more restrictive than the last.
Except that SAFE and tainting don't work correctly in JRuby, probably
will never work correctly, add a bunch of overhead and security checks,
and are unlikely to actually be SAFE even if they were ever implemented
to the letter of the law.
I'd like to remove both SAFE and tainting.
Sure, they'd still be there...we're not going to alter APIs or anything.
But they won't do anything. And we won't have to check them in the
gazillion places we check them.
Thoughts on this? I know it's come up before, but with 1.0 out we can
start to do these kinds of changes. I'd like to get some buy-in from
other impls too...perhaps if they agree it's a good idea, we'd get less
hassle for changing it.
(I know Evan of Rubinius is already on board)
- Charlie
---------------------------------------------------------------------
To unsubscribe from this list please visit:
http://xircles.codehaus.org/manage_email
--
Blog: http://www.bloglines.com/blog/ThomasEEnebo
Email: [EMAIL PROTECTED] , [EMAIL PROTECTED]
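A small model of the mechanism Charlie describes, added here as an example and not code from the thread or from JRuby: an invented TaintedString mark with a $SAFE-style guard in front of eval. It assumes nothing beyond plain Ruby and shows Tom's point in practice: one ordinary operation (string interpolation) drops the mark, and the guard that the mark was supposed to trigger is bypassed.

```ruby
# Added illustration, not from the thread. A tiny model of MRI's taint mark
# and the $SAFE >= 1 rule that refuses to eval tainted code. TaintedString,
# tainted_value?, safe_eval and from_network are invented names.

# Untrusted input carries a mark. MRI flagged the object itself; here a
# String subclass stands in for that flag so the model runs on any Ruby.
class TaintedString < String
  # Every operation that builds a new String has to re-apply the mark.
  # Anything not on this list silently returns a plain, "clean" String.
  %i[+ upcase strip].each do |m|
    define_method(m) { |*args| TaintedString.new(super(*args)) }
  end
end

def tainted_value?(obj)
  obj.is_a?(TaintedString)
end

# Models the $SAFE >= 1 check in front of eval: tainted code is refused.
def safe_eval(code, safe_level)
  if safe_level >= 1 && tainted_value?(code)
    raise SecurityError, "Insecure operation - eval"
  end
  eval(code)
end

# Anything read from the outside world is marked as tainted.
def from_network(str)
  TaintedString.new(str)
end

# Walks one value through a few operations and reports where the mark
# survives, where it is lost, and whether the eval guard still fires.
def demo
  code = from_network("1 + 1")
  blocked = begin
    safe_eval(code, 1)
    false
  rescue SecurityError
    true
  end
  {
    direct:  tainted_value?(code),              # true
    plus:    tainted_value?(code + " # note"),  # true: `+` re-wraps the result
    interp:  tainted_value?("#{code}"),         # false: interpolation drops the mark
    blocked: blocked,                           # true: guard fires on the marked code
    escaped: safe_eval("#{code}", 1),           # 2: same input, guard bypassed
    level0:  safe_eval(code, 0)                 # 2: $SAFE 0 checks nothing
  }
end
```

The `interp`/`escaped` pair is the defect class Tom is pointing at: every String-producing method in the runtime has to be audited and kept audited, or the mark quietly disappears.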