Thomas E Enebo wrote:
>
> I say chuck it out since we are not even close to being correct in
> this area. It gives a false sense of security. In fact, I wonder
> what sort of audit MRI goes through to demonstrate that safe/taint is
> working. As far as I can tell tainting is really tough to get right
> and keep right.
>
> The Drb mention below makes me think we need to come up with a
> creative solution to replace it (using Java's security mechanism in
> some way). I am hoping some enterprising community member who cares
> about this will help find the true path...
>
> -Tom
>
> On 6/27/07, Charles Oliver Nutter <[EMAIL PROTECTED]> wrote:
>> SAFE and tainting go hand in hand as perhaps the sole security mechanism
>> in Ruby. When at various SAFE levels, you can't eval code, modify arrays
>> and other objects, open files and sockets, and so on. There's 5 safe
>> levels, increasingly more restrictive.
>>
>> Except that SAFE and tainting don't work correctly in JRuby, probably
>> will never work correctly, add a bunch of overhead and security checks,
>> and are unlikely to actually be SAFE even if they were ever implemented
>> to the letter of the law.
>>
>> I'd like to remove both SAFE and tainting.
>>
>> Sure, they'd still be there...we're not going to alter APIs or anything.
>> But they won't do anything. And we won't have to check them in the
>> gazillion places we check them.
>>
>> Thoughts on this? I know it's come up before, but with 1.0 out we can
>> start to do these kinds of changes. I'd like to get some buy-in from
>> other impls too...perhaps if they agree it's a good idea, we'd get less
>> hassle for changing it.
>>
>> (I know Evan of Rubinius is already on board)
>>
>> - Charlie
>
>
I dont know to much about the Java Security , so to make sure is secure we
would have to wrap the Java security in a Ruby Class? that would a very
quick way of doing it.
Or would it be better to create a brand new Jruby Security library that is
built from the ground up?
--
View this message in context:
http://www.nabble.com/Ditching-SAFE-and-tainting-tf3989911.html#a11348789
Sent from the JRuby - Dev mailing list archive at Nabble.com.
---------------------------------------------------------------------
To unsubscribe from this list please visit:
http://xircles.codehaus.org/manage_email
