On 4/23/06, Ian Bicking <[EMAIL PROTECTED]> wrote:

> > ... except for being the client at the lowest level, it
> > looks a lot like an XML-RPC server, interpreting known requests
>
> XML-RPC is just specially-formatted HTTP requests, so it wouldn't affect
> any port security.

I wonder if I am succeeding in making myself clear. Let me try to boil it down.

Imagine that I am just a kid whose parents have bought me an AOL login or something, so (in general) I can't service HTTP requests. But I *can* make them. So I can run client code that requests a test and then requests validation of my response to that test, over HTTP. In a nutshell that is my proposal.

> >> If there were student-contributed doctests this
> >> seems like a potential concern.
> >
> > Yes, this is the problem with my approach. I don't handle that, and
> > that is why a sandbox solution is still a good idea.
>
> If everything is purely run on the client side, it's probably not *that*
> big of a deal, if you only accept code from 'trusted' students, i.e.,
> students actually in the class, or doctests vetted by some trusted group
> (e.g., teachers moderating a wiki). Then the students can only mess up
> other people's computers to the same degree they can mess up their
> computers, which if you are in a lab isn't a big deal (and you probably
> need a restoration process for other reasons anyway).

"It's not *that* big a deal" does seem to be the answer to the sandbox question in education. If we aren't exchanging money or signing contracts, the occasional malfeasance might not be that consequential.

But if we are running everything client side we need trusted TESTS for sure, because the evil cousin could as easily hack the test as the target code. The school serving as instrument for infecting the citizen's computer by evil doctests would not go over very well in most jurisdictions.

I do think such a thing potentially has great value, but it might be very tricky to run such code client side, at least prior to some of the major efforts we have started to discuss here.

A specialized client running an invisible test delivered from a trusted server seems to me to be a useful tool that is very safe, rather easy to deploy, and straightforward.
It could be stitched together quickly, has practically zero security issues, and allows tests to be performed and validated on any computer which can make outbound web requests. I think that's valuable.

mt
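
An added sketch of the exchange proposed in the message above, not code from the original post or from any edu-sig project: the client only makes outbound HTTP requests, the student's code runs locally, and the server compares the submitted answers as data without executing anything. The names `TESTS`, `run_student`, `start_server` and the `/test/<id>` and `/validate/<id>` paths are assumptions made for the illustration, and the sample test is constructed.

```python
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import ProxyHandler, Request, build_opener

# Constructed sample test: inputs go to the client, "expected" never leaves the server.
TESTS = {"square": {"prompt": "return n*n", "inputs": [2, 3, 10], "expected": [4, 9, 100]}}
OPENER = build_opener(ProxyHandler({}))  # demo talks to localhost, so skip any proxy

class TestServer(BaseHTTPRequestHandler):
    def _send(self, code, obj):
        body = json.dumps(obj).encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):  # GET /test/<id>: hand out the prompt and inputs only
        test = TESTS.get(self.path.removeprefix("/test/"))
        if test is None:
            return self._send(404, {"error": "unknown test"})
        self._send(200, {"prompt": test["prompt"], "inputs": test["inputs"]})

    def do_POST(self):  # POST /validate/<id>: the submission is data, never executed
        try:
            expected = TESTS[self.path.removeprefix("/validate/")]["expected"]
            length = max(0, min(int(self.headers.get("Content-Length", 0)), 4096))
            answers = json.loads(self.rfile.read(length))["answers"]
        except (ValueError, KeyError, TypeError):
            return self._send(400, {"error": "bad request"})
        self._send(200, {"passed": answers == expected})

def run_student(base_url, test_id, solution):  # client: outbound requests only
    with OPENER.open(f"{base_url}/test/{test_id}", timeout=5) as resp:
        task = json.load(resp)
    payload = json.dumps({"answers": [solution(n) for n in task["inputs"]]}).encode()
    req = Request(f"{base_url}/validate/{test_id}", data=payload,
                  headers={"Content-Type": "application/json"})
    with OPENER.open(req, timeout=5) as resp:
        return json.load(resp)["passed"]

def start_server():  # bind to loopback; port 0 picks any free port
    server = HTTPServer(("127.0.0.1", 0), TestServer)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}"

if __name__ == "__main__":
    srv, url = start_server()
    print(run_student(url, "square", lambda n: n * n), run_student(url, "square", lambda n: n + n))
```

The server caps the request body at 4 KiB and rejects anything that is not a JSON object with an `answers` field, so a hostile submission can at worst earn a failed test.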
