On Wed, Jul 16, 2003 at 12:42:49PM +0200,  Marc A. Lehmann  wrote:

> > >What happens if in the future someone writes a gimp-java interface
> > >(like gimp-perl)?  Would there be any security issues there?
> > 
> >         No.
> "I do not believe people like you."
> Sorry, but how can you so bluntly claim this? These things happened
> before, and often times, so instead of a simple "No" there *should* be
> very good arguments of why it should be different...
> And yes, java byte code *is* getting executed without having to kick it
> off, at least, in netscape, ie, mozilla, opera, konquereor....

- you can turn it off
- it's inside a sandbox (no access to local files)
- to be able to execute some Java code out of a (virus-altered) GIMP
  image (Gimp Graphics Archive) takes:
  * a person running "java -jar picture.gga"
  * some "smart" program looking inside the image, recognizing the
    manifest etc (which makes the JAR "executable"), running this
    (probably requirng user interaction)
  * a Java machine

I think, the security argument against JAR is very far-fetched.
A JAR is basically a ZIP with a META-INF directory containing a
MANIFEST.MF file. That's it.

There is a lot of code around for creating / reading ZIP files - I'm a
bit worried about robustness though; if the directory at the end of the
ZIP is broken or missing, things get complicated.

But a hierarchical structure would be cool too. What about mapping big
parts of the file format to the file system? This way, a lot of
information can be stored in the hierarchy and it wouldn't be a big
difference whether to read a file from file system or from archive.

Bye, Tino.

             * LINUX - Where do you want to be tomorrow? *
Gimp-developer mailing list

Reply via email to