On Wed, Jul 16, 2003 at 12:42:49PM +0200, Marc A. Lehmann wrote:
> > >What happens if in the future someone writes a gimp-java interface
> > >(like gimp-perl)? Would there be any security issues there?
> > No.
> "I do not believe people like you."
> Sorry, but how can you so bluntly claim this? These things happened
> before, and often times, so instead of a simple "No" there *should* be
> very good arguments of why it should be different...
> And yes, java byte code *is* getting executed without having to kick it
> off, at least, in netscape, ie, mozilla, opera, konqueror....

- you can turn it off
- it's inside a sandbox (no access to local files)
- to be able to execute some Java code out of a (virus-altered) GIMP
  image (Gimp Graphics Archive) takes:
  * a person running "java -jar picture.gga"
  * some "smart" program looking inside the image, recognizing the
    manifest etc (which makes the JAR "executable"), running this
    (probably requiring user interaction)
  * a Java machine

I think, the security argument against JAR is very far-fetched.

A JAR is basically a ZIP with a META-INF directory containing a
MANIFEST.MF file. That's it.

There is a lot of code around for creating / reading ZIP files - I'm a
bit worried about robustness though; if the directory at the end of the
ZIP is broken or missing, things get complicated.

But a hierarchical structure would be cool too. What about mapping big
parts of the file format to the file system? This way, a lot of
information can be stored in the hierarchy and it wouldn't be a big
difference whether to read a file from file system or from archive.

* LINUX - Where do you want to be tomorrow? *
Gimp-developer mailing list
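
The two ZIP points raised in the message above, as an added example that is not part of the original mail or of any GIMP code: a reader that falls back to walking local file headers when the end-of-archive directory is missing, and that reports whether the container carries a manifest naming a `Main-Class`. The function names, the entry names and the sample archive are constructed for illustration.

```python
import io, struct, zipfile, zlib

MANIFEST = "META-INF/MANIFEST.MF"

def build_sample():
    """Constructed sample: a ZIP-based image container that also carries a JAR manifest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("layers/0/pixels.raw", b"\x00" * 64)
        z.writestr(MANIFEST, "Manifest-Version: 1.0\r\nMain-Class: Demo\r\n")
    return buf.getvalue()

def strip_central_directory(data):
    """Simulate damage: cut the archive where the central directory starts."""
    cd_offset = struct.unpack("<I", data[-6:-2])[0]  # field of the 22-byte end record
    return data[:cd_offset]

def scan_local_headers(data):
    """Fallback reader: walk the per-file local headers, verifying each CRC-32."""
    entries, pos = {}, 0
    while (pos := data.find(b"PK\x03\x04", pos)) != -1 and pos + 30 <= len(data):
        _, _, flags, method, _, _, crc, csize, _, nlen, xlen = struct.unpack(
            "<4s5H3I2H", data[pos:pos + 30])
        enc = "utf-8" if flags & 0x800 else "cp437"
        name = data[pos + 30:pos + 30 + nlen].decode(enc, "replace")
        start = pos + 30 + nlen + xlen
        raw = data[start:start + csize]
        if flags & 0x08 or method not in (0, 8) or len(raw) < csize:
            break  # sizes are in a trailing descriptor, or the data is cut short
        try:
            body = zlib.decompress(raw, -15) if method == 8 else raw
        except zlib.error:
            break
        if zlib.crc32(body) != crc:
            break
        entries[name] = body
        pos = start + csize  # skip the payload so it is never mistaken for a header
    return entries

def inspect(data):
    """Return (how the listing was obtained, entry names, manifest names a Main-Class)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
            manifest = z.read(MANIFEST) if MANIFEST in names else b""
        source = "central-directory"
    except zipfile.BadZipFile:
        entries = scan_local_headers(data)
        names, manifest, source = list(entries), entries.get(MANIFEST, b""), "local-header-scan"
    return source, names, b"main-class:" in manifest.lower()
```

The fallback stops at the first entry it cannot verify, so a file cut off mid-entry yields only the entries that were stored intact before the cut.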