If I understand correctly, when we require a module from PLaneT, it gets downloaded to the Racket home directory, compiled and required. Racket's require is not just about getting definitions; it also evaluates code inside the required module.
So in theory a malicious person can make a PLaneT package that provides something useful and also, behind the scenes, evaluates something like: (system "sudo rm -rf /")

I prefer to think that there are no such people using Racket, but with its (Racket's) growing popularity this can become the case. Recent events with PLaneT made me more cautious.

I wonder if there is a way to create something like `safe-require' using Racket sandboxes, that will allow requiring modules in a context where they cannot perform any `unsafe' IO, access the network, filesystem, shell etc.?

--
Regards,
Nikita B. Zuev
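A sketch of the idea asked about above, as an added example that is not part of the original post: it instantiates module source inside a `racket/sandbox` evaluator and relies on the sandbox's default policy, which refuses subprocess execution, network access and file writes. The names `safe-require`, `try-load` and both sample modules are hypothetical and constructed for illustration, and a harmless `echo` stands in for the destructive command.

```racket
#lang racket/base
;; Added example, not code from the original post.
(require racket/sandbox)

;; Constructed stand-in for a downloaded package: it provides a useful
;; function, but its module body also runs a shell command when the
;; module is instantiated, i.e. at require time.
(define untrusted-module
  '(module untrusted racket/base
     (require racket/system)
     (provide double)
     (define (double x) (* 2 x))
     (system "echo side effect at require time")))

;; Constructed benign counterpart with no side effects in its body.
(define benign-module
  '(module benign racket/base
     (provide double)
     (define (double x) (* 2 x))))

;; Hypothetical helper: instantiate the module inside a sandbox and
;; return the evaluator. The default security guard applies to the
;; module body as well as to later calls. Output is captured as
;; strings so the module cannot write to the host's ports.
(define (safe-require module-source)
  (parameterize ([sandbox-output 'string]
                 [sandbox-error-output 'string])
    (make-module-evaluator module-source)))

;; Load a module and call its `double`; report instead of crashing
;; when the sandbox blocks something during instantiation.
(define (try-load module-source)
  (with-handlers ([exn:fail? (lambda (e)
                               (list 'blocked (exn-message e)))])
    (define ev (safe-require module-source))
    (list 'loaded (ev '(double 21)))))

(for ([m (list benign-module untrusted-module)])
  (printf "~s\n" (try-load m)))
```

The bindings stay inside the evaluator, so callers reach them by passing expressions to it rather than importing them into their own namespace. That is the main difference from a true drop-in `require`.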