Hi PMario,
I think your implementation could be similar to tiddly desktop, but it
should really stop to create unsigned, untrusted executables.
Microsoft themselves distributes untrusted executables, just download:
and run https://technet.microsoft.com/en-us/sysinternals/processexplorer.aspx
And you will see that the dialog window pops up saying it is an untrusted
executable downloaded from the internet.
Unlike Microsoft, all the source code is freely and openly available
at github so that
anyone can see what it does, and change it if they want.
Thirdly, it binds only to 127.0.0.1 which prevents any external
attacks from the network.
Fourthly, I am willing to add any other security features you think
may be needed.
It does produce a new executable to keep with the single file principle, but
the new executable doesn't include new executable code, only zipped
data appended
to the end of the executable.
You can compare the bytes of the two files and see that they differ
only at the
beggining of the appended zip section.
If I wrote malicious code I would not make the source code available
like it is, and
would not make a public announcement like this. As a matter of fact I
originally wrote it
because I was thinking of a family member that has a hard time with
computers, and
I wanted something easy for them. I just made it available to the
community because
I thought it would be useful.
How do you intend to support and update all the backup
exes? The next version will make all backups obsolete! .. IMO we have an
update problem here!
The exe upgrades itself like firefox and a lot of other software does. Yes,
I need to add an option to turn it off if the user wants to, that will
come when I do a TW5 plugin for it.
- Opens up the possibility to run external executables from your wiki
(to draw charts, etc.) - stay tuned!!
hmmm, calling and activating other exes from possibly untrusted source.
really?
The executable to be called will be specified by the user
*explicitly*, so that means the
user knows the executable that is being called because the user is the
one calling it.
For that matter, the node.js server can also do malicious things under
the covers if it wanted to,
but the source code is available and anyone can see what it does.
Registering a different extension doesn't make it more secure. If it
had malicious code inside
it would run anyways after the extension was registered.
--
You received this message because you are subscribed to the Google Groups
"TiddlyWiki" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to tiddlywiki+unsubscr...@googlegroups.com.
To post to this group, send email to tiddlywiki@googlegroups.com.
Visit this group at https://groups.google.com/group/tiddlywiki.
To view this discussion on the web visit
https://groups.google.com/d/msgid/tiddlywiki/20151217164512.Horde.mgSWy1D3WvnBR1YoA1PaolZ%40www.newsfromgod.com.
For more options, visit https://groups.google.com/d/optout.
