Hi @ all,

what @ihm4u has created is really inspiring and I can tell it has
involved much thinking. It's great to see somebody developing cutting
edge solutions for TiddlyWiki (tidgraph, twexe)!

Regarding Mario's criticism:

I agree with ihm when he says that all binaries in the world are
potentially dangerous.

However, I can understand that Mario issues a warning because:

TW itself so far has been based on script files only. twexe is binary.
In this special case it is not sufficient to say "look at the code,
it's online" because the binaries presented in the demo wiki are
already compiled. However, I also understand it defeats the purpose of
your project to tell people to read your code first and then compile it
themselves to be on the safe side.

Second, there is actually a binary file that is not auditable called
twexe.res – so even if I checked and compiled the code myself, I would
not know how this file behaves (maybe your IDE created this file or it
contains a thumbnail image?).

In any case, great project/idea, thanks for sharing, and sorry for the
criticism – it's just precaution.

-Felix








On 12/17/2015 10:45 PM, ih...@newsfromgod.com wrote:
> Hi PMario,
>
>>>
>>
>> I think your implementation could be similar to tiddly desktop, but it
>> should really stop to create unsigned, untrusted executables.
>>
>
> Microsoft themselves distributes untrusted executables, just download
> and run:
> https://technet.microsoft.com/en-us/sysinternals/processexplorer.aspx
>
> And you will see that the dialog window pops up saying it is an untrusted
> executable downloaded from the internet.
>
> Unlike Microsoft, all the source code is freely and openly available
> at github so that
> anyone can see what it does, and change it if they want.
>
> Thirdly, it binds only to 127.0.0.1 which prevents any external
> attacks from the network.
>
> Fourthly, I am willing to add any other security features you think
> may be needed.
>
> It does produce a new executable to keep with the single file
> principle, but
> the new executable doesn't include new executable code, only zipped
> data appended
> to the end of the executable.
>
> You can compare the bytes of the two files and see that they differ
> only at the
> beginning of the appended zip section.
>
> If I wrote malicious code I would not make the source code available
> like it is, and
> would not make a public announcement like this. As a matter of fact I
> originally wrote it
> because I was thinking of a family member that has a hard time with
> computers, and
> I wanted something easy for them. I just made it available to the
> community because
> I thought it would be useful.
>
>
>>  How do you intend to support and update all the backup
>> exes? The next version will make all backups obsolete! .. IMO we have an
>> update problem here!
>>
>
> The exe upgrades itself like firefox and a lot of other software does.
> Yes,
> I need to add an option to turn it off if the user wants to, that will
> come when I do a TW5 plugin for it.
>
>>>    - Opens up the possibility to run external executables from your
>>> wiki
>>>    (to draw charts, etc.) - stay tuned!!
>>>
>> hmmm, calling and activating other exes from possibly untrusted source.
>> really?
>>
>
> The executable to be called will be specified by the user
> *explicitly*, so that means the
> user knows the executable that is being called because the user is the
> one calling it.
>
> For that matter, the node.js server can also do malicious things under
> the covers if it wanted to,
> but the source code is available and anyone can see what it does.
>
> Registering a different extension doesn't make it more secure. If it
> had malicious code inside
> it would run anyways after the extension was registered.
>
>
>
>
>
>
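
The byte comparison mentioned in the quoted message, as an added example (not part of the original thread and not twexe's code): it locates where the appended ZIP begins and checks that everything before it is byte-identical in two files. It assumes the ZIP was appended unmodified, so its offsets are relative to its own start; `STUB` and the sample files are constructed stand-ins.

```python
import hashlib
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # ZIP end-of-central-directory record
LOCAL_SIG = b"PK\x03\x04"  # ZIP local file header

def payload_offset(blob: bytes) -> int:
    """Offset where the appended ZIP starts, i.e. the length of the executable part."""
    # The EOCD record is 22 bytes plus an optional comment of at most 65535 bytes.
    pos = blob.rfind(EOCD_SIG, max(0, len(blob) - 22 - 65535))
    if pos < 0 or pos + 22 > len(blob):
        raise ValueError("no ZIP end-of-central-directory record found")
    cd_size, cd_offset = struct.unpack_from("<II", blob, pos + 12)
    start = pos - cd_size - cd_offset
    # Assumption: offsets are relative to the ZIP start; otherwise this check fails.
    if start < 0 or blob[start:start + 4] != LOCAL_SIG:
        raise ValueError("ZIP offsets do not point at an appended archive")
    return start

def stub_digest(blob: bytes) -> str:
    """SHA-256 of the executable part only, ignoring the appended data."""
    return hashlib.sha256(blob[:payload_offset(blob)]).hexdigest()

def same_stub(a: bytes, b: bytes) -> bool:
    """True if the two files differ only at or after the start of the ZIP section."""
    return payload_offset(a) == payload_offset(b) and stub_digest(a) == stub_digest(b)

def make_sample(stub: bytes, files: dict) -> bytes:
    """Build a constructed 'executable + appended zip' blob for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in files.items():
            z.writestr(name, data)
    return stub + buf.getvalue()

# Constructed sample data: a fake program body and three variants of the file.
STUB = b"MZ" + bytes(range(256)) * 4
original = make_sample(STUB, {"wiki.html": "<html>v1</html>"})
rewritten = make_sample(STUB, {"wiki.html": "<html>v2 with more text</html>"})
patched = make_sample(STUB[:100] + b"\x90" + STUB[101:], {"wiki.html": "<html>v1</html>"})

if __name__ == "__main__":
    print("payload starts at", payload_offset(original))
    print("original vs rewritten, same code:", same_stub(original, rewritten))
    print("original vs patched, same code:  ", same_stub(original, patched))
```

A matching digest only shows that the two executables share the same code; it says nothing about whether that code matches the published source.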
