phatch-dev team mailing list archive
Message #00295
Re: Phatch for Geeks
I concur.
On Wed, Jun 17, 2009 at 10:43 AM, Robin Mills <robin@xxxxxxxxxxxxx> wrote:
> Erich
> That's very interesting. I don't know anything about keyczar - however it
> sounds like the right kind of thing.
>
> Of course, we're jumping ahead (although now's the time to think for the
> future). If we arrive at a time when people are publishing Phatch actions
> (or actionlists), I think we'll have to consider something like this.
>
> Until then, I think what Stani's added here is really good.
>
> Robin
> http://www.clanmills.com
>
> On Jun 17, 2009, at 7:47 AM, Erich Heine wrote:
>
> Robin,
> Thanks for expanding, your point makes much more sense now (and seems much
> more reasonable :P ). There are some responses below (after the quote):
>
> On Wed, Jun 17, 2009 at 9:10 AM, Robin Mills <robin@xxxxxxxxxxxxx> wrote:
>
>>
>> However it might be nice if Python was able to refuse to run scripts which
>> don't have a valid digital certificate - and that would make "alien" scripts
>> less dangerous.
>>
>> So it all adds up to "The issue is with Python, not Phatch".
>>
>
> We could put something in to check scripts against a "verified good" phatch
> "app store". It's not that hard to do an hmac that's digitally signed with the
> phatchdev private key. This is close to trivial to write, particularly if we
> use a nice framework like keyczar from google. Of course then we can only
> verify official action lists -- which is a game we may not want to play.
>
> As for where the issue lies I'd put equal parts of it in phatch, python, and
> the current computing model.
>
> Phatch -- we want to run arbitrary external scripts and programs which is
> isomorphic to running untrusted code. This desire introduces the issue to
> begin with.
>
> Python -- no builtin code signing, no restricted shell execution
> environment.
>
> Computing model: too much power to each process/program, no good way of
> reliably restricting things, too much interdependence resulting in all or
> nothing permissions models in the real world.
>
> Regards,
> Erich
>
> _______________________________________________
> Mailing list: https://launchpad.net/~phatch-dev
> Post to : phatch-dev@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~phatch-dev
> More help : https://help.launchpad.net/ListHelp
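The "verified good" check Erich sketches above, written out as an added example (not code from the thread, from keyczar, or from the Phatch project): a maintainer-keyed HMAC over a manifest of approved action-list digests, and a loader that refuses anything not on it. The key, file names and action-list contents are constructed placeholders.

```python
# Added example, not Phatch project code. A maintainer key MACs a manifest of
# approved action-list digests; the client refuses any action list whose digest
# is missing or whose manifest MAC does not verify. Limitation, as the thread
# notes: an HMAC key must also be held by the verifier, so a public-key
# signature over the same manifest is the stronger choice in practice.
import hashlib
import hmac
import json

# Constructed placeholder key, not a real phatchdev key.
PHATCHDEV_KEY = b"example-phatchdev-key-not-real"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(entries: dict) -> bytes:
    # Canonical JSON so maintainer and client MAC exactly the same bytes.
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(key: bytes, actionlists: dict) -> dict:
    """Maintainer side: record approved digests and MAC the canonical manifest."""
    entries = {name: sha256_hex(body) for name, body in actionlists.items()}
    tag = hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest()
    return {"entries": entries, "mac": tag}


def verify_actionlist(key: bytes, manifest: dict, name: str, body: bytes) -> bool:
    """Client side: True only if the manifest is authentic and the file matches."""
    expected = hmac.new(key, _canonical(manifest["entries"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest.get("mac", "")):
        return False  # manifest tampered with, or wrong key
    approved = manifest["entries"].get(name)
    if approved is None:
        return False  # unknown ("alien") action list: refuse to load
    return hmac.compare_digest(approved, sha256_hex(body))


# Constructed sample action list; not a real Phatch file format.
GOOD = b"<actionlist><action name='resize' width='800'/></actionlist>"
MANIFEST = build_manifest(PHATCHDEV_KEY, {"resize.phatch": GOOD})

if __name__ == "__main__":
    print(verify_actionlist(PHATCHDEV_KEY, MANIFEST, "resize.phatch", GOOD))
    print(verify_actionlist(PHATCHDEV_KEY, MANIFEST, "resize.phatch", GOOD + b"<!-- edited -->"))
```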