[Sugar-devel] programming on thin ice

Luke Faraone luke at faraone.cc
Sat Jan 31 21:17:54 EST 2009


On Thu, Jan 29, 2009 at 10:01 PM, <forster at ozonline.com.au> wrote:

> > What I am concerned about is making the system vulnerable by letting
> > arbitrary functions to execute within TA. I can imagine that Rainbow
> > would be of some protection here, but are there other things I can do
> > to restrict, say to the math module, the functions available.
> >
> Would TA make the system more vulnerable that it already is with Pippy,
> Develop and Terminal?
>
> If not then I don't see a problem. I would like learners have access to
> more functions than in the math module.
>
> The idea of empowering learners has risks, that's why the XO is easily
> re-flashed. The only thing that worries me is a virus spreading through the
> mesh network, but I suspect that whatver the risk is, its already there


The model is different, though, with TA. Develop and Terminal are
single-user programs, you can't "join" and automagically get tainted code.

An idea for "securing" TA as Walter describes it would be to have the python
code be parsed by TA itself and not the interpreter, filtering out
_very_carefully_ unwanted imports, open()s, evals(), compiles(), and
execs().

-- 
Luke Faraone
http://luke.faraone.cc
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.sugarlabs.org/archive/sugar-devel/attachments/20090131/df151124/attachment.htm 


More information about the Sugar-devel mailing list