On 11/14/06, Simetrical Simetrical+wikitech@gmail.com wrote:
> That said, there's no reason to be paranoid. Yes, there will always be vulnerabilities, but they'll be doubly limited by the approval process *and* the sandbox. We aren't distributing arbitrary machine code, we're distributing Java, which as far as I know can't do anything like take over your computer or wipe your hard drive. Running arbitrary Java is not to my knowledge a real security risk, at least no more than arbitrary JavaScript (which can spy on you to an extent), and this Java won't even be arbitrary: it will be vetted first, however imperfectly.
In the best case, arbitrary Java can ask the user to let it out of the sandbox, and most users will; in the worst case, it can just get out on its own (the JVM doesn't have a great track record). Once running in trusted mode, Java can do anything any other binary on your system can do.
Even ignoring that sort of vulnerability, if we allow people to upload Java binaries, the binaries could decide to display penises every second Tuesday. Just limiting it to sysops won't fix it, because sysops will be (mostly) adding Java which was given to them by (untrusted) third parties. We can't demand the sysops check the Java, because no human could be expected to detect such problems.
So we're left with demanding that people submit Java in source form (which I suppose is good for other reasons), and then we'll expect qualified admins to audit, compile, and then install the code... yuck.
Better to just write a sandboxed ECMAScript or Python interpreter which runs in sandboxed Java... and then make an extension that lets you directly input the script code, which will then be handed out to clients. This reduces the risk of it displaying penises on second Tuesdays to the same risk as template code displaying penises on second Tuesdays.
It's actually not that far out of an idea... there is already a Python implementation in Java (Jython, http://www.jython.org/Project/index.html) and several of the Python plotting libraries will work in Jython (http://www.eckhartarnold.de/apppages/pyplotter.html). I imagine that interactive graphs are the largest driver for Java applets beyond audio/video playback.
A solution like this would give us real wiki-editable software which we could open to the world, and not confine to sysop priests with Java compilers and the patience to work offline.
Unfortunately Jython needs non-sandboxed Java because it mucks about with the VM for the ability to call arbitrary Java and native code functions. :-/
If anyone is aware of any dynamic languages which will run in sandboxed Java and which have decent graphing libraries, I'd love to hear about it. :)