On 11/14/06, Tim Starling <tstarling(a)wikimedia.org> wrote: That makes perfect sense -- most people don't like surprises on webpages. -- Peace & Love, Erik Member, Wikimedia Foundation Board of Trustees DISCLAIMER: Unless otherwise stated, all views or opinions expressed in this message are solely my own and do not represent an official position of the Wikimedia Foundation or its Board of Trustees.

On 11/14/06, Kelly Martin <kelly.lynn.martin(a)gmail.com> wrote: The major application right now is probably Wikiversity. Interactive applications could be extremely useful to them for a wide variety of purposes, such as quizzes or physics demonstrations.

On 11/14/06, Simetrical <Simetrical+wikitech(a)gmail.com> wrote: I was talking about a scenario where you could upload an applet class file, but where Wikimedia would not embed it in a runnable form. You would have to explicitly download and run such an applet (using the appletviewer application or by embedding it into a webpage). I think under such a setting, an applet is unlikely to do much harm (not to mention that it would not be run from any Wikimedia domain), since the users who are the most likely to do something stupid are the least likely to be able to figure out how to run the thing in the first place. -- Peace & Love, Erik Member, Wikimedia Foundation Board of Trustees DISCLAIMER: Unless otherwise stated, all views or opinions expressed in this message are solely my own and do not represent an official position of the Wikimedia Foundation or its Board of Trustees.

Cormac Lawler wrote: That's the wrong question. A better set of questions would be: * Does every project have at least one sysop/bureaucrat who can spot "evil" Java resources? * Does every sysop/bureaucrat who does not have this skill, acknowledge that they don't and consequently leave the approval queue alone? (from your message, it appears that you do, so you're fine)

On Tue, Nov 14, 2006 at 03:01:24PM -0500, Gregory Maxwell wrote: . . . and at that point, you're back to wondering if the sysops/bureaucrats who don't have the skill will leave the approval queue alone. Since this is a preventative measure, and not an active measure, it introduces problems later down the road, because the real question isn't "Does every sysop/bureaucrat who does not have the skill acknowledge that they don't and consequently leave the approval queue alone?" Instead, the question is: "Will every sysop/bureaucrat forevermore who does not have the skill be reasonably expected that they don't have the skill and consequently leave the approval queue alone, or do we think there's a nontrivial likelihood that new sysops/bureaucrats will potentially become a problem in this regard in the future?" Unfortunately, if you want something approaching complete safety in this regard, I don't think you're going to get it. I guess it all depends on how much you're willing to risk it. -- CCD CopyWrite Chad Perrin [ http://ccd.apotheon.org ] "The first rule of magic is simple. Don't waste your time waving your hands and hopping when a rock or a club will do." - McCloctnick the Lucid

On Tue, Nov 14, 2006 at 05:39:05PM -0500, Simetrical wrote: The idea that Java cannot take over your computer or wipe your hard drive may (and I emphasize the use of "may" here) be true for applets, but for other uses of Java it is anything but true. Hey, if we're going to start including virtual machine run bytecode content, maybe we should include other VMs than Java's. For instance, there's OCaml's toplevel VM, Parrot, and Smalltalk out there. Could be fun. Okay, I'm not very serious about that. -- CCD CopyWrite Chad Perrin [ http://ccd.apotheon.org ] Brian K. Reid: "In computer science, we stand on each other's feet."

On 11/14/06, Simetrical <Simetrical+wikitech(a)gmail.com> wrote: In the best case arbitrary java can ask the user to let it out of the sandbox and most users will, in the worst it can just get out on its own (JVM doesn't have a great track record). Once running in trusted mode java can do anything any other binary on your system can do. Even ignoring that sort of vulnerability, if we allow people to upload java binaries the binaries could decide to display penises every second tuesday. Just limiting it to sysops won't fix it because sysops will be (mostly) adding java which was given to them by (untrusted) third parties. We can't demand the sysops check the java, because no human could be expected to detect such problems. So we're left with demanding that people submit java in source form (which I suppose is good for other reasons), and then we'll expect qualified admins to audit, compile, then install the code.. yuck. Better to just write a sandboxed ecmascript or python interpreter which runs in sandboxed Java... and then make an extension that lets you directly input the script code, which will then be handed out to clients. This then reduces the risk of it displaying penises on second tuesdays to the same risk as template code displaying penises on second tuesdays. It's actually not the far out of an idea... there is already a python implementation in java (jython, http://www.jython.org/Project/index.html) and several of the python plotting libraries will work in jython (http://www.eckhartarnold.de/apppages/pyplotter.html). I imagine that interactive graphs are the largest driver for java apples beyond audio/video playback. A solution like this would give us real wikieditable software which we could open to the world, and not confine to sysop priests with java compilers and the patience to work offline. Unfortunately jython needs non-sandboxed java because it mucks about with the VM for the ability to call arbritary java and native code functions. :-/ If anyone is aware of any dynamic languages which will run in sandboxed java and which have decent graphing libraries, I'd love to hear about it. :)

On 11/14/06, Chad Perrin <perrin(a)apotheon.com> wrote: [snip] I'd prefer we only have one.. simply because I'd rather have one large base of wikipedians speaking the same language than four fragmented groups. .... But I don't really care which one it is. Our site is innovative in many ways...(nearly) instant gratification, open access, revision control (never forget), Free Content, low barriers to entry.. etc.. as we step into the realm of executable content we should not abandon all the things that have made us grand. Perl .. yuck.. But sure, as I said... I don't care what language. I was hoping there would be some good ECMAscript interpreters in java but because of 'javascript' it's darn difficult to search for. We need: 0) Can run safely in the JVM. 1) Can perform graphics in the JVM, hopefully sound. 2) near enough to interpreted (compile at preview would be a bummer :) Plus new programmers really enjoy the ability to sit at a prompt and type in code). 3) Used in the outside world (we already have one home grown programming language, we don't need another) 4) Is broadly compatible with the JVMs on client systems. 5) Decent libraries for data handling, graphing, etc a big plus. I'd rather not make performance a goal.. I'd rather they have facilities for calling java classes we provide.. and we can provide (audited) java classes for anything performance critical... for example video/audio playback or 3D rendering.

On Tue, 2006-11-14 at 18:31 -0500, Gregory Maxwell wrote: I only know of one, Rhino (http://www.mozilla.org/rhino/). Looking from outside, it seems to be a good implementation -- it's actively maintained, and has a nice feature list -- but I've never actually used it. "... we can provide (audited) java classes for anything performance critical..." Really? Including fluid dynamics simulators, rigid-body kinematics with collision detection, Game of Life simulators, and chess-playing programs? These are just a few possibilities for (the performance-critical part of) educational applets that I came up with off the top of my head; I'm sure there are many more. The JVM-based interpreter may still be the right thing to do, but people need to be aware that there are whole realms of creative educational possibilities that are far less feasible with that approach. How does a Java applet go about asking for more privileges? Is that something we can easily audit to avoid (for instance, by checking .class files to make sure they only use standard Java classes and methods that are in a whitelist, not to include reflection)? If the embedded-in-JVM interpreters let you interact with Java, then you will probably be able to write scripts that ask for more privileges; and that can't be fixed by outlawing reflection, since the interpreter has to use reflection. For this reason, compiled Java may actually be easier to secure than an interpreter. Can we write our own security manager, ensure that all calls to uploaded .class files are "wrapped" by our security manager, and implement our own restrictive security policy that way? Carl Witty

On Tue, 2006-11-14 at 21:50 -0500, Gregory Maxwell wrote: Using what size grid? Would it have been that fast on Paul Rendell's Game of Life Turing Machine (1714 x 1647 cells)? What if you want to run much faster than the screen refresh rate ("what will this pattern look like after a million generations")? I contend that the performance requirements for serious science are far less than the performance requirements for an educational applet. A scientist will be willing to spend a lot of time carefully designing small experiments that will test a hypothesis, and then spend a week running the experiment; if an applet takes more than a minute to set up an experiment and get results, you'll lose a lot of viewers (a couple of seconds is a much more desirable time). I guess partly it depends on the goals for these applets. Do we want to reach only people who are "captive" (studying this material for a course, or intensely curious about the material) or do we also want to try to "grab" people who are only mildly curious? Perhaps my particular examples were poorly chosen, but I'm having a hard time believing that there are no examples where a more-than-an-order-of-magnitude improvement in speed would make a significant difference in the educational impact of an applet. I'm having a hard time parsing your sentence, but I think you're saying that cpython is about as fast as raw Java? That's going to depend heavily on your workload. I realize it's a bad idea to draw conclusions from a small set of flawed benchmarks, but I'm going to try anyway (attempting to be conservative). Looking at http://shootout.alioth.debian.org/gp4/benchmark.php?test=all&lang=pytho… indicates to me that Python is comparable in speed with Java when most of the time is spent doing things that Python has C libraries for (regular expression matching, hash tables, arbitrary precision arithmetic), but that Python is much slower than Java (more than an order of magnitude) at doing things like fluid dynamics, where the inner loop has a lot of floating-point math and is not sped up by libraries. Definitely true! If you require that Java code be heavily audited, and that interpreted code only needs to be lightly audited, and if your supply of people willing and capable of doing heavy auditing is limited, then you'll end up with slower code than if you allow lightly audited Java code. In the specific case of auditing that only classes and methods from a whitelist are used, I still think that the easiest method is to write an automated tool that examines the .class file. Other kinds of auditing, of course, are totally infeasible on the bytecode, and require source code. I would think that most JVM-based interpreters would use reflection to allow access to arbitrary Java classes and methods; this would normally be considered an advantage, and would be a big selling point ("allows seamless integration with Java!") for the interpreter. True. But that has nothing to do with whether we allow raw Java or whether we require some sort of interpreter. As long as we're not setting policies now that will be difficult to change later... Carl Witty

On Tue, Nov 14, 2006 at 06:03:26PM -0800, Carl Witty wrote: . . . and if we do so, do we want to do it with something other than a JVM so we can avoid little issues like the nontrivial time and resources consumed on startup of the VM? -- CCD CopyWrite Chad Perrin [ http://ccd.apotheon.org ] unix virus: If you're using a unixlike OS, please forward this to 20 others and erase your system partition.

On 11/14/06, Simetrical <Simetrical+wikitech(a)gmail.com> wrote: You are mistaken about the nature of Java code. Java code can do anything code in any other language can do (can we say java.lang.Runtime, please?); all it takes to escape the security context is one user clicking "OK" to the "give this applet permissions?" question that comes up when a signed applet is signed with an unrecognized certificate. Most people will click "OK" on that dialog. This is even true for applets; escaping the standard security context merely requires a touch of social engineering. Kelly