On 23/10/11 18:07, Nikola Smolenski wrote:
> It is my understanding that there are three road blockers on this one:
> - ABC vs Lilypond, and which exact implementation to use. At this point
> I assume everyone is so sick of waiting that no one will care what is used so long as something is used.
> Lilypond would provide more flexibility for editors. I originally thought that ABC would be better for security, but it turns out that it is full of buffer overflow vulnerabilities, so I'm now recommending Lilypond without reservations.
> [...]
> - And the big one, security. It has not been shown that any of the
> proposed implementations is secure. I was thinking that perhaps a way to overcome this would be to have a dedicated system just for handling music rendering. It would work something like this:
> a) A dedicated server used only for music rendering. The server runs several virtual machines with the music rendering software. It only accepts the notes and returns the images.
> b) When the parent server receives a text with the notes, it only passes it to a free virtual machine. When it receives the images from the virtual machine, it passes them back to the client.
> c) If it doesn't receive the images within a certain time, it shuts down the virtual machine, starts a new one and returns an error image to the client.
> Is there a hole in this system that would make it possible to hack the parent server by means of a malicious file?
I think that would be overkill. All we really need is basic resource limiting (say ulimit.sh plus PoolCounter), and LilyPond should be run with --jail.
LilyPond has two secure modes: --safe and --jail. Running with --safe is easy to support but has restricted functionality, which will impact users. Running with --jail is more complex to set up, but allows commonly-used macros to be imported.
Ideally music rendering would be split out on to different servers, using internal api.php requests. This allows cluster-wide LilyPond resource usage to be limited by limiting the number of servers in the LilyPond rendering pool. It also simplifies the operations task by reducing the number of servers that run LilyPond, making both configuration and monitoring easier.
-- Tim Starling
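A wrapper in the spirit of the reply above (rlimits, a hard wall-clock timeout, and LilyPond's --jail mode), added here as an illustration; it is not code from this thread, from MediaWiki, or from LilyPond. The jail user/group/root/dir values, the limit numbers, and the name render_score are assumptions, and the PoolCounter slot that Tim mentions is left to the caller.

```shell
#!/bin/sh
# Bound the renderer: CPU seconds, virtual memory (KB), and wall-clock seconds.
# The numbers are placeholders chosen for the example, not values from the thread.
LILY_CPU_SECS=${LILY_CPU_SECS:-30}
LILY_MEM_KB=${LILY_MEM_KB:-524288}
LILY_TIMEOUT=${LILY_TIMEOUT:-60}
# --jail=USER,GROUP,JAIL,DIR (LilyPond's chroot mode); all four values are placeholders.
# Swap the --jail argument for --safe when no jail has been prepared.
JAIL_SPEC=${JAIL_SPEC:-lilypond,lilypond,/var/lib/lilypond-jail,/work}

# run_limited SECS CMD [ARGS...]
# Runs CMD under a wall-clock timeout with rlimits applied in a subshell, so the
# calling shell keeps its own limits. Returns CMD's exit status, or 124 when the
# timeout fired (timeout(1) signals the whole process group, then SIGKILLs after 5s).
run_limited() {
    secs=$1; shift
    (
        ulimit -t "$LILY_CPU_SECS"   # runaway interpretation of a score burns CPU, not the host
        ulimit -v "$LILY_MEM_KB"     # address-space cap: allocation bombs fail instead of swapping
        exec timeout -k 5 "$secs" "$@"
    )
}

# render_score INPUT.ly OUTBASE
# Renders one score inside the jail under the limits above. Prints a status word
# and returns non-zero on any failure so the caller can serve an error image
# instead of a PNG. Input paths are assumed to be relative to the jail's DIR.
render_score() {
    run_limited "$LILY_TIMEOUT" lilypond --jail="$JAIL_SPEC" --png -o "$2" "$1"
    case $? in
        0)   echo ok ;;
        124) echo timeout; return 124 ;;
        *)   echo failed;  return 1 ;;
    esac
}

# Direct use: ./lilywrap.sh score.ly out   (output goes to out.png on success)
if [ $# -eq 2 ]; then
    render_score "$1" "$2"
fi
```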