Email or username:

Password:

Forgot your password?
Lennart's posts Post Back to profile
Top-level
Simo ✔️

@bluca @pid_eins @phako writing js is as hard as any other program, and it is turing complete which makes "configuration" uncheckable (unless you solved the halting problem) and this is definitely not good security.

A decent basic configuration set + extension via IPC for those extremely rare cases where you would need it (and that you can block) would be much better from a security pov.

29 April at 12:30 | Wall-to-wall | Open on fosstodon.org
3 comments
Simo ✔️ replied to Simo

@bluca @pid_eins @phako Most people can't think adversarially when writing code, which means using js to configure access to a high privileges is very risky. And can't be easily checked for correctness.

If you do anything more complex than just assigning variables you risk opening huge holes by not paying attention at how things are evaluated.

29 April at 12:32 | Open on fosstodon.org
bluca replied to Simo

@simo5 @pid_eins @phako there can be no "decent basic configuration set", that's the point - otherwise it would be there. It's been working like this for a decade, and it's been just fine as it's simple enough do to the variety of basic things that everybody need. The problems aren't there, they are elsewhere, and requiring users and admins to become software developers and supply chain managers is not a realistic or good or desirable solution

29 April at 13:29 | Open on fosstodon.org
Simo ✔️ replied to bluca

@bluca @pid_eins @phako there are countless programs that have a simple .ini file for configuration where all you do is set variables.
Hyperbole does not help.
Pretty sure 99% of what pk is used for can ne done with a plain config filr, whether tha is implemented as .ini or a more structured .json or similar.
The cases where you need a program to compute behavior at runtime is vanishingly small.

29 April at 13:55 | Open on fosstodon.org
Go Up