Re: [pygame] pygame web plugin
On Wednesday 10 September 2008 04:31:10 James Mills wrote:
> However having said that
> I tend to trust FOSS more than
> commercial software.
I once worked with an admin who REALLY should've known better. As in REALLY
should've known better. Did exactly these sorts of steps:
>
> 1. Install Python
> 2. Install setuptools
> 3. easy_install <your favourite game>
>
(Wasn't quite the same, it was a set of install instructions)
The system rebuilds he was doing for the next week reminded him about:
> step 4. "Audit code to be sure it isn't evil".
Easy install is a nice idea in theory, but it assumes that everyone is perfect
and isn't going to do something that either accidentally (or maliciously)
trashes your machine.
For example, CPAN has a mode of usage similar to easy_install/setuptools in
that it'll figure out the dependencies for you and install them. Whilst they
fixed it a *long* time ago now, one of the modules decided to say
(innocently) that it was dependent on the latest version of Perl that most
people weren't then using. The CPAN shell installer happily tried to upgrade
a significant number of people's perl installations.
This was a bad idea on so many levels, and was an accident, and it's
been fixed now. However, it does demonstrate how stupid it can be to assume
that such things are safe. It just takes one (stupid) file to trash things
after all. (eg "chmod a+rwx /" can be remarkably fatal when run as root,
and if that was created from "chmod a+rwx %s/" % somevar, it's remarkably
easy to miss.)
> However having said that
> I tend to trust FOSS more than
> commercial software.
The reason for that though is because you'll get people turning round, looking
at something like encouraging (eg non-developer) users to run arbitrary
untrusted code on their systems, and saying "you do realise that
that's just asking for trouble, don't you?"
:)
Michael.
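The `"chmod a+rwx %s/" % somevar` slip described in the mail is easy to see in code: if `somevar` is empty, the string becomes `"/"`, and the command is run against the whole filesystem. The following is an added example, not code from the original mail or from pygame, showing the naive construction beside a guard that refuses an empty or out-of-prefix target before anything is executed. The `INSTALL_ROOT` prefix and the function names are assumptions made for the example; the code only builds argument lists and never runs `chmod`.

```python
"""Added example (not from the original mail): how an empty or unexpected
variable turns a per-package chmod into a chmod of '/', and a guard that
refuses such targets.  Only argv lists are built; nothing is executed."""
import posixpath

# Assumed install prefix for the example; a real installer would use its own.
INSTALL_ROOT = "/opt/games"


def naive_chmod_argv(somevar):
    """The pattern quoted in the mail.  With somevar == "" the target is "/"."""
    return ["chmod", "a+rwx", "%s/" % somevar]


def guarded_target(somevar, root=INSTALL_ROOT):
    """Resolve somevar under root and refuse anything that is empty, is the
    filesystem root, or escapes the install prefix (e.g. via '..')."""
    if not somevar:
        raise ValueError("empty install path; refusing (would expand to '/')")
    root_norm = posixpath.normpath(root)
    # posixpath.join discards root if somevar is absolute, so an absolute
    # somevar such as "/" is caught by the prefix check below.
    target = posixpath.normpath(posixpath.join(root_norm, somevar))
    inside = target == root_norm or target.startswith(root_norm + "/")
    if target == "/" or not inside:
        raise ValueError("target %r is outside %r; refusing" % (target, root))
    return target


def guarded_chmod_argv(somevar, root=INSTALL_ROOT):
    """Same command as naive_chmod_argv, but only for a validated target."""
    return ["chmod", "a+rwx", guarded_target(somevar, root)]


def would_be_refused(somevar, root=INSTALL_ROOT):
    """True if the guard rejects somevar (handy for a pre-install dry run)."""
    try:
        guarded_target(somevar, root)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: a normal package dir, an empty variable, a traversal.
    for value in ["mygame", "", "../../etc", "/"]:
        print(repr(value), "naive ->", naive_chmod_argv(value),
              "| refused:", would_be_refused(value))
```

The guard normalises with `posixpath` rather than `os.path` so the check behaves the same on any platform; in a real installer the same prefix check belongs in front of every command whose target comes from a variable, not just `chmod`.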