
Re: [pygame] pygame web plugin



On Wednesday 10 September 2008 04:31:10 James Mills wrote:
> However having said that
> I tend to trust FOSS more than
> commercial software.

I once worked with an admin who REALLY should've known better. As in REALLY 
should've known better. Did exactly these sorts of steps:
> 
> 1. Install Python
> 2. Install setuptools
> 3. easy_install <your favourite game>
>

(Wasn't quite the same, it was a set of install instructions)

The system rebuilds he was doing for the next week reminded him about:

> step 4. "Audit code to be sure it isn't evil".

easy_install is a nice idea in theory, but it assumes that everyone is perfect 
and isn't going to do something that either accidentally (or maliciously) 
trashes your machine.

For example, CPAN has a mode of usage similar to easy_install/setuptools in 
that it'll figure out the dependencies for you and install them. Whilst they 
fixed it a *long* time ago now, one of the modules decided to say 
(innocently) that it was dependent on the latest version of Perl, which most 
people weren't then using. The CPAN shell installer happily tried to upgrade 
a significant number of people's perl installations.

This was a bad idea on so many levels, and was an accident, and it's
been fixed now. However, it does demonstrate how stupid it can be to assume 
that such things are safe. It just takes one (stupid) file to trash things 
after all. (e.g. "chmod a+rwx /" can be remarkably fatal when run as root,
and if that was created from "chmod a+rwx %s/" % somevar, it's remarkably
easy to miss.)

> However having said that
> I tend to trust FOSS more than
> commercial software.

The reason for that, though, is because you'll get people looking at 
something like encouraging (e.g. non-developer) users to run arbitrary 
untrusted code on their systems, turning round and saying "you do realise that 
that's just asking for trouble, don't you?"

:)


Michael.
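The "chmod a+rwx %s/" % somevar hazard above, worked through as an added example (this is not code from the post, from pygame or from setuptools; the function names, the UnsafeTargetError class and the sample values are all made up for illustration). It shows how an empty variable turns the command into "chmod a+rwx /", and one way an install script can refuse to build such a command: reject empty, relative and root-resolving targets, and pass the path as a single argv element instead of interpolating it into a shell line.

```python
import os
import shlex

# Added example, not code from the original mailing-list post.  It reproduces
# the hazard the post describes: an install script builds "chmod a+rwx %s/"
# from a variable, and when that variable is empty the command becomes
# "chmod a+rwx /".  Run as root, that makes every file world-writable.


def naive_chmod_command(install_dir):
    # The pattern from the post: no check that install_dir was ever set.
    return "chmod a+rwx %s/" % install_dir


class UnsafeTargetError(ValueError):
    """Raised when a chmod target must not be touched (hypothetical helper)."""


def validated_install_dir(install_dir):
    """Return a normalized absolute path, or raise UnsafeTargetError.

    Rejects an unset/empty variable, relative paths (which depend on the
    installer's cwd) and anything that normalizes to the filesystem root.
    """
    if not install_dir:
        raise UnsafeTargetError("install_dir is unset or empty")
    if not os.path.isabs(install_dir):
        raise UnsafeTargetError("install_dir is not absolute: %r" % install_dir)
    normalized = os.path.normpath(install_dir)
    # normpath keeps a leading "//" on POSIX, so strip separators before
    # deciding whether the target is the root of the filesystem.
    if normalized.rstrip(os.sep) == "":
        raise UnsafeTargetError("refusing to chmod the filesystem root")
    return normalized


def safe_chmod_argv(install_dir):
    """Build the command as an argv list for subprocess.run(argv), no shell.

    With a list, the path is one argument whatever it contains; a value
    such as "/opt/game; rm -rf ~" can no longer split into two commands.
    """
    return ["chmod", "a+rwx", validated_install_dir(install_dir)]


def safe_chmod_shell(install_dir):
    """Same check, for scripts that must emit a shell line: quote the path."""
    return "chmod a+rwx %s" % shlex.quote(validated_install_dir(install_dir))


def audit_targets(candidates):
    """Classify each candidate; returns (value, accepted, detail) tuples."""
    results = []
    for value in candidates:
        try:
            results.append((value, True, validated_install_dir(value)))
        except UnsafeTargetError as exc:
            results.append((value, False, str(exc)))
    return results


if __name__ == "__main__":
    # Constructed sample values an installer variable might end up holding.
    samples = ["", None, "/", "//", "/opt/../", "games",
               "/opt/game/", "/opt/game; rm -rf ~"]
    for value in samples:
        print("%-22r naive: %r" % (value, naive_chmod_command(value)))
    for value, accepted, detail in audit_targets(samples):
        print("%-22r %s %s" % (value, "ok    " if accepted else "REJECT", detail))
```

Note that the check only covers the failure the post describes; it does not make "chmod a+rwx" on anything a good idea, and it does nothing about an installer that is malicious rather than careless, which is the post's step 4.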