scripting proposal draft 3

K Robinson zwokkqxpozgc+nznebxrznvyyvfg1 at gmail.com
Wed Apr 9 04:58:30 UTC 2008


On Tuesday 08 April 2008 5:50:07 pm Seb Ruiz wrote:
> On 09/04/2008, K Robinson <zwokkqxpozgc+nznebxrznvyyvfg1 at gmail.com> wrote:
>
> That is one awesome email address!

Uh..ok.   It's a disposable (but permanent) email address.  Gmail allows for 
any email suffixes after a +.   Trust me, I haven't memorized it, and have no 
plans to.

So...about the "how" of security in amarok scripts...how is protection even 
really feasible against a script running on the system?  I sort of doubt 
there are sandbox options for each (or any) of the available scripting 
languages.  Perhaps SELinux and AppArmor policies should ship with the amarok 
package, where available?  (SELinux is a headache to even understand though).  

Aside from security goals, the user ought to stay in control of their 
interface despite idiotic scripts.  Users may need to see, prevent, approve 
or stop certain script actions while trying out new scripts ("no, I do not 
want you to 'correct' these track titles and genres en masse, or reset my 
ratings and scores.").

Malicious scripts: What happens if a script redirects you from Magnatune to a 
malicious site, by replacing or duplicating the Magnatune tab? Or tags all 
your music as "erotic"?

Should one assume that in 16 months, secure sandbox frameworks for perl, 
python, ruby, etc will be available, making amarok the weakest link?  Maybe 
not.  Perhaps the thing that makes most sense is what Henry Valence said: 
users should be warned and educated about the risks of running scripts.  
Perhaps a cursory and unofficial code audit could be done on the most popular 
scripts?   Also, a PEBCAK test could be run as shown in my signature to 
decide if a user should be allowed to touch the keyboard ;)

-K. Robinson

"This program 'Amarok' is about to run 'virus.exe' with Administrator 
privileges.  Continue?"   The user, anxious to get on with his work, 
clicks "yes".
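What "see, prevent, approve or stop certain script actions" could look like in practice, as an added illustration that is not from this message or from Amarok's own code: a script host that routes every library edit through one chokepoint, prompts the user before bulk or irreversible changes, refuses fields a script has no business touching, and journals what it applied so the user can undo it. The track library, the threshold, the "destructive" field set and the deliberately idiotic script are all constructed for this example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List


@dataclass
class Track:
    title: str
    genre: str
    rating: int  # 0..10 half-stars, the way Amarok stores ratings


@dataclass
class Change:
    track_id: int
    field: str
    old: object
    new: object


class ActionDenied(Exception):
    """Raised when the user (or policy) refuses a script action."""


class ScriptHost:
    # Assumed policy knobs for this example, not Amarok settings: touching
    # more than BULK_THRESHOLD tracks, or any DESTRUCTIVE field, needs a prompt.
    BULK_THRESHOLD = 5
    DESTRUCTIVE = {"rating"}               # user data no file tag can restore
    EDITABLE = {"title", "genre", "rating"}

    def __init__(self, library: Dict[int, Track], approve: Callable[[str], bool]):
        self.library = library
        self.approve = approve             # user prompt; True means "go ahead"
        self.journal: List[Change] = []    # applied changes, newest last

    def set_field(self, track_ids: Iterable[int], field: str, value, reason: str = "") -> int:
        ids = list(track_ids)
        if field not in self.EDITABLE:
            raise ActionDenied(f"field {field!r} is not script-editable")
        if len(ids) > self.BULK_THRESHOLD or field in self.DESTRUCTIVE:
            prompt = f"Script wants to set {field}={value!r} on {len(ids)} track(s): {reason}"
            if not self.approve(prompt):
                raise ActionDenied(prompt)
        changed = 0
        for tid in ids:
            track = self.library[tid]
            old = getattr(track, field)
            if old != value:
                self.journal.append(Change(tid, field, old, value))
                setattr(track, field, value)
                changed += 1
        return changed

    def undo_all(self) -> int:
        """Roll back every journaled change, newest first; returns count undone."""
        undone = 0
        while self.journal:
            c = self.journal.pop()
            setattr(self.library[c.track_id], c.field, c.old)
            undone += 1
        return undone


class ScriptAPI:
    """The only object handed to a script: list track ids, request edits."""

    def __init__(self, host: ScriptHost):
        self._host = host

    def track_ids(self) -> List[int]:
        return list(self._host.library)

    def set_field(self, track_ids, field, value, reason=""):
        return self._host.set_field(track_ids, field, value, reason)


def run_script(script: Callable[[ScriptAPI], None], host: ScriptHost) -> bool:
    """Run script against host; False if the user vetoed one of its actions."""
    try:
        script(ScriptAPI(host))
        return True
    except ActionDenied:
        return False


# Constructed sample library and a deliberately idiotic script (not a real
# Amarok script): it "corrects" every genre and then wipes all ratings.
def make_library() -> Dict[int, Track]:
    return {i: Track(f"Track {i}", "rock", rating=6) for i in range(8)}


def retag_everything(api: ScriptAPI) -> None:
    ids = api.track_ids()
    api.set_field(ids, "genre", "erotic", reason="'fixing' genres en masse")
    api.set_field(ids, "rating", 0, reason="resetting ratings")


def demo(approve: Callable[[str], bool]):
    """Run the bad script under a given approval policy; returns (ok, host)."""
    host = ScriptHost(make_library(), approve)
    ok = run_script(retag_everything, host)
    return ok, host


if __name__ == "__main__":
    ok, host = demo(lambda prompt: print("PROMPT:", prompt) or False)
    print("script finished:", ok, "| journal entries:", len(host.journal))
```

Note what this buys and what it does not. It keeps the user in control of actions taken through the API, which is the interface-control point raised above, and the journal makes the "en masse" mistake reversible. It is not a sandbox: the script still runs in-process with the host's privileges, and a hostile one can reach past the facade (in Python, through object introspection) or simply open the music files itself. Limiting that is the job of OS confinement such as an AppArmor profile for the player process, which is the other half of the question asked above.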
