[KDE Dot News]

Re: Are plasmoids expected to be good citizens
by security guy on Monday 24/Mar/2008, @05:16
Have the plasma developers thought of the security implications of running native code? It wouldn't be good to run a plasma applet and have it rootkit the system!

Re: Are plasmoids expected to be good citizens
by Anon on Monday 24/Mar/2008, @05:34
For a "security guy", you sure don't have a good understanding of common terms. For reference, most apps that you are using right now - including your web browser, e-mail client, etc - are "native code".
  • Re: Are plasmoids expected to be good citizens
    by Mark Williamson on Monday 24/Mar/2008, @08:44
    Yes, but - unlike Plasmoids - the normal method of obtaining that code is not to download them from a random 3rd party on the internet, since they come with your distro. IMO, the different security concerns for Plasmoids arise from the fact that there's a lower "barrier to entry" to getting Plasmoids onto a user's desktop.
    • Re: Are plasmoids expected to be good citizens
      by SMB on Monday 24/Mar/2008, @09:10
      Probably why you're not supposed to download and run apps you don't trust.
    • Re: Are plasmoids expected to be good citizens
      by Anon on Monday 24/Mar/2008, @11:03
      Native code apps will always have to be either compiled from source (a power-user task), obtained from distro packages, etc - in other words, Plasma does *not* lower the barrier to entry of getting native code onto the user's desktop. It is precisely as much of an increased security risk as Kicker applets were i.e. "barely at all".

      Non-native code - which will hopefully form the bulk of 3rd party plasmoids - can, as mentioned elsewhere in this thread, be tightly sandboxed so that it can do no harm.
      • Re: Are plasmoids expected to be good citizens
        by Sebastian Sauer on Monday 24/Mar/2008, @13:05
        > in other words, Plasma does *not* lower the barrier to entry of getting native code onto the user's desktop

        It does. Security is not related here but things like a) the time needed to look at how it should be done and b) the time needed to get it working. Plasma helps with a) by providing good, clean and small interfaces Plasmoids need to implement and helps with b) by providing a fast way to test your code, and because of a) it's also not needed to write tons of code to get just something working.

        All in all, it does help to lower the barrier to entry. If we look at scripting code aka Plasmoids written or extended with scripts, then there is also no connection between security and barrier since it's not the main goal of most scripting languages to provide a secure sandbox but to get a solution out faster (aka without learning pointer-logic, without compiling, without being such static limited, etc.) and that's exactly what they (may) do in plasma as well :)
      • Re: Are plasmoids expected to be good citizens
        by Sebastian Sauer on Monday 24/Mar/2008, @13:09
        > in other words, Plasma does *not* lower the barrier to entry of getting native code onto the user's desktop

        It does. Security is not related here but things like a) the time needed to look at how it should be done and b) the time needed to get it working. Plasma helps with a) by providing good, clean and small interfaces Plasmoids can implement and helps with b) by providing a fast way to test your code and get it working, and because of a) the task shouldn't be that complex => less code needed to get the job done.

        All in all, it does help to lower the barrier to entry. If we look at scripting code aka Plasmoids written or extended with scripts, then there is also no connection between security and entry-barrier since it's not the main goal of most scripting languages to provide a secure sandbox but to get a solution out faster (aka without learning pointer-logic, without compiling, without being such static limited, etc.) and that's exactly what they (may) do in plasma as well. Security, as in Plasmoids coming from untrusted sources, is only related for the deployment.
Re: Are plasmoids expected to be good citizens
by Thomas Zander on Monday 24/Mar/2008, @07:16
Yes, it has been considered. No plasma apps can not rootkit your system.
  • Re: Are plasmoids expected to be good citizens
    by Anon on Monday 24/Mar/2008, @07:26
    Double negative error.
    • Re: Are plasmoids expected to be good citizens
      by sebas on Monday 24/Mar/2008, @10:26
      ... or a missingcomma. :-)
    • Re: Are plasmoids expected to be good citizens
      by Anon on Monday 24/Mar/2008, @12:28
      Are you *sure* it's an error?

 
KDE®, "K Desktop Environment", "KDE Dot News", "got the dot?" and the KDE Logo® are trademarks or registered trademarks of KDE e.V. in the European Union, the United States and other countries. All other trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the poster. The rest: Copyright © 2000-2008 KDE e.V. for The KDE Project. For further information or comments on this site, please contact the Webmaster.