[squeak-dev] Re: Another FFI/Installer issue

Hi,

>Maybe is time to re-think about who should be in the Release Team ?

No - if this problem continues to appear on the list we just need to fix the problem/images
(not the release team itself)  ;)

>Maybe nobody cared to rebuild new images with the fix?
>>Its not that "no body cared". Thats a little harsh... since ...

My posting today was not intended to criticize Edgars work or the Release Team.
Maybe the intention get's clearer with some background info:

I tested 3.10 on a regular basis and I contacted Andreas in March after having the FFI
problem and reported to the squeak-dev list [1] together with a mantis report [2].
After Andreas reported a fix [3] on the squeak list I also added his fix to Mantis.

After a while I tried a newer image for 3.10 (Squeak3.10.1-7175-basic.zip) and since the problem
was still there I now reported to the official V3dot10 list [4] in May - with the result that the fix
is now at least in the preliminary 3.11 (posting from Keith [5]).

AFAIK it's not fixed in the "Squeak3.10.2-7179-basic.zip" which is the latest
downloadable 3.10 version and linked from the squeak.org webpage. I dont "care about" the
reason and havent followed the issue since my own build scripts easily apply the fix.

Maybe the fix in 6980 just slipped through, the fix is to unstable or maybe there is no general interest
or to much work in rebuilding the 3.10 image for this particular issue or most people know how to apply
fixes from Mantis, maybe people still use 3.9 - I dont really know , I can just guess.

What I know is that I got no answer on the V3dot10 list regarding the issue to be fixed for the
current 3.10 Squeak image. So my impression was and still is that nobody cared/or has an interest
on having a newer 3.10 image built to solve this issue there. Maybe having it in a 3.11 script is good
enough and a new 3.10 image is not necessary. But since I dont really know I've put a question
mark on the statement! Nothing more said.

>all "should" be well.

Maybe, but that depends. I still think that it's hard for beginners starting with 3.10
(or Squeakers who do not regulary scan Mantis/dev list or know about Installer)
to be faced with a problematic image after loading FFI...

Bye
Torsten

[1] http://lists.squeakfoundation.org/pipermail/squeak-dev/2008-March/127207.html
[2] http://bugs.squeak.org/view.php?id=6980
[3] http://lists.squeakfoundation.org/pipermail/squeak-dev/2008-March/127208.html
[4] http://lists.squeakfoundation.org/pipermail/v3dot10/2008-May/001116.html
[5] http://lists.squeakfoundation.org/pipermail/v3dot10/2008-May/001112.html
--
Der GMX SmartSurfer hilft bis zu 70% Ihrer Onlinekosten zu sparen!
Ideal für Modem und ISDN: http://www.gmx.net/de/go/smartsurfer

2008/8/3 Torsten Bergmann <[hidden email]>: My 2 cents.
An FFI is 'need to have package' for my needs. Frankly, i don't
remember images which i was working with, which don't have FFI
installed.
Because of that, i have a strong bias that FFI plugin should be
included as internal plugin into VM by default (and FFI package could
still be optional, but it should be tested to be able to loaded
without problems in ANY image).
The arguments for not putting it, some people like repeating, that FFI
puts instability into image/VM seem very odd as to me. A running
Croquet is best illustration what such arguments worth.
But this is just my humble opinion.

I was expected that in 3.10.2 the issue was fixed (because couple
months passed since issue was found and then cure found).
Honestly there is nobody to blame for it (except self ;) , that it is
not included.


--
Best regards,
Igor Stasenko AKA sig.

> Maybe, but that depends. I still think that it's hard for beginners starting with 3.10
> (or Squeakers who do not regulary scan Mantis/dev list or know about Installer)
> to be faced with a problematic image after loading FFI...
>
> Bye
> Torsten
>  
I think that we/someone is confusing things here. In one breath we ask
the release team to provide a minimal image in which as many packages as
possible are removed. In the next we complain when total beginners are
not able to build their own custom images perfectly from scratch with
one click, or must learn a command line tool.

As far as I know the intention all along has been for the base image to
get smaller, and for derived images to be built from that base image
using scripts. The process of supplying working derived images for
beginners to play with was something that members of the community would
be expected to do at their leisure. So far we have several, squeak-dev,
squeak-web and FunSqueak. "Installer" of course makes this process much
easier, and http://installer.pbwiki.com/ provides a place for publishing
such scripts.

Sure we would like to have our cake (the small image) and eat it (build
derived images with one click), but the 3.10 release team picked
Universes to perform this task rather than Installer, so 3.10 doesnt
come with an up to date Installer or instructions on how to use it.
Universes can be persuaded to work in theory, but someone needs to
actually do it. I myself preferred to put my effort into Sake/Packages
in order to replace Universes in 3.11. Matthew has been trying to ensure
that as many SqueakMap packages as possible actually load.

cheers

Keith

Igor Stasenko wrote:
> Because of that, i have a strong bias that FFI plugin should be
> included as internal plugin into VM by default (and FFI package could
> still be optional, but it should be tested to be able to loaded
> without problems in ANY image).
> The arguments for not putting it, some people like repeating, that FFI
> puts instability into image/VM seem very odd as to me. A running
> Croquet is best illustration what such arguments worth.

It's not about stability, it's about security. Without the FFI, it is
possible to have a fairly well sand-boxed environment (see Squeakland
for example). With the FFI, this is simply impossible. That's why the
FFI isn't built-in, and likely never will be for any VMs that I release.

Cheers,
   - Andreas

> Igor Stasenko wrote:
>> Because of that, i have a strong bias that FFI plugin should be
>> included as internal plugin into VM by default

Unless there is a serious flaw in the implementation any plugin should  
be perfectly usable as an external plugin. *No* plugin that I am  
familiar with (yes, I'm not familiar with every single one of them)  
needs to be bound internally in order to work.

In fact I'd go so far as to claim the the only reason to bind plugins  
internally is for packaging reasons relating to the platform being  
totally braindead about packages. Why is it that 20 years after RISC  
OS demonstrated that an utterly trivial packaging implementation was  
both doable and very effective and 5 years (or so) after OSX  
demonstrated that a similar (did I say copied? Not me. Though it  
probably is, since I know some folk worked on both) system worked  
rather well on unix filesystems, we still don't see it being used  
everywhere? Oh yeah - the software world has its collective head up  
its collective rectum. I forgot.

tim
--
tim Rowledge; [hidden email]; http://www.rowledge.org/tim
Useful random insult:- Settled some during shipping and handling.

Hi andreas

could give some examples about the security problems FFI brings into  
play (buffer overflow? ... and issues like that?)

Stef

On Aug 3, 2008, at 12:52 AM, Andreas Raab wrote:

stephane ducasse wrote:
> could give some examples about the security problems FFI brings into
> play (buffer overflow? ... and issues like that?)

How about something like:

   Win32OS shellExecute: 'format c:'.

or, for our unix friends (who often think they are invulnerable ;-)

   UnixOS system: 'find ~/ -type f -exec rm -f {} \;'.

This should do it. Note that you can slip this in without even having
any of the FFI in the image since you can construct the necessary bits
on the fly (calling system() is particularly trivial). It's downhill
from there since there are simply too many ways in which *all* of the
operating systems are entirely unsafe.

And before anyone says "but you can do this FileDirectory as well": Yes,
you can, but only if the sandbox isn't activated. As soon as go into
sandbox mode via "SecurityManager default enterRestrictedMode" an attack
like the above will no longer work.

Cheers,
   - Andreas