[ALLY] View 1.1 Security
[1/9] from: larry:ecotope at: 14-Apr-2001 23:13
Carl The security settings seem to have changed from View 1.0 to View 1.1. Now even clicking on a local script file pops up the security box. And if you run any scripts in user.r they also pop up the security box and if another view process is launched it also invokes the security pop-up. Trying to change secure in user.r also results in a pop-up. I did not see this behavior under View 1.0. I much preferred the View 1.0 behavior. The way it works now is a real nuisance. In the Windows environment we need to able to execute any local script by clicking on it in the explorer window. -Larry
[2/9] from: larry::ecotope::com at: 14-Apr-2001 23:31
Replying to my own message. Further investigation shows that the most of the effects listed below are due to running a script in user.r. When I commented it out, I could click on local files and they execute OK without a security warning. I also found that running REBOL from the command line with the -s option still causes a security pop-up if there is a script being executed in user.r. -Larry ----- Original Message ----- From: "Larry Palmiter" <[larry--ecotope--com]> To: <[ally-list--rebol--com]> Cc: <[feedback--rebol--com]>
[3/9] from: ptretter:charter at: 15-Apr-2001 7:50
I agree that is a nusiance. I have the same problem. Paul Tretter ----- Original Message ----- From: "Larry Palmiter" <[larry--ecotope--com]> To: <[ally-list--rebol--com]> Cc: <[feedback--rebol--com]>
[4/9] from: carl:rebol at: 15-Apr-2001 9:54
Paul, Larry: We greatly increased security with 1.1 B1. The idea was to prevent sneaky scripts from reading files on your disk. Of course, they could never write or delete files before, but we also felt that they should not be able to read files either. Perhaps we tightened security down too much. It's easier to relax it a little. We need your feedback as to how much is too much. Let us know. Thanks, -Carl
[5/9] from: ptretter:charter at: 15-Apr-2001 12:29
Actually, I feel that we should have some control over the security which I am sure we probably already do like most things in REBOL. However, to have that much security by default is probably extreme given the fact that /View is free for personal use and even the license for /Pro is only still for personal use or non commercial use. Therefore I would not have it that secure by default - doesn't seem to fit the current licensing and distribution processes currently in place at RT. Paul Tretter
[6/9] from: agem:crosswinds at: 15-Apr-2001 17:39
>Carl > >The security settings seem to have changed from View 1.0 to View 1.1.
>even clicking on a local script file pops up the security box. And if
>run any scripts in user.r they also pop up the security box and if
>view process is launched it also invokes the security pop-up. Trying
>change secure in user.r also results in a pop-up. I did not see this >behavior under View 1.0. > >I much preferred the View 1.0 behavior. The way it works now is a real >nuisance. In the Windows environment we need to able to execute any
>script by clicking on it in the explorer window. > >-Larry >
You know with the beta - setting: [net allow file [allow read]] iam able to spy your whole hd from a reblet? hey, did you have passwords somewhere? ;-)
>-- >To unsubscribe from this list, please send an email to >[ally-request--rebol--com] with "unsubscribe" in the >subject, without the quotes. >
[7/9] from: agem:crosswinds at: 15-Apr-2001 21:25
>Paul, Larry: >We greatly increased security with 1.1 B1. The idea was to prevent
<<quoted lines omitted: 3>>>Perhaps we tightened security down too much. It's easier to relax it a >little. We need your feedback as to how much is too much. Let us
well, on the rebol-faq was said, don't worry, download rebol, run scripts, as long as you don't say yes to security-questions, nothing can happen. well, a while ago someone hacked netscape/java a bit. after that your browser was a web-server enabling everyone on the web to browse your hd. the suggestion of related magazines was to disable java until this is fixed. Not "don't worry, nobody will explore this". if someone is angry about rebol and demonstrates such a hole rebol will loose a lot of trust IMHO. its not M$ which say "om, oops, sorry, you realley moved your mouse? bad luck." i can't put hey, download rebol and this site looks much smarter on it if tryers have to worry about security? you can check security by checking system/options/script from %user.r, shutting the door if its not startet from a trusted place. but a mistake there and your machine is open. very open, nothing can spy your hd smarter than rebol :) so lowering should be a conscious decision. maybe you could turn it and move the security-check reliable in %user.r, giving there options to keep insecure features, like it was possible with [hack-launch: :launch]? and two kinds of file-extension, %.r and %.rs, where the %.r and downloads are allways hard secured? (yes, some osses may hide that..) or iam wrong here? depend of course on purpose, but i like the idea of the Reb entered from every browser (without installing backdoors) :)
[8/9] from: brett:codeconscious at: 16-Apr-2001 10:33
I think tightening it down the way you have done is the right way to go. I much prefer to know where I stand (everything shut) as opposed to the Micrsoft model everything open and welcoming. I believe read access can be a greater security threat than write in some cases - so I think preventing sneaky scripts from reading the hard disk or any other resource I have access to is a very good idea. To make the scheme workable, it would be nice to have an abilitily to customise the installation to "trust" a user-specified resource - in effect a "grant/recurse rebol read access on C:\DATA\RebolScripts" for example... I reckon the biggest risk in computing these days is that the user has to trust scripts running with user authority and not know what those scripts *actually* do. Brett.
[9/9] from: robert:muench:robertmuench at: 16-Apr-2001 15:36
> -----Original Message----- > From: [ally-bounce--rebol--com] [mailto:[ally-bounce--rebol--com]]On Behalf Of
<<quoted lines omitted: 8>>> Perhaps we tightened security down too much. It's easier to relax it a > little. We need your feedback as to how much is too much. Let us know.
Hi, IMO RT has only one chance: Make it as secure as you can and tell the people about it, why and how you have done it. Than give them the choice to change it, on their own responsibility. I can't understand comapnies delivering products with relaxed or even complete open security models... that's what we call "Grob Fahrlaessig" in Germany. Don't allow anything by default and let the user choose what to do. Robert
- Quoted lines have been omitted from some messages.
View the message alone to see the lines that have been omitted