[Gambas-user] Gambas Software Farm in revision #6666 (!)

Benoît Minisini gambas at ...1...
Sun Nov 23 11:00:10 CET 2014


On 23/11/2014 05:48, Kevin Fishburne wrote:
> On 11/22/2014 09:30 PM, Benoît Minisini wrote:
>> Hi,
>>
>> It's late there, but I wanted to make that available as soon as possible
>> so that people can see it and comment, even if it is not finished at
>> all. (It's for the revision number too...)
>>
>> I added a new button in the IDE welcome dialog that opens the "Gambas
>> Software Farm" dialog.
>>
>> At the moment, it allows browsing the content of a Gambas farm. By
>> default, it should point at 'http://gambaswiki.org' for testing.
>>
>> Voting for a software and installing a software is not done yet.
>>
>> I have registered the 'gambasfarm.org' website, so that it becomes the
>> official Gambas Software Repository in the future.
>>
>> At the moment, registering to a farm is possible from the IDE option
>> dialog only. And publishing is done from the 'Publish...' menu entry.
>>
>> Waiting for the comments now...
>>
>
> This is going to be a killer feature, so thanks for your continued work
> on it.
>
> Despite the fact that we currently have a pretty tight-knit community of
> (hopefully) virtuous people, as with any software repository something
> that will require consideration is the potential for malicious
> applications to be uploaded to a repo.
>
> The recent Sylph demo I made available, for example, is a binary without
> source (since I plan to release it commercially). I could have made it
> search for personal information and upload it to an FTP site somewhere
> and no one would have known the difference. Obviously I didn't do that,
> but the point is how would anyone know?
>
> GAMBAS currently (as far as I know) doesn't have a budget to have people
> review source code, and I'm not even sure if making the source code
> publicly available should even be a requirement for addition to a repo,
> so I'm not quite sure how this problem could be addressed. At the bare
> minimum there should be (perhaps as an expansion of the voting system) a
> "Flag as malware" option or a review period before an application is
> made available to the public. The registration process to upload
> applications could also be made stronger somehow.
>
> Something else to consider are applications that contain illegal
> content, such as IP violations or other things that shall not be
> mentioned. Any sort of centralized (non P2P) "content distribution"
> system has to face these issues, so I just wanted to give everyone food
> for thought to prevent us showing up on Slashdot for the wrong reasons. :)
>

The Gambas farm server will only store full source archives of free
software projects.

When installing a project, the source archive will be downloaded, and 
compiled directly on the user's computer.

As for the malware problem, I think it may be possible to analyze the 
source and display warnings to the user:

- This project uses extern functions from the X, Y and Z libraries.
- This project calls external programs with SHELL or EXEC.
- This project opens files for writing.
- ...

We could imagine a slower version of the interpreter that does run-time
checks to prevent the interpreter from doing what the user does not want.

Of course, it cannot block all possible malware, but it could avoid most 
of them.

Regards,

-- 
Benoît Minisini
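A prototype of the source analysis sketched in the reply above, added here as an example; it is not code from the thread or from the Gambas project. It is a Python scanner over a constructed Gambas module (the module, its library names, commands and paths are all made up) that strips comments and string literals first, so a keyword that only appears inside text is not flagged, and then reports EXTERN declarations with their library, SHELL/EXEC statements, and OPEN ... FOR WRITE/CREATE/APPEND, in the wording of the three warnings proposed in the message.

```python
import re

# Constructed Gambas module used as scanner input; not a real farm project.
SAMPLE_SOURCE = """\
' Constructed sample module, not a real project
Library "libc:6"
Extern getpid() As Integer
Extern system(cmd As String) As Integer In "libm:6"

Public Sub Main()
  Dim hFile As File
  Dim sOut As String
  Print "Calling SHELL here is only text"   ' SHELL inside a string literal: ignored
  ' Shell "echo hi" inside a comment: ignored
  Shell "ls -l" To sOut
  Exec ["uname", "-a"] Wait
  hFile = Open "/tmp/out.txt" For Write Create
  Close #hFile
  hFile = Open "/etc/hostname" For Read
  Close #hFile
End
"""

def split_code_and_strings(line):
    """Return (code with string literals blanked to "" and the comment removed,
    list of literal contents). Gambas strings are double-quoted with backslash
    escapes; a single quote starts a comment that runs to end of line."""
    code, literals, buf, in_str, i = [], [], [], False, 0
    while i < len(line):
        c = line[i]
        if in_str:
            if c == "\\" and i + 1 < len(line):   # keep escape pairs intact
                buf.append(line[i:i + 2]); i += 2; continue
            if c == '"':
                literals.append("".join(buf)); buf = []; in_str = False
                code.append('""')
            else:
                buf.append(c)
        elif c == '"':
            in_str = True
        elif c == "'":
            break                                 # rest of line is a comment
        else:
            code.append(c)
        i += 1
    return "".join(code), literals

LIBRARY_RE = re.compile(r'^\s*LIBRARY\s+""', re.I)
EXTERN_RE = re.compile(r"^\s*EXTERN\s+(\w+)", re.I)
EXTERN_IN_RE = re.compile(r'\bIN\s+""', re.I)
EXEC_RE = re.compile(r"^\s*(SHELL|EXEC)\b", re.I)
OPEN_WRITE_RE = re.compile(r"\bOPEN\b.*\bFOR\b.*\b(WRITE|CREATE|APPEND)\b", re.I)

def scan_source(source):
    """Return (kind, line_no, name, target) tuples for each risky construct."""
    findings, current_lib = [], None
    for n, raw in enumerate(source.splitlines(), 1):
        code, strings = split_code_and_strings(raw)
        if LIBRARY_RE.match(code) and strings:
            current_lib = strings[0]              # default library for later EXTERNs
            continue
        m = EXTERN_RE.match(code)
        if m:
            lib = strings[-1] if EXTERN_IN_RE.search(code) else current_lib
            findings.append(("extern", n, m.group(1), lib or "unknown library"))
            continue
        m = EXEC_RE.match(code)
        if m:
            findings.append(("exec", n, m.group(1).upper(), strings[0] if strings else ""))
            continue
        if OPEN_WRITE_RE.search(code):
            findings.append(("write", n, "OPEN", strings[0] if strings else "<dynamic path>"))
    return findings

def warnings_for(findings):
    """Build the user-facing warnings in the style proposed in the thread."""
    msgs = []
    libs = sorted({t for k, _, _, t in findings if k == "extern"})
    if libs:
        msgs.append(f"This project uses extern functions from the {', '.join(libs)} libraries.")
    if any(k == "exec" for k, *_ in findings):
        msgs.append("This project calls external programs with SHELL or EXEC.")
    if any(k == "write" for k, *_ in findings):
        msgs.append("This project opens files for writing.")
    return msgs

if __name__ == "__main__":
    results = scan_source(SAMPLE_SOURCE)
    for kind, line_no, name, target in results:
        print(f"line {line_no}: {kind:6} {name} -> {target}")
    for msg in warnings_for(results):
        print("WARNING:", msg)
```

The scan only sees what is literally in the source: a path or command assembled at run time shows up as `<dynamic path>` or an empty command, which is exactly the case the message leaves to a run-time checking interpreter rather than to static analysis.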