Women in Technology

Hear us Roar



Article:   Why I Stopped Coding and Why I'd Start Again
Subject:   security problem
Date:   2007-01-20 03:53:37
From:   tbuitenh
Response to: In the language or in the file-system?

I was thinking the same, and there is a filesystem that does this, see zero-install.sourceforge.net. The problem is that it can be difficult to put checksums in a path. Without checksums, a malicious developer might replace a library developed by him by something else, and the system won't notice. Sticking PGP signatures to everything, like zeroinstall does, doesn't help, because you want the developer who typed the "include" to do the signing or checksum, not the one who wrote the library.


... I started writing out all the possible path rules that wouldn't work, but found one that does ...:


/http/foo.com/widget/2.0.1/1234abcdef.py
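
The path rule from the post above, as an added example that is not part of the original post: the developer who types the include computes a checksum of the copy they reviewed and puts it in the path, and the loader refuses any content that does not hash to it. SHA-256 in hex, the minimum digest length, the function names and the sample file contents are all assumptions made for this sketch; the post does not name a hash or a loader.

```python
import hashlib
import hmac
import re

# Assumed layout, following the post's example path:
#   /<scheme>/<host>/<package>/<version>/<hex digest>.<ext>
PINNED = re.compile(
    r"/(?P<scheme>https?)/(?P<host>[A-Za-z0-9.-]+)/(?P<package>[\w.-]+)"
    r"/(?P<version>[\w.-]+)/(?P<digest>[0-9a-f]+)\.(?P<ext>\w+)"
)
MIN_HEX = 32  # assumption: refuse digests shorter than 128 bits


def parse_pinned_path(path):
    """Split a pinned include path into its fields, or raise ValueError."""
    m = PINNED.fullmatch(path)
    if m is None:
        raise ValueError("not a pinned path: %r" % path)
    fields = m.groupdict()
    if len(fields["digest"]) < MIN_HEX:
        raise ValueError("digest too short to pin content")
    return fields


def verify_include(path, content):
    """True only if content hashes to the digest the includer put in the path."""
    want = parse_pinned_path(path)["digest"]
    got = hashlib.sha256(content).hexdigest()[: len(want)]
    return hmac.compare_digest(got, want)


def pinned_path(host, package, version, content, ext="py"):
    """Path the developer typing the include derives from the copy they reviewed."""
    digest = hashlib.sha256(content).hexdigest()
    return "/http/%s/%s/%s/%s.%s" % (host, package, version, digest, ext)


# Constructed sample data: the reviewed library and a later upstream replacement.
reviewed = b"def widget():\n    return 'ok'\n"
swapped = b"def widget():\n    return 'replaced upstream'\n"
include = pinned_path("foo.com", "widget", "2.0.1", reviewed)

if __name__ == "__main__":
    print(include)
    print("reviewed copy accepted:", verify_include(include, reviewed))
    print("swapped copy accepted: ", verify_include(include, swapped))
```

Because the digest lives in the includer's own source, a signature made by the library's author plays no part in the check.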