On Fri, Feb 26, 1999 at 12:16:02PM -0500, Paul Everitt wrote:
"Can we make import-from-the-network have as acceptable a level of trust as the filesystem?"
There are three potential problems here, as I see it, or vectors for assault....

1. Malicious users creating bad pickles
2. MIM attack that inserts garbage in
3. Unauthorized use by sniffed password/etc

#1 I think is the smallest, honestly, because if it's true, you've got other larger problems. #2 is relatively uncommon, but can be side-stepped with a precomputed checksum (MD5 signature) that is input along with the filename/browse feature. #3 is the hardest, and is also exposed to the whole "web admin" issue; it's no better/worse because it's an import than going through and messing it up manually.
Here are some brainstorm ideas:
1) Make the import a pull rather than a push. Instead of pushing the data from your computer into a remote Zope, you go to the remote Zope and put in the URL to your local Zope.
No no, this is just too painful for words, breaks all kinds of security things that people have in place for "diodes" in their network.
2) Turn import from the web off by default but have a knob to turn it on.
This I like, make people consciously think about turning it on... everyone has different security policies. Provide the flexibility to provide features with a known risk.
3) Reading directly from a Zope as it outputs an export means you're less likely to get a hacked pickle.
Well, yeah, but it's also a pain in the butt, and perhaps should wait until replication itself is there, no? Then you can use the replication framework for this.
4) Have a shared key system, then rotor the export file (this is what we do on the unreleased Zope Network Client software). That is, wrap the data in an envelope.
Well, see above. You really have to identify the vectors you're most concerned with. This system won't necessarily give you anything except "privacy" unless you also provide some tamper-resistance through hashing.
Of course there is still the ultimate question: is this a compelling feature?
It's a "MUST HAVE" for me... I do a ton of prototyping at home, and then move it to a remote system as a big batch. Works great, it's a bit painful, but... much easier than before.

Chris
--
| Christopher Petrilli    ``Television is bubble-gum for
| petrilli@amber.org      the mind.'' -Frank Lloyd Wright
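The thread's two mitigations for an imported export file, a precomputed digest checked before the pickle is loaded (vector #2) and a loader that refuses a "bad pickle" (vector #1), as an added example that is not from the thread or from Zope itself. It assumes a shared key both sides already hold, uses HMAC-SHA256 in place of the bare MD5 checksum mentioned above (a keyed digest gives the tamper-resistance that encryption alone, as noted in the reply about rotoring, does not), and the export payload, key and the `make_envelope`/`open_envelope` names are constructed for the example:

```python
"""Tamper-evident envelope for a Zope-style export file (added example).

A receiver verifies a keyed digest over the raw export bytes *before*
calling the unpickler, and the unpickler itself refuses to resolve any
global, so plain data structures load while a pickle that names code
is rejected.  Key, payload and function names are constructed here.
"""
import hashlib
import hmac
import io
import pickle

# Constructed sample: a shared key both sides already agree on.
SHARED_KEY = b"example-shared-key-do-not-reuse"

# Constructed sample export (a real Zope export is an object graph;
# a dict is enough to show the mechanism).
SAMPLE_EXPORT = {
    "id": "prototype_site",
    "title": "Prototype",
    "items": ["index_html", "style"],
}


def make_envelope(obj, key=SHARED_KEY):
    """Serialise obj and return (payload, tag): the pickle bytes plus a
    keyed digest the receiver can verify before unpickling."""
    payload = pickle.dumps(obj, protocol=pickle.HIGHEST_PROTOCOL)
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return payload, tag


class RestrictedUnpickler(pickle.Unpickler):
    """Refuses any pickle that tries to resolve a global.  Dicts, lists,
    strings and numbers still load; anything naming a module-level
    object does not.  This is independent of the digest check."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(
            f"global {module}.{name} is not allowed in an imported export"
        )


def open_envelope(payload, tag, key=SHARED_KEY):
    """Verify the keyed digest in constant time, then unpickle with the
    restricted loader.  Raises ValueError on a digest mismatch."""
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("export rejected: digest mismatch (tampered or wrong key)")
    return RestrictedUnpickler(io.BytesIO(payload)).load()


def roundtrip():
    """Untampered export with the right key loads back to the same object."""
    payload, tag = make_envelope(SAMPLE_EXPORT)
    return open_envelope(payload, tag)


def tamper_detected():
    """One byte changed in transit: the digest check rejects the file
    before the unpickler ever sees it."""
    payload, tag = make_envelope(SAMPLE_EXPORT)
    damaged = bytearray(payload)
    damaged[-1] ^= 0x01          # simulate garbage inserted on the wire
    try:
        open_envelope(bytes(damaged), tag)
    except ValueError:
        return True
    return False


def global_rejected():
    """A correctly signed pickle that references a global (here the
    harmless builtin `len`, pickled by name) is still refused, because
    the restricted loader never resolves module.name pairs."""
    payload, tag = make_envelope(len)
    try:
        open_envelope(payload, tag)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    print("roundtrip ok:", roundtrip() == SAMPLE_EXPORT)
    print("tamper detected:", tamper_detected())
    print("global rejected:", global_rejected())
```

The order matters: the digest is checked over the raw bytes first, so a modified file is discarded without parsing it, and the restricted loader is the second line of defence for the case where the sender (or the key) is itself the problem. Encrypting the same bytes without a keyed digest would hide the contents but would not let the receiver tell a modified file from an original one.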