2016-05-03, 21:30
..
(2016-05-03, 07:19)Memphiz Wrote: How come that you think anyone of us has a concept for sandboxing addons? We use libpython which can access everything that the Python runtime offers - we don't really have control over it. The only thing I can think of is wrapping calls from libpython that might be used in a dangerous way - but that could be the whole C API... - so whoever thinks this is easy - come forward with an idea please.
(2016-05-04, 03:14)magao Wrote: (2016-05-03, 07:19)Memphiz Wrote: How come that you think anyone of us has a concept for sandboxing addons? We use libpython which can access everything that the Python runtime offers - we don't really have control over it. The only thing I can think of is wrapping calls from libpython that might be used in a dangerous way - but that could be the whole C API... - so whoever thinks this is easy - come forward with an idea please.
There have been many attempts to produce a sandboxed/restricted execution environment for Python. Every single one has been broken very quickly. Then the developer plugs those holes, more are exposed. This cycle continues on python-list/python-ideas/python-dev for a matter of weeks, eventually the threads die down as the developer concludes it is too hard to do properly.
People who think this isn't hard should do a web search for "restricted execution python" and "sandboxed python" ...
(2016-05-04, 07:15)primaeval Wrote: Seriously, if everyone on here hates third party addon developers so much why hasn't Kodi locked down addons to only the official ones?
(2016-05-04, 06:09)primaeval Wrote: It looks like something positive is happening. The developer that modified the hosts file has taken his addon down, after autodeleting it, ironically, and is talking to someone about it.
(2016-05-04, 09:01)primaeval Wrote: (2016-05-04, 06:09)primaeval Wrote: It looks like something positive is happening. The developer that modified the hosts file has taken his addon down, after autodeleting it, ironically, and is talking to someone about it.
It's back with a warning dialog that doesn't seem to work and an aggressive changelog:
Code:
Warn of HOST EDIT
REMOVE VIDTIME / SELF KILL
TRY TELLING ME I CAN'T REMOVE MYSELF!
I'm starting to come round to the majority view here and say lock Kodi down.
Giving people like this access to my hosts file, file system and local network is just too scary.
(2016-05-04, 09:06)Lunatixz Wrote: (2016-05-04, 09:01)primaeval Wrote: (2016-05-04, 06:09)primaeval Wrote: It looks like something positive is happening. The developer that modified the hosts file has taken his addon down, after autodeleting it, ironically, and is talking to someone about it.
It's back with a warning dialog that doesn't seem to work and an aggressive changelog:
Code:
Warn of HOST EDIT
REMOVE VIDTIME / SELF KILL
TRY TELLING ME I CAN'T REMOVE MYSELF!
I'm starting to come round to the majority view here and say lock Kodi down.
Giving people like this access to my hosts file, file system and local network is just too scary.
So instead of not using this guy's plugin/repo you want to lock down Kodi? Not sure I follow the logic, this code isn't being forced on you... you willingly installed the repo/plugin
(2016-05-04, 09:01)primaeval Wrote: I'm starting to come round to the majority view here and say lock Kodi down.
Giving people like this access to my hosts file, file system and local network is just too scary.
Who's making you do that?
(2016-05-04, 09:22)trogggy Wrote: Who's making you do that?
Don't install from sources you don't trust.
Nobody's making you install any add-ons.
(2016-05-04, 09:30)black_eagle Wrote: (2016-05-04, 09:22)trogggy Wrote: Who's making you do that?
Don't install from sources you don't trust.
Nobody's making you install any add-ons.
Fully agree. Check the source code, if it's obfuscated in any way then the author has something to hide. And I don't agree with any rubbish about wanting to protect their code. That's exactly the opposite of open-source.
(2016-05-04, 09:35)primaeval Wrote: (2016-05-04, 09:30)black_eagle Wrote: (2016-05-04, 09:22)trogggy Wrote: Who's making you do that?
Don't install from sources you don't trust.
Nobody's making you install any add-ons.
Fully agree. Check the source code, if it's obfuscated in any way then the author has something to hide. And I don't agree with any rubbish about wanting to protect their code. That's exactly the opposite of open-source.
The thing is until 17.0 comes out there is no warning that the repo/addon you are adding has any potential dangers. If your wife/kids/parents are using a computer you installed Kodi on, how are they to know what addons are dangerous? Can your wife/girlfriend/mother read Python? I bet a print statement looks obfuscated to them.
Good point. They might accidentally install an add-on from one of the dodgy repos I use. Because obviously I install loads of repositories from sources I don't trust. And obviously I also tell anyone who uses Kodi in my house to just mess about, install any old crap, it won't be a problem etc.
(2016-05-04, 09:35)primaeval Wrote: The thing is until 17.0 comes out there is no warning that the repo/addon you are adding has any potential dangers. If your wife/kids/parents are using a computer you installed Kodi on, how are they to know what addons are dangerous? Can your wife/girlfriend/mother read Python? I bet a print statement looks obfuscated to them.