Addons that delete competitor's addons
#91
..
Reply
#92
(2016-05-03, 07:19)Memphiz Wrote: How come that you think any one of us has a concept for sandboxing addons? We use libpython which can access everything that the Python runtime offers - we don't really have control over it. The only thing I can think of is wrapping calls from libpython that might be used in a dangerous way - but that could be the whole C API... - so whoever thinks this is easy - come forward with an idea please.

There have been many attempts to produce a sandboxed/restricted execution environment for Python. Every single one has been broken very quickly. Then the developer plugs those holes, more are exposed. This cycle continues on python-list/python-ideas/python-dev for a matter of weeks, eventually the threads die down as the developer concludes it is too hard to do properly.

People who think this isn't hard should do a web search for "restricted execution python" and "sandboxed python" ...
Reply
#93
(2016-05-04, 03:14)magao Wrote:
(2016-05-03, 07:19)Memphiz Wrote: How come that you think any one of us has a concept for sandboxing addons? We use libpython which can access everything that the Python runtime offers - we don't really have control over it. The only thing I can think of is wrapping calls from libpython that might be used in a dangerous way - but that could be the whole C API... - so whoever thinks this is easy - come forward with an idea please.

There have been many attempts to produce a sandboxed/restricted execution environment for Python. Every single one has been broken very quickly. Then the developer plugs those holes, more are exposed. This cycle continues on python-list/python-ideas/python-dev for a matter of weeks, eventually the threads die down as the developer concludes it is too hard to do properly.

People who think this isn't hard should do a web search for "restricted execution python" and "sandboxed python" ...

We're talking about the details and difficulties of python sandboxing and security in the Feature Request thread.
http://forum.kodi.tv/showthread.php?tid=...pid2327316

You are right it is a very hard problem but doing nothing at all is going to end in some very bad publicity for Kodi sometime in the future when a rogue addon developer war breaks out again or someone uses addons to steal people's identity.
I hope it won't happen to someone's Kodi installation you or I care about.
Reply
#94
It looks like something positive is happening. The developer that modified the hosts file has taken his addon down, after autodeleting it, ironically, and is talking to someone about it.
Reply
#95
to someone? a psychologist?
Reply
#96
Seriously, if everyone on here hates third party addon developers so much why hasn't Kodi locked down addons to only the official ones?
Reply
#97
(2016-05-04, 07:15)primaeval Wrote: Seriously, if everyone on here hates third party addon developers so much why hasn't Kodi locked down addons to only the official ones?

In general, add-on developers are well liked here. Even some of the authors of some of the pirate/bootleg add-ons are regarded as good people, even if their add-ons can't be discussed here. There's just not a whole lot of love for people who mess with things like host files.
Reply
#98
(2016-05-04, 06:09)primaeval Wrote: It looks like something positive is happening. The developer that modified the hosts file has taken his addon down, after autodeleting it, ironically, and is talking to someone about it.

It's back with a warning dialog that doesn't seem to work and an aggressive changelog:
Code:
       Warn of HOST EDIT
       REMOVE VIDTIME / SELF KILL
       TRY TELLING ME I CAN'T REMOVE MYSELF!

I'm starting to come round to the majority view here and say lock Kodi down. :(
Giving people like this access to my hosts file, file system and local network is just too scary.
Reply
#99
(2016-05-04, 09:01)primaeval Wrote:
(2016-05-04, 06:09)primaeval Wrote: It looks like something positive is happening. The developer that modified the hosts file has taken his addon down, after autodeleting it, ironically, and is talking to someone about it.

It's back with a warning dialog that doesn't seem to work and an aggressive changelog:
Code:
       Warn of HOST EDIT
       REMOVE VIDTIME / SELF KILL
       TRY TELLING ME I CAN'T REMOVE MYSELF!

I'm starting to come round to the majority view here and say lock Kodi down. :(
Giving people like this access to my hosts file, file system and local network is just too scary.

So instead of not using this guy's plugin/repo you want to lock down Kodi? Not sure I follow the logic, this code isn't being forced on you... you willingly installed the repo/plugin :)
Reply
(2016-05-04, 09:06)Lunatixz Wrote:
(2016-05-04, 09:01)primaeval Wrote:
(2016-05-04, 06:09)primaeval Wrote: It looks like something positive is happening. The developer that modified the hosts file has taken his addon down, after autodeleting it, ironically, and is talking to someone about it.

It's back with a warning dialog that doesn't seem to work and an aggressive changelog:
Code:
       Warn of HOST EDIT
       REMOVE VIDTIME / SELF KILL
       TRY TELLING ME I CAN'T REMOVE MYSELF!

I'm starting to come round to the majority view here and say lock Kodi down. :(
Giving people like this access to my hosts file, file system and local network is just too scary.

So instead of not using this guy's plugin/repo you want to lock down Kodi? Not sure I follow the logic, this code isn't being forced on you... you willingly installed the repo/plugin :)

In this particular case it is my fault for testing the addon. I wanted to see what the addon war was about.

I am thinking of the average users who get Kodi pre-installed or who follow Youtube videos and don't even know this forum exists. It's like giving a toddler a loaded gun and wondering why someone gets shot in the head.

My idea of a lockdown is what I think you talked about yesterday. Only having this repo allowed to automatically install and update authenticated addons. All others have to be manually installed and updated.

McMC's total lockdown is a bit too far although it looks pretty safe.

Also change Kodi's name every month so nobody can use it as a selling point. ;)
Reply
(2016-05-04, 09:01)primaeval Wrote: I'm starting to come round to the majority view here and say lock Kodi down. :(
Giving people like this access to my hosts file, file system and local network is just too scary.
Who's making you do that?
Don't install from sources you don't trust.
Nobody's making you install any add-ons.
Reply
(2016-05-04, 09:22)trogggy Wrote: Who's making you do that?
Don't install from sources you don't trust.
Nobody's making you install any add-ons.

Fully agree. Check the source code, if it's obfuscated in any way then the author has something to hide. And I don't agree with any rubbish about wanting to protect their code. That's exactly the opposite of open-source.
Learning Linux the hard way !!
Reply
(2016-05-04, 09:30)black_eagle Wrote:
(2016-05-04, 09:22)trogggy Wrote: Who's making you do that?
Don't install from sources you don't trust.
Nobody's making you install any add-ons.

Fully agree. Check the source code, if it's obfuscated in any way then the author has something to hide. And I don't agree with any rubbish about wanting to protect their code. That's exactly the opposite of open-source.

The thing is until 17.0 comes out there is no warning that the repo/addon you are adding has any potential dangers. If your wife/kids/parents are using a computer you installed Kodi on, how are they to know what addons are dangerous? Can your wife/girlfriend/mother read Python? I bet a print statement looks obfuscated to them.
Reply
(2016-05-04, 09:35)primaeval Wrote:
(2016-05-04, 09:30)black_eagle Wrote:
(2016-05-04, 09:22)trogggy Wrote: Who's making you do that?
Don't install from sources you don't trust.
Nobody's making you install any add-ons.

Fully agree. Check the source code, if it's obfuscated in any way then the author has something to hide. And I don't agree with any rubbish about wanting to protect their code. That's exactly the opposite of open-source.

The thing is until 17.0 comes out there is no warning that the repo/addon you are adding has any potential dangers. If your wife/kids/parents are using a computer you installed Kodi on, how are they to know what addons are dangerous? Can your wife/girlfriend/mother read Python? I bet a print statement looks obfuscated to them.
Good point. They might accidentally install an add-on from one of the dodgy repos I use. Because obviously I install loads of repositories from sources I don't trust. And obviously I also tell anyone who uses Kodi in my house to just mess about, install any old crap, it won't be a problem etc.
Oh, hang on...
Reply
(2016-05-04, 09:35)primaeval Wrote: The thing is until 17.0 comes out there is no warning that the repo/addon you are adding has any potential dangers. If your wife/kids/parents are using a computer you installed Kodi on, how are they to know what addons are dangerous? Can your wife/girlfriend/mother read Python? I bet a print statement looks obfuscated to them.

No they can't. Which is why I would never install a third-party repo for them to download add-ons from. If they needed anything from a third party, I'd get it in zip form, check it myself and then install from zip.

Look, this is exactly the same as installing software in any operating system. Does anyone really heed the warnings that Windows flashes up or do they just blindly click 'yes' and 'install' and then are puzzled as to where these dubious browser toolbars came from?? Same with Android - some app says it requires root so user roots their device without really understanding what they have just done and installs it.

Whilst I fully understand what a malicious add-on could do, you cannot police people's stupidity and naïvety. It's up to the user to decide whether or not to install something and no matter how many warnings you give and how many hoops you make them jump through to do it, they will still install it.

You can't have freedom of choice in a closed eco-system. Kodi offers a lot of freedom to do with it as you want and I personally don't want that to change because of a minority of idiots.
Learning Linux the hard way !!
Reply
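An added example, not part of the original thread and not Kodi code: a small static check of the kind the last post describes (get the add-on as a zip and inspect it before installing). The heuristics, function names and the sample add-on are assumptions constructed for illustration; it parses Python 3 syntax, so older Python 2 add-ons are reported as unparseable and need reading by hand.

```python
import ast, io, re, zipfile
# Heuristics are assumptions for this example (expect false positives), not Kodi features.
DYNAMIC = {"exec", "eval", "compile", "__import__"}
DECODERS = {"b64decode", "decompress", "unhexlify"}
DESTRUCTIVE = {"rmtree", "remove", "unlink", "rmdir"}
SENSITIVE = re.compile(r"etc[\\/]+hosts|special://home/addons", re.I)

def call_name(node):
    return getattr(node.func, "id", None) or getattr(node.func, "attr", "")

def audit_source(path, source):
    try:
        tree = ast.parse(source, filename=path)
    except SyntaxError as err:  # e.g. Python 2 syntax: flag for manual review
        return [(path, err.lineno or 0, "unparseable source")]
    found = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = call_name(node)
            inner = {call_name(n) for n in ast.walk(node) if isinstance(n, ast.Call)}
            if name in DYNAMIC:
                why = "executes decoded data" if inner & DECODERS else "dynamic execution"
                found.append((path, node.lineno, why))
            elif name in DESTRUCTIVE:
                found.append((path, node.lineno, "deletes files: " + name))
        elif isinstance(node, ast.Constant) and SENSITIVE.search(str(node.value)):
            found.append((path, node.lineno, "sensitive path string"))
    return found

def audit_zip(data):
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.endswith((".pyc", ".pyo", ".pyd", ".so", ".dll")):
                found.append((name, 0, "compiled file, not readable source"))
            elif name.endswith(".py"):
                found += audit_source(name, zf.read(name).decode("utf-8", "replace"))
    return sorted(found)

# Constructed sample add-on, built in memory; it is parsed, never executed.
SAMPLE = ('import base64, shutil\nHOSTS = "/etc/hosts"\n'
          'exec(base64.b64decode("cHJpbnQoMSk="))\n'
          'shutil.rmtree("special://home/addons/plugin.video.example")\n')
def build_sample():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("plugin.video.sample/default.py", SAMPLE)
        zf.writestr("plugin.video.sample/helper.pyo", b"\x00")
    return buf.getvalue()
```

A clean result only means none of these patterns matched; it does not replace reading the code.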