We have been delivering our software AOT compiled for more than a year, roughly. We never disabled read-eval...
We are sending messages serialized in Clojure on our message bus in our next release instead of serializing with Yaml. We do however encrypt it and most of that traffic is concealed within the cluster's private network.

We also work on embedding a REPL on our processes.

But all of this has to be secured somehow obviously. Like anything else (SQL, ...) to prevent code injection.

Disabling read-eval in the back-end is drastic and effectively tosses away significant advantages of using Clojure.

The ability to monitor/debug/apply patches is becoming critical to us. We want to use Clojure for these things instead of introducing other tools (JMX, ...).

ClojureScript runs in a specific context that brings some challenges and restrictions (less control on security, resource constraints, mobile apps,...)

Not having read-eval in this context is acceptable for a number of very good reasons as Rich explained.

But this does not mean that this recipe should be applied wall to wall to all Clojure implementations.

Luc P.

On Sun, 24 Jul 2011 00:12:02 +1200
Mark Derricutt <m...@talios.com> wrote:

> ...and the moment I hit send I remembered that in a language like
> clojure - read/eval is the only way to get code in the running
> system, unless you're using AOT classes and turning that off would be
> essentially turning off clojure.
>
> On 24/07/2011, at 12:04 AM, Mark Derricutt wrote:
>
> > IMHO *read-eval* should ONLY ever be true -IF- you're using a
> > REPL. Having that on by default feels very insecure.
>

--
Luc P.

================
The rabid Muppet
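
What the thread is debating, shown as an added example that is not part of either poster's message or of any project code: the same constructed bus payloads read with `*read-eval*` on, with it off, and with the data-only `clojure.edn` reader. The namespace, function names and sample messages are assumptions made for illustration.

```clojure
(ns example.bus-reader
  (:require [clojure.edn :as edn]))

;; Constructed sample payloads standing in for text taken off a message bus.
(def plain-msg "{:op :status, :node \"n1\"}")
;; #= is the reader's eval macro; the form used here is a harmless (+ 1 2).
(def eval-msg "{:op :status, :load #=(+ 1 2)}")

(defn- rejected
  "Turns a reader failure into data the caller can log or count."
  [^Exception e]
  {:rejected (.getMessage e)})

(defn read-with-eval
  "Reads s with *read-eval* true: any #= form runs during the read itself,
  before the application has looked at the message."
  [s]
  (binding [*read-eval* true]
    (read-string s)))

(defn read-without-eval
  "Reads s with *read-eval* false: plain data still parses, while a #= form
  makes the reader throw instead of evaluating it."
  [s]
  (binding [*read-eval* false]
    (try (read-string s)
         (catch Exception e (rejected e)))))

(defn read-as-edn
  "Reads s with clojure.edn (added in Clojure 1.5, after this thread):
  a data-only reader with no eval macro and no dependence on *read-eval*."
  [s]
  (try (edn/read-string s)
       (catch Exception e (rejected e))))

(defn compare-readers
  "Returns what each of the three readers makes of the same payload."
  [s]
  {:with-eval    (read-with-eval s)
   :without-eval (read-without-eval s)
   :edn          (read-as-edn s)})

(comment
  (compare-readers plain-msg)  ; ordinary data: every reader parses it
  (compare-readers eval-msg))  ; #= payload: evaluated only under :with-eval
```

Binding `*read-eval*` per call, as here, keeps the setting scoped to the bus-facing reader, so a REPL or patching channel elsewhere in the same process is unaffected.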