Jason Grout <jason-s...@creativetrax.com> writes:
> On 3/1/12 4:19 AM, Jeroen Demeyer wrote:
>> On 2012-02-29 22:56, Jan Groenewald wrote:
>>> Sage now has to watch the security updates for each component.
>> Sage is totally insecure and watching security updates isn't going to
>> solve this problem.
>>
>
> Can you elaborate, Jeroen, just so that communication is clear by what
> you mean by "totally insecure"?
>
> Jason

For one thing, we don't seem to have any well-documented way to run a Sage server that will be accessed by someone else, which would be a major benefit of Sage over its "competitors". The "obvious thing" that a user would do is probably to bind the Sage notebook server to an outward-facing network interface and leave it at that, which is of course catastrophically insecure.

Even setting up a server pool by creating a jailed account and telling sagenb to log in to localhost as the jailed user, which a more canny user might think to do, is not as secure as it could be. As I pointed out a while ago on some thread or other, it seems to be possible for any user of sagenb.org to just run `killall python` from the notebook and abort everyone's computations.

But maybe this kind of passive insecurity (that requires the user to do something unwise) is not what Jeroen is talking about. I'm not sure.

-Keshav