A poll about digital trusting

[TsT]

I don't want keep a insecured love until the final released.
I don't want waiting about rude to implement all the security features that I want, because I'm sure he has enougth thing to do about engine/graphics/physics/...

I think of course love (in C++) must provide some security features, like the sandbox. And it's already done, it's good.

I don't want that; it's disruptive and most Windows firewalls already do it. The end result will be users clicking through two approval dialogs. This seems like a complicated solution for a problem that has already been solved.

But I'm not running over Windows. I want something better than Windows firewall

Using a trust system is a good solution to never have a repetitive boring dialog box.
But the trust system is only usefull if the most of library authors use it and provide the digital signature.

I just want more control, to see what love do, and allow and deny what I want.
The real solution is probably both in C++and lua.

Require released games with custom libraries to provide the library source and a md5 hash.

md5sum is simple way to trust (more easy, less powerfull).
But you don't catch the case of :
- download a code
- loading it

You can load it by using loadstring, or by writing to a file and loading with require/package or with love.filesystem.* ... and maybe by other solutions.
In the final version is it really a good idea to disable the loadstring/require/package lua functions ?
each dangerous function as unfortunately often real usefull usage...
I think it's more complicated but better to have the choice.

Regards,

[bartbes]

Disabling require is just... insane, I can agree about package, but loadstring is always useful. In a way I think you're asking too much, you can't limit the developers too much, or the users (of the game, not LÖVE). If you're so paranoid then read the source, and if it downloads something, check what it downloads, but don't try and hold everyone back from creating anything.

[subrime]

Love is for building applications.

If you worry about applications downloading and running code you trust or approve, you should be running all your applications on a vm (not just love) with restricted network access.

[TsT]

(1) Disabling require is just... insane,
(2) I can agree about package, but loadstring is always useful.
(3) In a way I think you're asking too much, you can't limit the developers too much, or the users (of the game, not LÖVE).
(4) If you're so paranoid then read the source, and if it downloads something, check what it downloads, but don't try and hold everyone back from creating anything.

1) I'm agree, but I need to find a way to deny the load of some specific packages.
For exemple, about the os package, I'm trying to :
- load it (ok, love already load it)
- remove the dangerous function like os.remove() and os.execute() or
- backup them in a safe place to control their uses.
- most of all, found a way to deny the use of require to reload os
I don't want disable os completely because os.time() can be use without danger.

2) of course loadstring is useful, and can be use to do good things. but it's also the most simple way to run malicious downloaded data.

3) I don't want limit people, just find technical solution to allow paranoid people (like me) the limit them-self. For now it's not easy or not possible.

4) But I already try to read the source ... but it's boring, and I'm still a beginner in love, I'm not sure to understand every what I read.
And I prefer be able to run game and think "in the worst case, it can not be something dangerous".
And I can tell you, where can I read the source of LUBE-X ? before running it (when you only provide the binary version)
I don't blame you, it just a sample to show that is not always possible, and not often simple.

(1)Love is for building applications.
(2)If you worry about applications downloading and running code you trust or approve, you should be running all your applications on a vm (not just love) with restricted network access.

1) I'm maybe not agree with you, Love is for building game, application and everyelse we want.
a) Creating a application is make .love file with your game inside and include the love binary, rename the result to mygame.exe and allow to run this file.
b) Creating a game is just make a .love file you game inside, and run it with your Love application.
c) Creating a love game that can be use to help us to check/develop/debug their games and improve security...

In the first case (a) yes of course if I want security, I can really trust the binary (.exe) part... So I'm must use some antivirus, firewall, ... and/or virtual machine.
But virtual machine is not very easy to have good performance and 3d acceleration...

Regards,

[bartbes]

And I can tell you, where can I read the source of LUBE-X ? before running it (when you only provide the binary version)

That's one hell of an example.. first of all it's a development version of LUBE, so it makes sense I wanted to prevent people from using it, but then.. it wasn't meant for people who wanted to be secure, it was for those bleeding-edge users. Anyway, if you only check it's version number you'll see it's useless now.