MobileRead Forums - View Single Post

KevinH · 06-07-2019, 10:14 AM

BTW, fwiw any system that allows python2 or python3 py files, Perl, or scripting of any sort really, to be run can in no way be secured unless you either trust the authors of the code or eyeball every line of code yourself. This is true of any program but interpreted scripts that are jit compiled can not really be properly code-signed. This includes Sigil’s plugins, Calibre, anything using JavaScript if it can write to the local file system, etc.

This is always a good reason to run anything new or untrusted on a burner non-admin account or in well sandboxed virtual machine first.

Having had a research machine root-kitted over 25 years ago has made me very paranoid!

06-07-2019, 10:14 AM	#9
KevinH Sigil Developer Posts: 8,893 Karma: 6120478 Join Date: Nov 2009 Device: many	BTW, fwiw any system that allows python2 or python3 py files, Perl, or scripting of any sort really, to be run can in no way be secured unless you either trust the authors of the code or eyeball every line of code yourself. This is true of any program but interpreted scripts that are jit compiled can not really be properly code-signed. This includes Sigil’s plugins, Calibre, anything using JavaScript if it can write to the local file system, etc. This is always a good reason to run anything new or untrusted on a burner non-admin account or in well sandboxed virtual machine first. Having had a research machine root-kitted over 25 years ago has made me very paranoid!