[MUD-Dev] Scripting languages

[Mark 'Kamikaze' Hughes]

Sat, Jun 28, 2003 at 11:21:52PM -0400 in
<1056856912.811.62.camel at prentice>, Jay Carlson <nop at mitre.org>
spake:
> On Fri, 2003-06-27 at 13:49, Ling Lo wrote:
>> Mark 'Kamikaze' Hughes wrote:

>>> While it's working the other way around, using a scripting
>>> language for the entire MUD, the very badly-named POO (Pythonic
>>> MOO) is a nice engine, and fairly small--an earlier version I
>>> have somewhere around here is even smaller, and still provided
>>> all the necessary MUD services.

>> Python supplies an awful lot of handy default libraries which tend
>> to make the code fairly small.

> ...most of which can't be used without a security audit, if you
> don't have full trust in people writing code.  The mutability of
> basic Python data types is just the beginning.

That's partially true, but hasn't been a significant problem with
Zope, for instance.  Zope's restricted sandbox environment is,
AFAIK, completely secure; there have been security alerts and fixes,
but no major exploitation of them.  There's also currently work on a
new general sandbox environment for Python, since rexec had
problems.

There are security and malware questions in using *any*
general-purpose programming language for scripting; if you can't
violate security or create an infinite loop within the language
proper, you can overrun buffers, or find some other abuse.  There
have been known security holes in Lua, as well.

And on the gripping hand, it doesn't matter, because the only people
you'll normally allow to write full scripting code *are* trusted
admins.  The MUDs where this is not the case are fairly unusual, and
already have their own scripting languages.

--
 <a href="http://kuoi.asui.uidaho.edu/~kamikaze/"> Mark Hughes </a>
_______________________________________________
MUD-Dev mailing list
MUD-Dev at kanga.nu
https://www.kanga.nu/lists/listinfo/mud-dev