From: "John D'Errico" <woodchips@rochester.rr.com>
Newsgroups: comp.soft-sys.matlab
Subject: Re: Official rules for the FEX
Date: Sun, 20 Dec 2009 17:37:02 +0000 (UTC)
Organization: John D'Errico (1-3LEW5R)
Lines: 44
Message-ID: <hglnbu$d7t$1@fred.mathworks.com>
References: <hgihbj$3k$1@fred.mathworks.com> <hgitds$5i8$1@fred.mathworks.com> <see-0EF830.20343919122009@news.frontiernet.net> <hglhd7$e6g$1@fred.mathworks.com>
Reply-To: "John D'Errico" <woodchips@rochester.rr.com>

"Jan Simon" <matlab.THIS_YEAR@nMINUSsimon.de> wrote in message <hglhd7$e6g$1@fred.mathworks.com>...
> Dear Doug!
> 
> > I hope you realize that TMW does not want 
> > to be held liable in case someone were to upload a malicious MEX 
> > function (with false source code, perhaps).  I think the ban on MEX and 
> > p-code is completely justified.
> 
> Thanks Doug! I do not dissent. Is this your opinion or do you cite TMW?
> 
> If TMW could be held liable for uploaded MEX files, couldn't they be held liable for uploaded links to malicious MEX also?!
> What about malicious M-functions or obfuscated C-source with unpredictable results? The BSD license claims that the downloaders run all functions at their own risk. Isn't this a sufficient protection for TMW?
> 
> I realize that publishing compiled MEX might interfere with some wants of TMW. I have no doubt that TMW has good reasons. But I cannot find clear statements -- except for "Compiled files must be accompanied by their source.", which is the opposite of what they accept in reality.
> 
> Kind regards and looking forward to further discussion, Jan

As a member of the (essentially defunct) FEX
team who consistently argued against compiled
code on the FEX, my reason has always been
the risk to downloaders due to malicious code.
You cannot tell me that there will not be
someone willing to do this, and therefore,
someone WILL do it.

How about including compiled code WITH the
source? Even here I see a serious risk. There is
nothing to stop a malicious poster from adding
something malicious to the compiled version.
So submit a completely innocuous piece of
source code, but a nasty compiled version. It
is the same with p-code. If we cannot see inside,
then the submitted code is dangerous and not
acceptable for submission.

As far as simply submitting a link to external
compiled code, the FEX should also not accept
a pure link to compiled code. Of course, one can
always submit something to the link exchange.
And if you provide the source code on the FEX,
plus a link to a compiled version, this is probably
something they cannot police.

John