Thread Subject:
Official rules for the FEX

Subject: Official rules for the FEX

From: Jan Simon

Date: 19 Dec, 2009 12:36:03

Message: 1 of 22

Dear all!

Where can I find the official rules for publishing files on the FileExchange?

If I open the page for submitting a new file ( http://www.mathworks.com/matlabcentral/fileexchange/new ), I find these messages:
  "Compiled files must be accompanied by their source."
  "(Non-transparent GIF, non-animated, JPG, or PNG less than 600px wide)"

Currently compiled files are not accepted at all - but this has changed frequently in the last years. I'm sure that there are good reasons for this and I hope, that TMW could explain them to me/us.
Transparent and animated GIFs *are* accepted - I'm definitely happy about that, because animated GIFs are the best way to explain animations created by the published file. I can also find pictures larger than 600px in the FEX...

I asked the FEX moderators files@mathworks.com for some clear guidelines some months ago, but I did not get an answer or find concerning changes on the web pages yet.

In the "Guidelines for New Submissions" ( http://www.mathworks.com/matlabcentral/fileexchange/help_newsubmissions ) I find:
  "The Submission must not directly compete with products offered by The MathWorks or its partners."
I've published a patch for FILTFILT, which directly competes with Matlab's original FILTFILT. Of course I offered the patch (and a bunch of others) at first to the MathWorks support team, but I did not get any reaction from the developers for 6 months. I asked files@mathworks.com, if I'm allowed to publish the patch, and I think it is an answer, that the file is in the FEX...

Please, TMW, would it be possible to update the instructions for publishing files?
Could somebody clear my question, if it is allowed to publish a function, which improves performance or stability of a Matlab function, if the developers are not showing any interest? Or does this concern the "not directly compete" paragraph? I do not want to get or make troubles, when I try to improve the performance of your product.

Kind regards, Jan

See also: http://www.mathworks.com/matlabcentral/newsreader/view_thread/248955#655541

Subject: Official rules for the FEX

From: Jos (10584)

Date: 19 Dec, 2009 14:39:03

Message: 2 of 22

"Jan Simon" <matlab.THIS_YEAR@nMINUSsimon.de> wrote in message <hgihbj$3k$1@fred.mathworks.com>...
> Dear all!
>
> Where can I find the official rules for publishing files on the FileExchange?
>
> If I open the page for submitting a new file ( http://www.mathworks.com/matlabcentral/fileexchange/new ), I find these messages:
> "Compiled files must be accompanied by their source."
> "(Non-transparent GIF, non-animated, JPG, or PNG less than 600px wide)"
>
> Currently compiled files are not accepted at all - but this has changed frequently in the last years. I'm sure that there are good reasons for this and I hope, that TMW could explain them to me/us.
> Transparent and animated GIFs *are* accepted - I'm definitely happy about that, because animated GIFs are the best way to explain animations created by the published file. I can also find pictures larger than 600px in the FEX...
>
> I asked the FEX moderators files@mathworks.com for some clear guidelines some months ago, but I did not get an answer or find concerning changes on the web pages yet.
>
> In the "Guidelines for New Submissions" ( http://www.mathworks.com/matlabcentral/fileexchange/help_newsubmissions ) I find:
> "The Submission must not directly compete with products offered by The MathWorks or its partners."
> I've published a patch for FILTFILT, which directly competes with Matlab's original FILTFILT. Of course I offered the patch (and a bunch of others) at first to the MathWorks support team, but I did not get any reaction from the developers for 6 months. I asked files@mathworks.com, if I'm allowed to publish the patch, and I think it is an answer, that the file is in the FEX...
>
> Please, TMW, would it be possible to update the instructions for publishing files?
> Could somebody clear my question, if it is allowed to publish a function, which improves performance or stability of a Matlab function, if the developers are not showing any interest? Or does this concern the "not directly compete" paragraph? I do not want to get or make troubles, when I try to improve the performance of your product.
>
> Kind regards, Jan
>
> See also: http://www.mathworks.com/matlabcentral/newsreader/view_thread/248955#655541

Dear Jan,

Your experience is one of the many showing that TMW is quite reluctant to make any official rules, criteria and/or restrictions for publications on the FEX. In the present situation, they reserve the right to remove anything from the FEX, or use it to improve their own product. Remember that MatLab is a commercial product after all!

Jos

Subject: Official rules for the FEX

From: Thomas Clark

Date: 19 Dec, 2009 16:02:04

Message: 3 of 22

Jos,

You're right of course. But, it would still be useful to have guidelines for what we literally can and can't upload (e.g. types of files).

I went to all the trouble of preparing one the other day, which included a fortran MEX file - useless for anyone without a decent Fortran compiler - and was told I could only post source code.

If those are the rules, then OK (I disagree with them, but that's another topic)... but we need to know them. If I keep getting FEx submissions refused, I'll stop posting.

Tom

Subject: Official rules for the FEX

From: Jan Simon

Date: 19 Dec, 2009 22:57:02

Message: 4 of 22

Dear Jos!

> Your experience is one of the many showing that TMW is quite reluctant to make any official rules, criteria and/or restrictions for publications on the FEX. In the present situation, they reserve the right to remove anything from the FEX, or use it to improve their own product. Remember that MatLab is a commercial product after all!
> Jos

I do remember, that Matlab is a commercial product - I have paid for it.
I do see, that TMW is really interested in the user community - I even got a mail contact after I've described some problems here and the local distributor for Germany called me by phone at 5.30 pm on a Friday to inform me about the zero-bug initiative.
But on the other hand I see, that nobody seems to be responsible for valid information on the web-page for submitting FEX files. This does not look very professional.
I get the impression, that the internal structures between the developers, the support and the web editorial staff have a great potential for improvements. Perhaps some synergistic effects...

It is clear, that TMW can delete and use submissions of the FEX. As far as I understood, the need of BSD licenses was not introduced to support the rights of the authors, but the rights of TMW. And I think, they are welcome: improvements of *their* product are improvements of the product *I* buy.

Thanks Jos! Your hint, that Matlab is a commercial product reinforces my hope to get an answer from TMW team. Jan

Subject: Official rules for the FEX

From: Doug Schwarz

Date: 20 Dec, 2009 01:29:28

Message: 5 of 22

In article <hgjlnu$qho$1@fred.mathworks.com>,
 "Jan Simon" <matlab.THIS_YEAR@nMINUSsimon.de> wrote:

> Dear Jos!
>
> > Your experience is one of the many showing that TMW is quite reluctant to
> > make any official rules, criteria and/or restrictions for publications on
> > the FEX. In the present situation, they reserve the right to remove
> > anything from the FEX, or use it to improve their own product. Remember
> > that MatLab is a commercial product after all!
> > Jos
>
> I do remember, that Matlab is a commercial product - I have paid for it.
> I do see, that TMW is really interested in the user community - I even got a
> mail contact after I've described some problems here and the local
> distributor for Germany called me by phone at 5.30 pm on a Friday to inform
> me about the zero-bug initiative.
> But on the other hand I see, that nobody seems to be responsible for valid
> information on the web-page for submitting FEX files. This does not look
> very professional.
> I get the impression, that the internal structures between the developers,
> the support and the web editorial staff have a great potential for
> improvements. Perhaps some synergistic effects...
>
> It is clear, that TMW can delete and use submissions of the FEX. As far as I
> understood, the need of BSD licenses was not introduced to support the rights
> of the authors, but the rights of TMW. And I think, they are welcome:
> improvements of *their* product are improvements of the product *I* buy.
>
> Thanks Jos! Your hint, that Matlab is a commercial product reinforces my hope
> to get an answer from TMW team. Jan


Some months ago I was contacted by a MathWorks developer. He wanted to
know if I would permit them to distribute one of my FEX functions with a
toolbox as an internal helper function. The terms were, "Your
contribution will be fully acknowledged in the helper function and the
MathWorks Inc. will own the copyright of the helper function."

My view is that these terms would mean that I no longer had complete
control over my function so I turned them down with regrets and he was
completely understanding of my view.

It was about one month later that they started requiring the BSD
license. I was glad to comply and then contacted that developer and
told him that I no longer had any objection to the use of my function
since I would be able to retain ownership of it.

That function has *not* been deleted from the FEX and I am completely
satisfied with the resolution.

--
Doug Schwarz
dmschwarz&ieee,org
Make obvious changes to get real email address.

Subject: Official rules for the FEX

From: Doug Schwarz

Date: 20 Dec, 2009 01:34:39

Message: 6 of 22

In article <hgitds$5i8$1@fred.mathworks.com>,
 "Thomas Clark" <t.clark@remove.spamcantab.net> wrote:

> Jos,
>
> You're right of course. But, it would still be useful to have guidelines for
> what we literally can and can't upload (e.g. types of files).
>
> I went to all the trouble of preparing one the other day, which included a
> fortran MEX file - useless for anyone without a decent Fortran compiler - and
> was told I could only post source code.
>
> If those are the rules, then OK (I disagree with them, but that's another
> topic)... but we need to know them. If I keep getting FEx submissions
> refused, I'll stop posting.
>
> Tom

Tom,

There is nothing stopping you from providing the compiled MEX file on
some other web site with a pointer to that web site in the source code
which you upload to the FEX. I hope you realize that TMW does not want
to be held liable in case someone were to upload a malicious MEX
function (with false source code, perhaps). I think the ban on MEX and
p-code is completely justified.

--
Doug Schwarz
dmschwarz&ieee,org
Make obvious changes to get real email address.

Subject: Official rules for the FEX

From: Jan Simon

Date: 20 Dec, 2009 15:55:19

Message: 7 of 22

Dear Doug!

> I hope you realize that TMW does not want
> to be held liable in case someone were to upload a malicious MEX
> function (with false source code, perhaps). I think the ban on MEX and
> p-code is completely justified.

Thanks Doug! I do not dissent. Is this your opinion or do you cite TMW?

If TMW could be held reliable for uploaded MEX files, couldn't they be held reliable for uploaded links to malicious MEX also?!
What about malicious M-functions or obfuscated C-source with unpredictable results? The BSD license claims, that the downloaders run all functions on their own risk. Isn't this a sufficient protection for TMW?

I realize that publishing compiled MEX might interfere with some wants of TMW. I have no doubt that TMW has good reasons. But I cannot find clear statements -- except for "Compiled files must be accompanied by their source.", which is the opposite of what they accept in reality.

Kind regards and looking forward to further discussion, Jan

Subject: Official rules for the FEX

From: John D'Errico

Date: 20 Dec, 2009 17:37:02

Message: 8 of 22

"Jan Simon" <matlab.THIS_YEAR@nMINUSsimon.de> wrote in message <hglhd7$e6g$1@fred.mathworks.com>...
> Dear Doug!
>
> > I hope you realize that TMW does not want
> > to be held liable in case someone were to upload a malicious MEX
> > function (with false source code, perhaps). I think the ban on MEX and
> > p-code is completely justified.
>
> Thanks Doug! I do not dissent. Is this your opinion or do you cite TMW?
>
> If TMW could be held reliable for uploaded MEX files, couldn't they be held reliable for uploaded links to malicious MEX also?!
> What about malicious M-functions or obfuscated C-source with unpredictable results? The BSD license claims, that the downloaders run all functions on their own risk. Isn't this a sufficient protection for TMW?
>
> I realize that publishing compiled MEX might interfere with some wants of TMW. I have no doubt that TMW has good reasons. But I cannot find clear statements -- except for "Compiled files must be accompanied by their source.", which is the opposite of what they accept in reality.
>
> Kind regards and looking forward to further discussion, Jan

As a member of the (essentially defunct) FEX
team who consistently argued against compiled
code on the FEX, my reason has always been of
the risk to downloaders due to malicious code.
You cannot tell me that there will not be
someone willing to do this, and therefore,
someone WILL do it.

How about including compiled code WITH the
source? Even here I see a serious risk. There is
nothing to stop a malicious poster from adding
something malicious to the compiled version.
So submit a completely innocuous piece of
source code, but a nasty compiled version. It
is the same with p-code. If we cannot see inside,
then the submitted code is dangerous and not
acceptable for submission.

As far as simply submitting a link to external
compiled code, the FEX should also not accept
a pure link to compiled code. Of course, one can
always submit something to the link exchange.
And if you provide the source code on the FEX,
plus a link to a compiled version, this is probably
something they cannot police.

John

Subject: Official rules for the FEX

From: Jan Simon

Date: 20 Dec, 2009 19:49:03

Message: 9 of 22

Dear John!

> As a member of the (essentially defunct) FEX
> team who consistently argued against compiled
> code on the FEX, my reason has always been of
> the risk to downloaders due to malicious code.
> You cannot tell me that there will not be
> someone willing to do this, and therefore,
> someone WILL do it.
>
> How about including compiled code WITH the
> source? Even here I see a serious risk. There is
> nothing to stop a malicious poster from adding
> something malicious to the compiled version.
> So submit a completely innocuous piece of
> source code, but a nasty compiled version. It
> is the same with p-code. If we cannot see inside,
> then the submitted code is dangerous and not
> acceptable for submission.
>
> As far as simply submitting a link to external
> compiled code, the FEX should also not accept
> a pure link to compiled code. Of course, one can
> always submit something to the link exchange.
> And if you provide the source code on the FEX,
> plus a link to a compiled version, this is probably
> something they cannot police.
>
> John

Thanks for this clear answer, John!
The MEX question is solved for me with that.

I do not think, that animated or transparent GIFs have been dangerous ever.
It was the TMWs (your) decision to dare to open a platform for publishing at least potentially dangerous M-functions (!) and this is really and totally helpful!

I'm happy, that even TMW cannot read in P-coded files.

I'm wondering what "essentially defunct FEX team" means. I'm convinced that the remainding(?) team can encourage somebody from the WWW team to rectify the page for new submissions and the guidelines.

Kind regards, Jan

Subject: Official rules for the FEX

From: Doug Schwarz

Date: 20 Dec, 2009 21:10:19

Message: 10 of 22

In article <hglhd7$e6g$1@fred.mathworks.com>,
 "Jan Simon" <matlab.THIS_YEAR@nMINUSsimon.de> wrote:

> Dear Doug!
>
> > I hope you realize that TMW does not want
> > to be held liable in case someone were to upload a malicious MEX
> > function (with false source code, perhaps). I think the ban on MEX and
> > p-code is completely justified.
>
> Thanks Doug! I do not dissent. Is this your opinion or do you cite TMW?

Hi Jan,

I don't think I have ever read any specific reason from TMW, but it's
the most likely reason (in my opinion).


> If TMW could be held reliable for uploaded MEX files, couldn't they be held
> reliable for uploaded links to malicious MEX also?!
> What about malicious M-functions or obfuscated C-source with unpredictable
> results? The BSD license claims, that the downloaders run all functions on
> their own risk. Isn't this a sufficient protection for TMW?

I don't know as I am not a lawyer, but since almost the whole Internet
is linked in some way I think it would be difficult to hold TMW liable
for code that was found on another web site. I'm thinking that the link
on mathworks.com would be to a page which contained download links to
binaries, not direct links to binaries. That way it would be clear to
users that they had left mathworks.com.

Of course, it is possible to have a malicious m-file, but as long as you
can examine that code you can figure out where to place the blame in
case something undesirable happens.

It might be that the BSD license protects TMW. In spite of that
protection, I would guess that TMW simply wants to enable code sharing
while minimizing (but not eliminating) the possibility of distributing
malware. Again, this is just my interpretation of what I have read here.


> I realize that publishing compiled MEX might interfere with some wants of
> TMW. I have no doubt that TMW has good reasons. But I cannot find clear
> statements -- except for "Compiled files must be accompanied by their
> source.", which is the opposite of what they accept in reality.

This whole file sharing concept goes way back to when TMW maintained an
anonymous ftp site and the thought of malware was more remote and
anything was acceptable. Gradually, we have been brought into the
modern age and we are all less naïve about malware so it's not
surprising that you can find mixed policy statements. The only people
who must know the policy are the MathWorkers who decide whether a
submission is accepted since they have final say on the matter. For the
rest of us it's merely a courtesy to inform us of the policy so we don't
waste our time. I tend to apply common sense -- no binaries and no
competing products make sense to me.

Mit freundlichen Grüßen,

Doug

--
Doug Schwarz
dmschwarz&ieee,org
Make obvious changes to get real email address.

Subject: Official rules for the FEX

From: John D'Errico

Date: 20 Dec, 2009 23:09:03

Message: 11 of 22

Doug Schwarz <see@sig.for.address.edu> wrote in message <see-CFD74C.16101920122009@news.frontiernet.net>...

> I don't know as I am not a lawyer, but since almost the whole Internet
> is linked in some way I think it would be difficult to hold TMW liable
> for code that was found on another web site.

I'd suggest that it is more a question of trust than
liability. By a policy of not allowing any potentially
suspect codes, the site becomes more trustworthy.

John

Subject: Official rules for the FEX

From: John D'Errico

Date: 20 Dec, 2009 23:36:04

Message: 12 of 22

"Jan Simon" <matlab.THIS_YEAR@nMINUSsimon.de> wrote in message <hglv3f$r76$1@fred.mathworks.com>...

> I'm wondering what "essentially defunct FEX team" means. I'm convinced that the remainding(?) team can encourage somebody from the WWW team to rectify the page for new submissions and the guidelines.
>

There are no longer any duties that we serve as a
"team". Yes, we can encourage TMW to do certain
things, but they have their own priorities about how
much they can do. I imagine they will treat any
requests with interest, but still anything will take
time.

John

Subject: Official rules for the FEX

From: Paul

Date: 21 Dec, 2009 00:07:03

Message: 13 of 22

Doug Schwarz <see@sig.for.address.edu> wrote in message <see-CFD74C.16101920122009@news.frontiernet.net>...

> Of course, it is possible to have a malicious m-file, but as long as you
> can examine that code you can figure out where to place the blame in
> case something undesirable happens.

It is very possible to have a malicious m-file, and this is one of the reasons that I'm leery of downloading code from the FEX. I spent a few minutes one day looking through the list of matlab commands (not including any toolboxes) and was extremely surprised at the number of commands that could be used to wreak havoc. The thought of searching through a non-trivial m-file, or set of m-files in the case of a toolbox, for potentially nefarious code seemed daunting. I'm not sure I would even know all of the commands to look for, especially when toolboxes get into the picture.

Do you have a systematic way to "examine that code" to make sure it's safe?

Subject: Official rules for the FEX

From: Matt Fig

Date: 21 Dec, 2009 00:26:03

Message: 14 of 22

I have M-Lint set to make system commands an obnoxious color. Other than looking for system commands, I don't worry too much about it.

Subject: Official rules for the FEX

From: Doug Schwarz

Date: 21 Dec, 2009 00:43:45

Message: 15 of 22

In article <hgme77$7tq$1@fred.mathworks.com>,
 "Paul" <pauldotjackson@jhuapl.edu> wrote:

> Doug Schwarz <see@sig.for.address.edu> wrote in message
> <see-CFD74C.16101920122009@news.frontiernet.net>...
>
> > Of course, it is possible to have a malicious m-file, but as long as you
> > can examine that code you can figure out where to place the blame in
> > case something undesirable happens.
>
> It is very possible to have a malicious m-file, and this is one of the
> reasons that I'm leery of downloading code from the FEX. I spent a few
> minutes one day looking through the list of matlab commands (not including
> any toolboxes) and was extremely surprised at the number of commands that
> could be used to wreak havoc. The thought of searching through a non-trivial
> m-file, or set of m-files in the case of a toolbox, for potentially nefarious
> code seemed daunting. I'm not sure I would even know all of the commands to
> look for, especially when toolboxes get into the picture.
>
> Do you have a systematic way to "examine that code" to make sure it's safe?

Paul,

I would look for any use of system(), unix() or dos() since these are
used to run code in a shell. Also, if any file is opened for writing
that could be suspicious so look for fopen(). The function delete() can
delete files, but it can be used for other things as well so you'd have
to examine its argument. The killer is eval() since it would be easy to
obfuscate its argument to do anything at all.

Of course, there are ways to mess with the MATLAB environment, such as
path() and its variants.

Have I forgotten anything? (Probably.)

The key is to look for things that you don't expect. If the stated
description of the function doesn't mention reading or writing files
then an fopen() would be suspicious, etc.

I don't actually download from the FEX much, but I have gotten to know
and trust some authors. For example, I trust anything by John D'Errico
since I know him personally (we used to work together at Kodak) and
certainly Urs Schwarz (aka "us") is trustworthy (we are not related)
just to name two, but there are many others. Generally, if a file has a
lot of favorable reviews it's unlikely to harbor malware as surely it
would have been discovered eventually. I've noticed that many MATLAB
users are pretty smart. ;-)

As far as I know, there have been no malware incidents on the FEX at
all, but there's a first time for everything.

--
Doug Schwarz
dmschwarz&ieee,org
Make obvious changes to get real email address.
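
A static triage pass built from the checklist in the message above, as an added example (not code from the thread or from MathWorks): it scans M-file text for `system()`, `unix()`, `dos()`, `eval()`, `fopen()` opened for writing, `delete()` and path changes, ignoring comments and string contents, and rates a run-time-built `eval` argument higher than a literal one. The `addpath`/`rmpath` entries, the `!` shell escape, the function names and the sample file are assumptions of this example.

```python
import re
from collections import namedtuple

# Checklist from the thread. addpath/rmpath are this example's reading of
# "path() and its variants"; the "!" shell escape is also added here.
SHELL, PATHS = "runs a shell command", "changes the search path"
WATCHED = {"system": SHELL, "unix": SHELL, "dos": SHELL,
           "eval": "executes a string as code", "fopen": "opens a file for writing",
           "delete": "can delete files", "path": PATHS, "addpath": PATHS,
           "rmpath": PATHS}
# A watched name that is neither a struct field (s.path) nor an assignment target.
CALL = re.compile(r"(?<![\w.])(%s)\b(?!\s*=(?!=))" % "|".join(WATCHED))
LITERAL = re.compile(r"""^(?:'(?:[^']|'')*'|"(?:[^"]|"")*")$""")
Finding = namedtuple("Finding", "line name level detail")  # level: high | review


def mask(line):
    """Blank out string contents and comments, keeping column positions."""
    out, i, n = [], 0, len(line)
    while i < n:
        c, prev = line[i], line[i - 1] if i else ""
        if c == "%":                          # comment runs to end of line
            out.append(" " * (n - i))
            break
        # A quote right after an operand is the transpose operator, not a string.
        transpose = c == "'" and bool(prev) and (prev.isalnum() or prev in "_)]}.'\"")
        if c in "'\"" and not transpose:
            j = i + 1
            while j < n and not (line[j] == c and line[j + 1:j + 2] != c):
                j += 2 if line[j] == c else 1     # a doubled quote is an escape
            out.append(c + " " * (j - i - 1) + c)
            i = j + 1
        else:
            out.append(c)
            i += 1
    return "".join(out)[:n]


def call_args(masked, raw, pos):
    """Raw top-level arguments of the call whose name ends at column pos."""
    pos += len(masked[pos:]) - len(masked[pos:].lstrip(" "))
    if masked[pos:pos + 1] != "(":            # command syntax: name arg
        end = pos + re.search(r"[;,]|$", masked[pos:]).start()
        return [a for a in [raw[pos:end].strip()] if a]
    depth, start, args = 0, pos + 1, []
    for k in range(pos, len(masked)):
        ch = masked[k]
        depth += (ch in "([{") - (ch in ")]}")
        if depth == 0 or (depth == 1 and ch == ","):
            args.append(raw[start:k].strip())
            start = k + 1
        if depth == 0:
            break
    else:                                     # unbalanced: continues on next line
        args.append(raw[start:].strip())
    return [a for a in args if a]


def scan(source):
    """Return a Finding for each watched construct in MATLAB source text."""
    findings = []
    for no, raw in enumerate(source.splitlines(), 1):
        if raw.lstrip().startswith("!"):      # "!cmd" hands the line to the shell
            findings.append(Finding(no, "!", "high", "shell escape: " + raw.strip()[1:].strip()))
            continue
        masked = mask(raw)
        for m in CALL.finditer(masked):
            name, args = m.group(1), call_args(masked, raw, m.end())
            literal = [bool(LITERAL.match(a)) for a in args]
            level, detail = "review", WATCHED[name]
            if name in ("system", "unix", "dos"):
                level = "high"
            elif name == "eval" and not (args and literal[0]):
                level, detail = "high", "executes a string built at run time"
            elif name == "fopen":
                if len(args) < 2 or (literal[1] and not set(args[1]) & set("wWaA+")):
                    continue                  # read-only open: not flagged
                if not literal[1]:
                    detail = "opens a file; mode is not a literal"
            findings.append(Finding(no, name, level, detail + ": " + ", ".join(args) if args else detail))
    return findings


# Constructed sample, not a real File Exchange submission.
SAMPLE = r"""function y = smooth_demo(x, name)
% Moving average. system() is mentioned only in this comment.
y = filter(ones(1,5)/5, 1, x)'; addpath(genpath(pwd)); msg = 'done';
opts.path = 'results'; fprintf('eval(%d)\n', numel(y));
fid = fopen('data.txt', 'r');
out = fopen([tempdir 'out.log'], 'a');
eval([name ' = 1;']);
eval('z = 1;');
delete(fullfile(tempdir, 'smooth_demo.tmp'));
!whoami
"""

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"{f.line:3} {f.level:6} {f.name:8} {f.detail}")
```

A clean result only means none of the listed names appear as code; functions outside this list are not covered, and each finding still needs its argument read against what the file's description says it does.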

Subject: Official rules for the FEX

From: Jan Simon

Date: 21 Dec, 2009 09:11:04

Message: 16 of 22

Dear Doug, dear Paul!

> Of course, there are ways to mess with the MATLAB environment, such as
> path() and its variants.

A nice description for this:
http://www.mathworks.com/matlabcentral/newsreader/view_thread/268380
I think, the Matlab's PATHTOOL was the malicious program in this case.

> Doug wrote:
> Have I forgotten anything? (Probably.)

BINPATCH involves an FOPEN also.
Setting the FORMAT permanently to 'hex' in the defaults - not dangerous, but annoying for the non-expert users.
But I did not start this thread to reduce the degree of usefulness of the FEX...

Kind regards, Jan

Subject: Official rules for the FEX

From: Thomas Clark

Date: 21 Dec, 2009 11:05:06

Message: 17 of 22

As the original 'moaner' about compiled MEX files I should follow up on the discussion!

I didn't mean to have a whinge about that problem in particular - I used the case to highlight that the guidelines clearly have not been updated to reflect what is and isn't allowed.

As Jan points out, the guidelines state that compiled files should be included with their source code - but compiled files evidently aren't allowed at all. I've no (big) problem with the rules themselves - I'd just like to know what they are!

--

Re. the specific issue of compiled MEX files, I accept TMW's treatment of the problem, which is one sensible way of decreasing the risk. It's still actually my view that we should allow them (with source) to be used at the downloader's risk - but we've had this conversation in the past, and a decision has been made by TMW.

Subject: Official rules for the FEX

From: Doug Schwarz

Date: 21 Dec, 2009 12:48:35

Message: 18 of 22

In article <hgnkp2$7lf$1@fred.mathworks.com>,
 "Thomas Clark" <t.clark@remove.spamcantab.net> wrote:

> As the original 'moaner' about compiled MEX files I should follow up on the
> discussion!
>
> I didn't mean to have a whinge about that problem in particular - I used the
> case to highlight that the guidelines clearly have not been updated to
> reflect what is and isn't allowed.
>
> As Jan points out, the guidelines state that compiled files should be
> included with their source code - but compiled files evidently aren't allowed
> at all. I've no (big) problem with the rules themselves - I'd just like to
> know what they are!
>
> --
>
> Re. the specific issue of compiled MEX files, I accept TMW's treatment of the
> problem, which is one sensible way of decreasing the risk. It's still
> actually my view that we should allow them (with source) to be used at the
> downloader's risk - but we've had this conversation in the past, and a
> decision has been made by TMW.


Point taken and I agree completely. The rules should be made more clear.

Had this been an ordinary online forum the discussion would have
degenerated by now into name calling, veiled threats (if not outright)
and vulgar language. Here, we are reasoning adults who can discuss
issues in a civilized manner. I love this newsgroup.

Best wishes for the Holidays to all!

Doug

--
Doug Schwarz
dmschwarz&ieee,org
Make obvious changes to get real email address.

Subject: Official rules for the FEX

From: Thomas Clark

Date: 21 Dec, 2009 13:16:04

Message: 19 of 22

Doug,

I'll second that ;)

Happy holidays all...

Tom




Doug Schwarz <see@sig.for.address.edu> wrote in message <see-8C7C44.07483521122009@news.frontiernet.net>...
> In article <hgnkp2$7lf$1@fred.mathworks.com>,
> "Thomas Clark" <t.clark@remove.spamcantab.net> wrote:
>
> > As the original 'moaner' about compiled MEX files I should follow up on the
> > discussion!
> >
> > I didn't mean to have a whinge about that problem in particular - I used the
> > case to highlight that the guidelines clearly have not been updated to
> > reflect what is and isn't allowed.
> >
> > As Jan points out, the guidelines state that compiled files should be
> > included with their source code - but compiled files evidently aren't allowed
> > at all. I've no (big) problem with the rules themselves - I'd just like to
> > know what they are!
> >
> > --
> >
> > Re. the specific issue of compiled MEX files, I accept TMW's treatment of the
> > problem, which is one sensible way of decreasing the risk. It's still
> > actually my view that we should allow them (with source) to be used at the
> > downloader's risk - but we've had this conversation in the past, and a
> > decision has been made by TMW.
>
>
> Point taken and I agree completely. The rules should be made more clear.
>
> Had this been an ordinary online forum the discussion would have
> degenerated by now into name calling, veiled threats (if not outright)
> and vulgar language. Here, we are reasoning adults who can discuss
> issues in a civilized manner. I love this newsgroup.
>
> Best wishes for the Holidays to all!
>
> Doug
>
> --
> Doug Schwarz
> dmschwarz&ieee,org
> Make obvious changes to get real email address.

Subject: Official rules for the FEX

From: Thomas Clark

Date: 21 Dec, 2009 13:19:04

Message: 20 of 22

Doug,

I'll second that ;)

Happy holidays all...

Tom




Doug Schwarz <see@sig.for.address.edu> wrote in message <see-8C7C44.07483521122009@news.frontiernet.net>...
> In article <hgnkp2$7lf$1@fred.mathworks.com>,
> "Thomas Clark" <t.clark@remove.spamcantab.net> wrote:
>
> > As the original 'moaner' about compiled MEX files I should follow up on the
> > discussion!
> >
> > I didn't mean to have a whinge about that problem in particular - I used the
> > case to highlight that the guidelines clearly have not been updated to
> > reflect what is and isn't allowed.
> >
> > As Jan points out, the guidelines state that compiled files should be
> > included with their source code - but compiled files evidently aren't allowed
> > at all. I've no (big) problem with the rules themselves - I'd just like to
> > know what they are!
> >
> > --
> >
> > Re. the specific issue of compiled MEX files, I accept TMW's treatment of the
> > problem, which is one sensible way of decreasing the risk. It's still
> > actually my view that we should allow them (with source) to be used at the
> > downloader's risk - but we've had this conversation in the past, and a
> > decision has been made by TMW.
>
>
> Point taken and I agree completely. The rules should be made more clear.
>
> Had this been an ordinary online forum the discussion would have
> degenerated by now into name calling, veiled threats (if not outright)
> and vulgar language. Here, we are reasoning adults who can discuss
> issues in a civilized manner. I love this newsgroup.
>
> Best wishes for the Holidays to all!
>
> Doug
>
> --
> Doug Schwarz
> dmschwarz&ieee,org
> Make obvious changes to get real email address.

Subject: Official rules for the FEX

From: Paul

Date: 22 Dec, 2009 20:05:20

Message: 21 of 22

Doug Schwarz <see@sig.for.address.edu> wrote in message <see-1256A7.19434520122009@news.frontiernet.net>...
> In article <hgme77$7tq$1@fred.mathworks.com>,
> "Paul" <pauldotjackson@jhuapl.edu> wrote:
>
> > Doug Schwarz <see@sig.for.address.edu> wrote in message
> > <see-CFD74C.16101920122009@news.frontiernet.net>...
> >
> > > Of course, it is possible to have a malicious m-file, but as long as you
> > > can examine that code you can figure out where to place the blame in
> > > case something undesirable happens.
> >
> > It is very possible to have a malicious m-file, and this is one of the
> > reasons that I'm leery of downloading code from the FEX. I spent a few
> > minutes one day looking through the list of matlab commands (not including
> > any toolboxes) and was extremely surprised at the number of commands that
> > could be used to wreak havoc. The thought of searching through a non-trivial
> > m-file, or set of m-files in the case of a toolbox, for potentially nefarious
> > code seemed daunting. I'm not sure I would even know all of the commands to
> > look for, especially when toolboxes get into the picture.
> >
> > Do you have a systematic way to "examine that code" to make sure it's safe?
>
> Paul,
>
> I would look for any use of system(), unix() or dos() since these are
> used to run code in a shell. Also, if any file is opened for writing
> that could be suspicious so look for fopen(). The function delete() can
> delete files, but it can be used for other things as well so you'd have
> to examine its argument. The killer is eval() since it would be easy to
> obfuscate its argument to do anything at all.
>
> Of course, there are ways to mess with the MATLAB environment, such as
> path() and its variants.
>
> Have I forgotten anything? (Probably.)
>
> The key is to look for things that you don't expect. If the stated
> description of the function doesn't mention reading or writing files
> then an fopen() would be suspicious, etc.
>
> I don't actually download from the FEX much, but I have gotten to know
> and trust some authors. For example, I trust anything by John D'Errico
> since I know him personally (we used to work together at Kodak) and
> certainly Urs Schwarz (aka "us") is trustworthy (we are not related)
> just to name two, but there are many others. Generally, if a file has a
> lot of favorable reviews it's unlikely to harbor malware as surely it
> would have been discovered eventually. I've noticed that many MATLAB
> users are pretty smart. ;-)
>
> As far as I know, there have been no malware incidents on the FEX at
> all, but there's a first time for everything.
>
> --
> Doug Schwarz
> dmschwarz&ieee,org
> Make obvious changes to get real email address.

Doug,

I think the list above is a reasonable start, but far from comprehensive. Take a look through all of the Matlab functions by category; I'm curious if you see as many as I do that would raise a red flag. And that doesn't even include toolboxes and External Interfaces. I could probably set up m-lint for a dirty word search, but I'm not even sure of all of the dirty words. Your point about looking for lots of favorable reviews is a good one, but I don't think that would raise my comfort level high enough. Perhaps I'm more paranoid than most.

Paul
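The "dirty word search" Paul describes, run over the functions Doug lists, as an added example (not code from any poster in this thread). It is a Python scanner over M-file source; `scan`, `strip_comment` and the sample file are hypothetical, and `addpath`/`rmpath` are this example's assumption about what "path() and its variants" covers.

```python
import re

# Names from Doug's list; addpath/rmpath are this example's "path() variants".
SHELL, PATH = "runs a shell command", "changes the search path"
WATCHLIST = {
    "system": SHELL, "unix": SHELL, "dos": SHELL,
    "eval": "executes a string as code",
    "delete": "may delete files, check the argument",
    "fopen": "file not provably opened read-only",
    "path": PATH, "addpath": PATH, "rmpath": PATH,
}
CALL = re.compile(r"(?<![\w.])(" + "|".join(WATCHLIST) + r")\b")
# fopen(name) or fopen(name, 'r') with a literal mode only reads.
READ_ONLY = re.compile(r"fopen\s*\(\s*[^,()]*(,\s*'r[bt]?'\s*)?\)")

def strip_comment(line):
    """Cut a trailing % comment, keeping any % inside a string literal."""
    quote = None
    for i, ch in enumerate(line):
        if quote:
            quote = None if ch == quote else quote
        elif ch in "'\"":
            prev = line[i - 1] if i else " "
            # A ' right after an identifier, ), ], } or . is a transpose.
            if ch == '"' or not (prev.isalnum() or prev in "_)]}."):
                quote = ch
        elif ch == "%":
            return line[:i]
    return line

def scan(source):
    """Return (line number, function, reason) for every watchlist hit."""
    hits = []
    for no, raw in enumerate(source.splitlines(), 1):
        code = strip_comment(raw)
        for m in CALL.finditer(code):
            if m[1] == "fopen" and READ_ONLY.match(code, m.start()):
                continue  # provably read-only, as in fopen('coeffs.txt')
            hits.append((no, m[1], WATCHLIST[m[1]]))
    return hits

SAMPLE = """\
% constructed sample, not a real FEX file; never calls system()
fid = fopen('coeffs.txt');
log = fopen(fullfile(tempdir, 'x.log'), 'w');
cmd = ['sys' 'tem(''echo hi'')'];  % 100% harmless
eval(cmd);
addpath(genpath(pwd));
"""
```

On the sample, `scan(SAMPLE)` reports the write-mode `fopen`, the `eval` and the `addpath`, but not the `system` name split across two strings on line 4: a word search only finds what is spelled out, so every `eval` hit still needs its argument read by hand.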

Subject: Official rules for the FEX

From: Tommy

Date: 21 Mar, 2010 07:14:07

Message: 22 of 22

Doug Schwarz <see@sig.for.address.edu> wrote in message <see-CFD74C.16101920122009@news.frontiernet.net>...
> In article <hglhd7$e6g$1@fred.mathworks.com>,
> "Jan Simon" <matlab.THIS_YEAR@nMINUSsimon.de> wrote:
>
> > Dear Doug!
> >
> > > I hope you realize that TMW does not want
> > > to be held liable in case someone were to upload a malicious MEX
> > > function (with false source code, perhaps). I think the ban on MEX and
> > > p-code is completely justified.
> >
> > Thanks Doug! I do not dissent. Is this your opinion or do you cite TMW?
>
> Hi Jan,
>
> I don't think I have ever read any specific reason from TMW, but it's
> the most likely reason (in my opinion).
>
>
> > If TMW could be held reliable for uploaded MEX files, couldn't they be held
> > reliable for uploaded links to malicious MEX also?!
> > What about malicious M-functions or obfuscated C-source with unpredictable
> > results? The BSD license claims, that the downloaders run all functions on
> > their own risk. Isn't this a sufficient protection for TMW?
> I don't know as I am not a lawyer, but since almost the whole Internet
> is linked in some way I think it would be difficult to hold TMW liable
> for code that was found on another web site. I'm thinking that the link
> on mathworks.com would be to a page which contained download links to
> binaries, not direct links to binaries. That way it would be clear to
> users that they had left mathworks.com.
>
> Of course, it is possible to have a malicious m-file, but as long as you
> can examine that code you can figure out where to place the blame in
> case something undesirable happens.
>
> It might be that the BSD license protects TMW. In spite of that
> protection, I would guess that TMW simply wants to enable code sharing
> while minimizing (but not eliminating) the possibility of distributing
> malware. Again, this is just my interpretation of what I have read here.
>
>
> > I realize that publishing compiled MEX might interfere with some wants of
> > TMW. I have no doubt that TMW has good reasons. But I cannot find clear
> > statements -- except for "Compiled files must be accompanied by their
> > source.", which is the opposite of what they accept in reality.
>
> This whole file sharing concept goes way back to when TMW maintained an
> anonymous ftp site and the thought of malware was more remote and
> anything was acceptable. Gradually, we have been brought into the
> modern age and we are all less naïve about malware so it's not
> surprising that you can find mixed policy statements. The only people
> who must know the policy are the MathWorkers who decide whether a
> submission is accepted since they have final say on the matter. For the
> rest of us it's merely a courtesy to inform us of the policy so we don't
> waste our time. I tend to apply common sense -- no binaries and no
> competing products make sense to me.
>
> Mit freundlichen Grüßen,
>
> Doug
>
> --
> Doug Schwarz
> dmschwarz&ieee,org
> Make obvious changes to get real email address.
