Skip to main content

On Sale: GamesAssetsToolsTabletopComics
Indie game storeFree gamesFun gamesHorror games
Game developmentAssetsComics
SalesBundles
Jobs
TagsGame Engines

Considering how many people nowadays install software with `curl ... | bash` and consider that normal, I wouldn't trust those who say "your regular apps can already do anything" as if that's an excuse. It's not. It's often very problematic, just not an easy problem to solve in a general way without also making all your software toy-like. Android tried... yet somehow the Play Store is infamously full of malware, while F-Droid only avoids that because each and every app there is audited by a human being.

As a compromise, the stand-alone lilt interpreter could be given free reign if it doesn't have such already, since in principle you have to know what you're doing to use it at all. And Decker itself could have a flag to disable the sandbox, if it's not too much work.

(+1)

Lilt does have free reign, since this is the normal expectation for a command-line scripting language interpreter.

For Decker itself, everything potentially hazardous would definitely be packaged in an interface (sort of like rtext, sys, or app) so that decks can easily test for its presence or absence. Beyond this, there are several possibilities:

  • Add a checkbox to the Decker menu that can enable or disable access at any time. Applications can whine at the user to check the box, but are powerless to modify the setting themselves. This is pretty annoying for users.
  • Provide a function that must be called to enable access, which would prompt a user once (per deck-opened) to manually confirm. Still annoying, but less so than the above.
  • Offer users esoteric rituals to opt into hazards: for example, creating a "lock-file" with a specific name relative to the decker executable and/or providing Decker with a command-line flag at startup. This has extremely low discoverability and so would be used only by experts, but would pose minimal annoyance to said experts. The major downside is that this would naturally have granularity for an entire work session, rather than scoping access to a specific deck.
  • Instead, offer users similar esoteric rituals to opt-out, instead of opt-in.
  • Offer a compile-time flag for including the hazardous interface. Similar to the above, but higher barriers to entry. A number of fancy IO features would be a lot easier to offer if I only had to do so for POSIX operating systems, and this would be a convenient way to avoid dealing with any of this stuff on Windows.
  • Offer a compile-time flag for excluding the hazardous interface. A bare minimum affordance to the privacy/security conscious desktop user.

Yep, there's no good solution. It sucks no matter what.

I feel like none of these solutions are mutually exclusive, necessarily. Like, for the default provided builds, you could have a checkbox in the menu to enable the functionality AND have an esoteric way to default it on AND have the ability to make custom builds that enable it. So then the regular Decker user has the ability to turn on the functionality but only by doing so intentionally, and then if someone wants to use these features in a more neatly packaged up type project, it's on them to ship a custom build and then for the end user it's no different as a potential threat vector to downloading any other random software online. I think this kind of mix could make things workable