[Tizen Application-dev] Executing shell command

Pierce, Dean E dean.e.pierce at intel.com
Mon Apr 2 08:47:15 GMT 2012


The problem with the citizenship debate is the assumption that
"native" apps are inherently more powerful than "interpreted" apps,
when this should really be seen more as a separation of powers.  For
example, if it isn't running in a webruntime, it probably doesn't need
to be touching the internet.  If it is running in a webruntime, it
probably doesn't need to touch any of the filesystems.  The whole
point is that we now know more about what users really want from their
hardware, and are able to provide clean simple (safe) interfaces for
developers to deliver those experiences to the users.

There is a reason that we don't write kernel modules that let
developers pass in binary code for the kernel to execute in ring0.
It's not because kernel developers are power hungry and want to keep
all the fun away from those dirty userspace devs.  It's because
providing concise APIs allows developers to develop freely in a way
that is fair to the other applications on the running system.  It also
enables them to develop more complex systems at higher levels, since
they don't have to be preoccupied with whatever is going on at lower
levels.

I really think that html/js apps can do anything that native apps can
do for a user without needing to resort to breaking existing
restrictions.  Sure, they can't do it in the same way, but that's
because they are different systems, and there are new ways of doing
things now.  I also worry (I get paid to worry) because the html/js
ecosystem as it exists now is already fragile and unstable, and barely
holding off the barrage of new attacks emerging every day.  Everything
we add, while making it more convenient for developers, makes it
significantly more dangerous for users.  There is no "secure way" to
blow giant holes in the established security model.  Even if we double
check with the app developer, and double check with the user, it will
still almost certainly be introducing new unintended escalations.  If
we actually do need to adjust the model, then we can, but we should
really tread lightly in that territory, and make sure that these
changes are actually needed.

   - DEAN
