[Adium-devl] Out of process plugins (was: Distant objects)
Colin Barrett
timber at lava.net
Wed May 9 07:58:11 UTC 2007

On May 8, 2007, at 5:24 AM, Evan Schoenberg wrote:
> On May 8, 2007, at 2:34 AM, Colin Barrett wrote:
>
>> I'm not sure why that'd be a security issue. We shouldn't store
>> passwords in memory, ever. That's what keychain is for. Plenty of
>> other apps provide an API other processes can interact with. It may be
>> that we don't want to expose certain functionality via DO for Adium,
>> but I can't really think of a whole lot.
>>
>> If there is hostile code running on the system, the user is pretty
>> much hosed anyway. In most cases they were probably socially
>> engineered into installing it, and even if we require the user to
>> authenticate or allow things to connect to Adium, that same social
>> engineering trick works ("but I *want* to use Gator, why would I deny
>> them access to something it says it needs?").
> I agree wholeheartedly with this sentiment. I've been trying to
> figure out the right way to say exactly that.
>
>> I say do it, and force all plugins out of process. It'll be a win for
>> us in terms of forcing people not to use private APIs and keeping
>> plugins from crashing Adium. Although I can be convinced otherwise ;)
> Disagree there. DO is inherently more expensive than in-process. A
> rich public API should hopefully keep people from doing dumb things
> like NSClassFromString() to hack into private classes... and if they
> do, well, our handling of plugins should be versioned such that this
> isn't a major problem anyways: if I write a plugin depending on
> 1.0.2's internals, and say it's compatible with the 1.0.2 API only,
> then with 1.0.3 the user should be warned of the potential
> incompatibility and reminded how to manually remove the plugin if
> necessary.

I've been trying to figure out exactly what that niggling objection
was, and that's it. Thanks :)

I think in this case we want to be unobtrusive since we're messing
around internally, but perhaps we want to be aggressive and tackle
iChat head on. Joe, would checking in that patch to vend an instance
of Adium over DO allow you (or us) to write a less intrusive hack? If
not, what else would be needed?

-Colin