[etoys-dev] Re: Etoys new fonts

Bert Freudenberg bert at freudenbergs.de
Fri Jun 11 16:12:04 EDT 2010


On 11.06.2010, at 20:48, Yoshiki Ohshima wrote:

> At Fri, 11 Jun 2010 14:57:32 -0300,
> Ricardo Moran wrote:
>> 
>> Please correct me if I'm wrong. What I mean is: currently Etoys uses the default directory to store project files and so
>> it changes the default directory to point to a different place than the imagePath.

Not quite. It changes the default directory to the only guaranteed writeable directory. Everything else becomes inaccessible once the security sandbox is enabled (which happens when you run someone else's project). The only exception is the resource directory, which is still accessible, but read-only. In the Etoys case, we chose that resource directory to be the image directory. I was simply suggesting that for better clarity we use "resource directory" in the code, rather than "image directory".

>> But the default directory is used for
>> a lot of other stuff (saving the image with "save as...", looking for fonts, monticello's package cache, writing logs,
>> and so on).

Right, except for loading fonts. Those need to be looked up in the resource directory for the fonts we ship, and possibly also in the default directory for user-installed fonts (but I'd hope that in normal operation we do not need that font download anymore).

>> Maybe we could keep the default directory pointing to the image path (as the squeak trunk image) and simply
>> change the directory where we store the project files. This directory would be "etoysPath" (or any other name you
>> consider better). 
>> So, what I propose is, instead of making a "resourcePath" for locales, quickguides, fonts, etc. we create an "etoysPath"
>> only for storing projects and we change the default directory back
>> to the image path.

Not a good idea.

A lot of code assumes (rightly) that the default directory is writable. When the security sandbox is enabled, we only have a single writable directory. We definitely need to write projects. Hence, the project directory must be the default directory.

>  One thing is that Etoys needs more strict readonly vs. read-write
> permission distinction of files and directories than a typical trunk
> installation, as somebody can make a malicious project and upload it
> to a server and mess up the writable directory.  So, in general the
> fonts should be in the read-only directory.  (It has never been a
> problem so far, and searching two places like Subbu suggested would
> have the advantage of allowing downloadable fonts, but less secure.)
> 
>  I am pretty sure that you are not proposing to add a new directory
> that SecurityPlugin knows.  (A new directory accessing method that
> returns already-known directory name.)  But I am still not sure if
> what you propose simplifies the problem...
> 
>  (I am not really closely following the discussion so forgive me if
> I'm missing something.)


Yoshiki is right. You need to take the security sandboxing into account.

- Bert -
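The lookup order Bert describes for fonts (the read-only resource directory first, then the single writable default directory for user-installed fonts), written out as an added Squeak Smalltalk example that is not code from the thread or from Etoys itself. It assumes Squeak's FileDirectory API and uses the image directory as the resource directory, as the message says Etoys does; the 'fonts' subdirectory name is a constructed placeholder.

```smalltalk
fontFileNamed: aFileName
	"Answer the full path of a font file, or nil if it is neither shipped nor installed.
	 Added example, not part of the etoys-dev thread or the Etoys code base.
	 The resource directory stays readable under the security sandbox but is read-only;
	 FileDirectory default is the only directory guaranteed writable there."
	| resourceDir searchPath |
	resourceDir := FileDirectory on: Smalltalk imagePath.  "Etoys chose the image dir as resource dir"
	searchPath := {
		resourceDir directoryNamed: 'fonts'.           "fonts we ship: read-only, trusted"
		FileDirectory default directoryNamed: 'fonts' }. "user-installed fonts: the writable dir"
	"Search the read-only location first so a project writing into the default
	 directory cannot shadow a shipped font."
	^ (searchPath detect: [:dir | dir fileExists: aFileName] ifNone: [nil])
		ifNotNil: [:dir | dir fullNameFor: aFileName]
```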



