[squeak-dev] The Inbox: Compiler-ct.473.mcz

Tobias Pape Das.Linux at gmx.de
Fri May 6 07:20:15 UTC 2022



> On 6. May 2022, at 07:38, Lauren Pullen <drurowin at gmail.com> wrote:
> 
> Hi Christoph,
> 
> On 5/5/22 19:08, Thiede, Christoph wrote:
>> While we are talking about special characters in source code already, would Compiler-ct.462 be a good merge candidate as well? It detects and warns about Trojan Source attacks <https://trojansource.codes/>. :-)
> +1 for forcing interactive override
> 
> Even if Squeak doesn't interpret Bidi control codes for display today,
> we should still catch their potential abuse for tomorrow.
> 
> I'd not heard of the abuse potential with the Bidi control codes... ...
> I was surprised to learn how flexible they were, especially with nesting
> Isolates to flip entire chunks of text.  I thought they'd written text
> under erasure.
> 
> -1 for noise potential
> 
> If it comes up too frequently, users will become complacent*.  This
> would put the users who work with Bidi text the most at the most risk.
> 
> I think it would be better to add it as a postcondition to tokenization:
> 'a single token will revert text direction if it changes it'.  It should
> be okay to compile things like
> 
> doThing: אוסף
> 	"Operate on the אוסף"
> 	אוסף do: [:ea | ea thingToDo]
> 
> without complaint since each token sets LTR for every RTL, but starting
> RTL outside a comment then putting the ending LTR in a comment is fishy.

That's a very good stance!

But if we are not careful, that gets complex quickly.
Is אוסף2 ok? Should the 2 go after the token? (Note that these Hebrew characters do not even contain RTL/LTR markers.)

Best regards
	-Tobias
> 
> * A coworker one day said they installed a virus on their computer the
> night before because they ignored the SSL validation failure message
> because the websites they go to often fail it, and then proceeded to
> ignore the built in antivirus check because it always complains, and
> then ignored the Windows UAC message saying it wasn't produced by the
> intended vendor because companies frequently use names unknown to the
> normal consumer.  It's important to note this coworker was my direct
> supervisor, whose job involves paying attention to details to see how
> much of a merit raise to give me.  The irony was not lost on them.
> <trojanSourceLiterals.txt.png>
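A checker for the per-token postcondition Lauren proposes ("a single token will revert text direction if it changes it"), added here as an example in Python rather than Squeak and not code from the Compiler-ct package: it tokenizes Smalltalk source crudely (comments, string literals, whitespace-separated rest) and flags any token that opens a Bidi control without closing it, or closes one it never opened. Plain Hebrew letters such as אוסף2 carry no control characters and pass unflagged.

```python
import re

# Unicode Bidi controls abused by Trojan Source: embeddings/overrides are closed
# by PDF, isolates by PDI. Strong RTL letters themselves are not controls.
EMBEDDINGS = {"\u202a", "\u202b", "\u202d", "\u202e"}   # LRE, RLE, LRO, RLO
ISOLATES = {"\u2066", "\u2067", "\u2068"}                # LRI, RLI, FSI
PDF, PDI = "\u202c", "\u2069"

# Crude Smalltalk tokenizer (assumption for this example): "comments",
# 'strings' (with '' escapes), then any run of non-whitespace.
TOKEN_RE = re.compile(r'"[^"]*"|\'(?:\'\'|[^\'])*\'|\S+')


def bidi_balanced(token):
    """True if every Bidi control opened in the token is closed in the same
    token and no closer appears without a matching opener (strict matching)."""
    stack = []
    for ch in token:
        if ch in EMBEDDINGS or ch in ISOLATES:
            stack.append(ch)
        elif ch == PDF:
            # PDF must close the innermost open embedding/override.
            if not stack or stack[-1] not in EMBEDDINGS:
                return False
            stack.pop()
        elif ch == PDI:
            # PDI closes the innermost isolate and any embeddings opened inside it.
            while stack and stack[-1] in EMBEDDINGS:
                stack.pop()
            if not stack:
                return False
            stack.pop()
    return not stack


def suspicious_tokens(source):
    """Return the tokens that break the postcondition, in source order."""
    return [t for t in TOKEN_RE.findall(source) if not bidi_balanced(t)]


# Constructed samples: the method body from the thread, and a variant that
# opens an isolate in an identifier and closes it inside a comment.
SAFE = 'doThing: אוסף\n\t"Operate on the אוסף"\n\tאוסף do: [:ea | ea thingToDo]'
FISHY = 'doThing: \u2067אוסף\n\t"Operate \u2069 on the collection"'

if __name__ == "__main__":
    print(suspicious_tokens(SAFE))   # []
    print(suspicious_tokens(FISHY))  # the identifier and the comment
```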



