<div dir="ltr">I just wanted to clarify, to avoid any confusion, this patch is mostly about support for unicode atoms forms in the compiler. This is a required step if you ever want to support Unicode in the language but it does not imply such. There are three main milestones:<div><br></div><div>1. Support unicode atom forms (i.e. the form {atom, Line, Atom} can have a UTF-8 encoded atom)</div><div>2. Support unicode atoms between single quotes (for example, <span style="font-size:12.8px">'ノクス', as you can already write "</span><span style="font-size:12.8px">ノクス"</span><span style="font-size:12.8px">)</span></div><div>3. Support unicode in the language (for example, being able to write variables in Japanese)<br><div><br></div><div>This discussion was originally related to 1 but I could contribute 2 if desired. Many of the concerns raised above are related to step 3 which, afaik, is not planned.</div></div><div class="gmail_extra"><div><div class="gmail_signature"><div dir="ltr"><div><div><br></div><div><br></div><div><span style="font-size:13px"><div><span style="font-family:arial,sans-serif;font-size:13px;border-collapse:collapse"><b>José Valim</b></span></div><div><span style="font-family:arial,sans-serif;font-size:13px;border-collapse:collapse"><div><span style="font-family:verdana,sans-serif;font-size:x-small"><a href="http://www.plataformatec.com.br/" style="color:rgb(42,93,176)" target="_blank">www.plataformatec.com.br</a></span></div><div><span style="font-family:verdana,sans-serif;font-size:x-small">Skype: jv.ptec</span></div><div><span style="font-family:verdana,sans-serif;font-size:x-small">Founder and Director of R&D</span></div></span></div></span></div></div></div></div></div>
<br><div class="gmail_quote">On Wed, Feb 3, 2016 at 6:00 PM, Felix Gallo <span dir="ltr"><<a href="mailto:felixgallo@gmail.com" target="_blank">felixgallo@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Oh for sure there's all sorts of hilarity in C. Doubtless in erlang, too. But the existence of other attack vectors doesn't suggest that you should ignore a new one. <div><br></div><div>It'd probably be a good idea, if this were to be implemented, if there were some tooling or flags for the compiler to warn when unicode was used in a potentially dangerous setting, so that people taking pull requests on erlang code (or even just typing code wrong) could avoid some classes of possible exploits.</div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Feb 3, 2016 at 8:47 AM, Fred Hebert <span dir="ltr"><<a href="mailto:mononcqc@ferd.ca" target="_blank">mononcqc@ferd.ca</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span>On 02/03, Felix Gallo wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
There's also an interesting security issue around Unicode source code.<br>
<br>
Take for example the recent hack of Cryptsy, which involved a guy taking<br>
what looked like an innocent and safe pull request to fix an issue in one<br>
part of his software, but through the magic of the preprocessor, turned out<br>
to do something else entirely:<br>
<br>
<a href="http://earlz.net/view/2016/01/16/0717/analyzing-the-56-million-exploit-and-cryptsys-security" rel="noreferrer" target="_blank">http://earlz.net/view/2016/01/16/0717/analyzing-the-56-million-exploit-and-cryptsys-security</a><br>
</blockquote>
<br></span>
My counter-argument to that is that you don't need any of that cool UTF stuff to do that.<br>
<br>
See:<br>
<br>
- <a href="http://www.underhanded-c.org/" rel="noreferrer" target="_blank">http://www.underhanded-c.org/</a> underhanded C contest is all about writing regular looking C code doing nasty stuff<br>
- <a href="http://arstechnica.co.uk/security/2015/12/researchers-confirm-backdoor-password-in-juniper-firewall-code/" rel="noreferrer" target="_blank">http://arstechnica.co.uk/security/2015/12/researchers-confirm-backdoor-password-in-juniper-firewall-code/</a> juniper code was broken by someone adding in a password check that looked like a log line<br>
- <a href="http://arstechnica.com/security/2016/02/crypto-flaw-was-so-glaring-it-may-be-intentional-eavesdropping-backdoor/" rel="noreferrer" target="_blank">http://arstechnica.com/security/2016/02/crypto-flaw-was-so-glaring-it-may-be-intentional-eavesdropping-backdoor/</a><br>
using a non-prime in crypto communication, possibly being a backdoor.<br>
<br>
</blockquote></div><br></div>
</div></div><br>_______________________________________________<br>
erlang-questions mailing list<br>
<a href="mailto:erlang-questions@erlang.org">erlang-questions@erlang.org</a><br>
<a href="http://erlang.org/mailman/listinfo/erlang-questions" rel="noreferrer" target="_blank">http://erlang.org/mailman/listinfo/erlang-questions</a><br>
<br></blockquote></div><br></div></div>