[erlang-questions] Right direction ?

Edmond Begumisa ebegumisa@REDACTED
Tue Sep 27 18:31:02 CEST 2011

Hi there,

Late on this and the preceding thread, but I've been *very* interested in  
something like this for a while now and raised it once...


I personally would really like (c) below. Mainly because it would render  
packaging tools "less" useful and make deployment really easy.

I think one can draw inspiration from others like Mozilla XULRunner for  
both locating code and how they make use of web-style deployment...

* Support for hardcoded locations based on URIs...

* Support for centralising locations...
     where the actual location is picked up from "erlang.manifest" that  
maps "my_app" to some ebin dir similar to "chrome.manifest" in Mozilla.

* Support for custom file streams...
     where loader would expect "riak.manifest" to tell it how to fetch the  
file (possibly an {M,F,A} entry)

* Enforce security restrictions for unsigned code

On that last point: I wonder for example how possible it would be to  
restrict code loaded from remote locations to the "same-source" rule. Also  
(probably more tricky), how difficult it would be enforce a rule that code  
coming from remote unsigned sources cannot have access to the local  
filesystem or erlang ports.

Mozilla makes two broad categories for code loaded from URIs -- chrome://  
(call it erlang:// for our case) that has access to everything, and  
everything else (http://, file://, etc) that mustn't access the (full)  
local file system or external processes. This would be nice to have,  
because code signing can get tedious.

- Edmond -

On Tue, 27 Sep 2011 19:47:22 +1000, Joe Armstrong <erlang@REDACTED> wrote:

> On Wed, Sep 21, 2011 at 7:40 PM, David Goehrig <dave@REDACTED>  
> wrote:
>> Last night I began hacking on code.erl, code_server.erl, and looking to  
>> extend load_file(Module :: atom()) to include a load_file(Module, Url)  
>> function that would look for the module at the associated URL rather  
>> than searching for the file via abs path. It would then compare the  
>> sha256 hash of the file against the copy in cache and bail if they are  
>> different (no hash in cache adds it and uses as the baseline).
>> I was wondering if there was a good way to verify that a .beam has not  
>> been modified since last load.
>> For example:
>> -module(my_mod)
>> -require(daves_mod,"http://erlang.dloh.org/")
>> Could then look for http://erlang.dloh.org/daves_mod.erl and download  
>> and compile a local beam. Once I have that beam, I can just load from  
>> cache, but what happens if the beam is modified after compilation?
> I don't really understand. The only (legal) way to modify the beam
> is to change the source and recompile. I think you have to
> decide exactly what the semantics of require are. There are several
> possible meanings:
>    a) We check the require targets *before* compilation with
>         a separate program
>        ie image a program:
>         > check_dependencies *.erl
>        This parses all erlang files (*.erl) extract the require  
> information
>         then it check the cache to see if it has all the necessary files
>         Even this program could have two modes:
>             a1) always check with the origonal source for new versions
>             a2) check once every N days (or minutes or hours or  
> something)
>      b) we check at compile time
>      c) we check at usage time. The first time we call daves_module and  
> find
>          it has not been loaded we check the cache and so on
>    a) represents an early binding scenario, c) very-late binding
> If you are in a development scenario I'd favor a) because have code
> changing rapidly under my feet would worry me. (actually a) is the
> easiest to implement
> If I am in a deployment scenario I might choose c) I might even want to
> *push* changes rather than reply on polling or some other way of
> finding out that the code has changed.
> The point is that you have to have a clear idea of which of these
> particular problems you are solving.
> Doing a really good job on the a) scenario interest me - I'd just like
> to type "make" and be told - "foo123.erl on http:/..../ has changed from  
> the
> cached version, do you want to update?" ....
> Only a) fits nicely with unit testing/type checking etc. delayering
> to load time makes testing difficult. If things can change under your  
> feet
> without you knowing, life might become difficult.
>> The other thing I would like to add is DNS TXT records that could be  
>> published sha256 hashes of each source module.
>> http://erlang.dloh.org/daves_mod.erl 45663AFDA....
>> Adding a
>> -signature("http://erlang.dlog.org/daves_mod.erl","45663AFDA....")
>> Would allow a 3 part verification of the source:
>> 1.) I can compute the source has the right hash
>> 2.) I can look up that the module has the same published signature
>> 3.) I can verify against the original at the specified URL
>> In this scenario it is not enough to modify the source and rehash, nor  
>> enough to replace the upsteam file, but also replace the DNS entry  
>> without anyone noticing.
>> Thoughts?
> Good stuff - needs some thought though. I was thinking of  
> signing/validating
> the source with an RSA public/private keypair.
> I'd like to see this as part of the build process, if I did "make" I
> might like to see:
> $ make
> module foo123.erl is up to date. Written by joearms *validated*
> module bar23.erl has a newer version
> module bingo23.erl is up to date written by cleverperson *untrusted*
> ...
> etc.
> /Joe
>> Dave
>> -=-=- dave@REDACTED -=-=-
>> _______________________________________________
>> erlang-questions mailing list
>> erlang-questions@REDACTED
>> http://erlang.org/mailman/listinfo/erlang-questions
> _______________________________________________
> erlang-questions mailing list
> erlang-questions@REDACTED
> http://erlang.org/mailman/listinfo/erlang-questions

Using Opera's revolutionary e-mail client: http://www.opera.com/mail/

More information about the erlang-questions mailing list