[GoLUG] Mailing list, long term.
Barry Fishman
barry at ecubist.org
Mon Aug 18 13:19:01 EDT 2025
On 2025-08-17 23:21:28 -04, Steve Litt wrote:
> On Sun, 17 Aug 2025 17:12:00 -0700
> Ron <ron at bclug.ca> wrote:
>
>> Steve Litt wrote on 2025-08-17 10:55:
>> You're strenuously against inserting Javascript in your web pages but
>> also want people to run Python code downloaded from the internet with
>> full access to their ~ folder and its contents?
>
> What I'm against is complexificating what could easily be a nice static
> web page with Javascript and a database. If I were building a true web
> application, of course I'd use Javascript for the stuff that isn't
> static.
>
> Python's the language people are most likely to be able to read. Would
> you like the client in Go?
>
>>
>> I don't get that.
>>
>> At least JS is heavily sandboxed and can't access my file system.
>
> A lot of software we run on our desktops and laptops either is or has
> some Python.
My impression is that the JS repository has distributed a lot of
dangerous code, and is very badly supervised. Its code is pulled in by
the web browser at runtime, so it is very difficult to know what code is
being used. Although the browser may be heavily sandboxed, it still
seems to trigger a lot of internet CVEs. It seems to be a major vector
for security issues. Even though it's distributed as source code, and
you do get to look at the downloaded code, its variables can be
shortened for faster download and it is very difficult to read.
Python doesn't dynamically load its code from the internet, and most of
the crucial libraries seem to be packaged with the compiler. What you
do need to download, you select yourself, and you get to look at the
un-obscured source code. And from what I have seen, the code and APIs
are very well written.
Since this thread seems to be the usual response to the "I want to write
some code to fix this problem I have found", which is "let's all discourage
them from doing anything", I will add:
It might be nice that when you have worked out and tested the initial design
of the system, and you are ready for it to be used, you make
documentation for the internet RPCs it uses available. This would allow
others to write their own clients (or even servers) in whatever language
they like. (For example, an Emacs client to go with the ones for IRC,
Mastodon, Matrix, etc.)
But this would be when you are ready for resilience testing with
buggy/malicious clients. Unfortunately, once a server appears anywhere
on the internet, people will find it and try to hack it.
--
Barry Fishman
More information about the GoLUG mailing list