"RokuKevin" wrote:
We do not currently have any plans to restrict access to the pkg:/ contents within Run(). You should only try to Run() code that you trust (maybe via ssl mutual auth with roku-x-reserved-header).
Is there some special usage case I'm missing?
Vetted third party code. While reviewed, flagged and scrubbed, it's possible to miss possible access of original pkg:/ files (human error), and I'm trying to provide a high level of assurance. If the code in question is dynamically downloaded and run over a secure system, it itself becomes the weak. There's no way to definitively secure your access methods if he source defining those methods can be accessed and posted to a remote location.
I'll admit it's a fairly limited use case, and I've got a full system defined (policy, manual review, hard limits in current language capabilities) to prevent that access, but a definitive way not based on a current language
limitation would be better than relying on
just that limitation and code review (which would be used regardless of the Roku's ability to chroot code).
I believe my current methods DO provide a high level of assurance (you can get quite far through flagging certain language features as off limits or requiring quite a bit more thorough review), but the more blocks in place the better.
