
Re: security audit: msg#00174

jakarta.velocity.user

Subject: Re: security audit

Nathan Bubna wrote:
Will said:
...
So far, the Velocity committers seem to have ignored this issue. I've
patched my personal copy of Velocity, but I'm guessing most developers
aren't even aware of the problem.


hey now, let's be fair. i've been watching the dev-list for several
years myself. this issue has come up only once or twice that i can
remember.

each time, we are reminded that there *is* at least one
legitimate--though admittedly difficult--solution already (java's
SecurityManager). now we may not all agree that that is sufficient
(personally, i'm inclined to agree that a template language should be
shipped secure), but to get from there to accusing the developers of
apathy and/or ignorance is not entirely fair.

<LOL>

I notice that you hedge in the above. You say that accusations of apathy and/or ignorance are not *entirely* fair. You surely are hedging because you are quite aware that not all is quite right in the State of Denmark.

Well, finally, I cannot resist the temptation to make a few comments about this state of affairs. I think these are constructive comments, because what I perceive here is a complete misconception regarding the nature of the open-source model. Many will know that I am lead developer of perhaps the best-known open-source alternative to Velocity. I do know something about running an open-source project, and thus, I am not (pardon my use of the vernacular...) talking out of my ass.

In clearing up some misconceptions about the open-source model, I feel I could be doing some people a service. I get the feeling that many of the users on a list like this have only recently entered the open-source world and they may come to believe (falsely) that the state of affairs in this particular community is something normal.

It is not.


please remember that this is volunteer driven open source. this means
that it is "itch-driven." in other words, the developers scratch
their itches first, and then, *if they want,* they scratch other
people's itches. and, as one might expect, if you have an itch you
want scratched, you are a lot more likely to get someone to do it if
you have already told them where it is (bug post) and how to scratch
it (patch). if they still don't or won't scratch it for you, you are
always free to scratch them yourself. (and maybe help scratch other
itches until they make you one of them)

The above comments do not quite make sense, you know.

They might make sense if Velocity were the personal project of one or a few individuals. Then the owners of the project would have every right to be as capricious and arbitrary in their behavior as they wished. They could fail to address bugs or review patches. They could simply neglect the project and not let other people pick up the slack. It would simply be *their* project.

However, that is not the case. Velocity is not a personal project of Geir M., Jon S., or Jason Van Z or all of the above. It is part of the Apache Software Foundation, an entity that was founded with a certain charter and mission and has received extensive support from corporations like Sun and IBM. And it received that support on the basis of that charter and mission.

A key aspect of that mission is an open-source model of development which is run as a meritocracy. It is developer-driven. The people who do the work run the show.

You currently have a situation in which none of the people who are supposedly the core Velocity developers have committed any code to speak of for at least a year. (I only suspected the above statement, but I quickly verified it as true by looking in the velocity-dev archives, which receive all the CVS commit messages.) There is an exception, one Daniel Rall, who last committed some code in October of last year. That's "only" 7 months ago.

Now, in the above, Nathan, one infers a situation in which the "Velocity developers" are like the gods on Olympus, and everybody else who wants a new feature or a bug-fix is a mere mortal -- in a supplicant position vis-a-vis the Olympian deities. Or perhaps it is more reminiscent of the poignant scene from "Oliver Twist" in which the lad says: "Please sir, can I have some more?"

But, you see, open-source developers are *not* poor Oliver Twist asking for more. The open-source model is meant to *empower* developers, not put them in a supplicant position. This already suggests that something is seriously amiss here.

In any case, if some people are going to be the Olympian deities, as it were, they would have to maintain that position by ongoing contributions. Or they should pass the flame to others.


so, as i have said several times now, i don't think most people have
to worry about this issue. it has always been my perception that the
significant majority of velocity users are developing applications
where either they are the template designers or they can fully trust
the designers. certainly this seems to be the case with Velocity's
committers.

That could be true. Or it could be the case that, like many developers, they are a bit footloose about security issues -- until they get bitten. Like our friends in Redmond...


so far, people have talked about this security "itch" only
sporadically, and the developers clearly aren't suffering from it. no
one has ever even posted notice of it in Bugzilla! you, Will, are the
first to even mention having a patch AFAIK. before you go ragging on
the developers i suggest you post a bug, attach your patch, and
nicely remind the dev-list about it from time to time until the matter
is resolved. yes, i know the dev-list has been very quiet (apart from
velocity-tools stuff, of course), but there is little else to be done
at this point.

Frankly, the only reason that nothing else can be done is due to the dysfunctional state of affairs that has developed.

If your current committers, for whatever reasons, no longer wish to do the work involved in maintaining the project, they should pass the flame to people who want to do it.


again, there are solutions already, even if not all will work for you:

1. don't accept untrusted templates. (for those taking user-uploaded
templates, perhaps you could scan them for getClass(),
getClassLoader() etc. using regexp or the TemplateTool in velocity's
contrib area)

2. use java's SecurityManager to set up your restrictions

3. modify the source yourself

This is always an option. The problem is that if you fork your own version of the codebase, you lose a lot of the advantages that an open-source project with a large user community provides you. When your code is part of the main codebase, it means that very many fellow developers are using that code. Some will even eyeball it. Given that, it is much, much harder for bugs to survive undetected than in code that only you use and look at. More eyeballs.

Anyway, you can take these above comments of mine at their face value. They are certainly offered in perfectly good faith. FreeMarker and Velocity are ostensibly competitors in this space. However, I don't mind competing legitimately on technical merit. It's energizing. So, I would be quite happy if you guys got your act together.

Best Regards,

Jonathan Revusky
--
lead developer, FreeMarker project, http://freemarker.org/
FreeMarker 2.3pre1 is out!
FreeMarker-Velocity comparison page: http://freemarker.org/fmVsVel.html




Nathan Bubna
nathan@xxxxxxxx
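The first of Nathan's three workarounds above is to scan user-uploaded templates for getClass(), getClassLoader() and the like before they ever reach the engine. The block below is an added illustration of that pre-scan, written by the editor of this page in Python as a language-neutral text filter; it is not Velocity's TemplateTool, not FreeMarker code, and not part of either project. The three sample templates are constructed for the example. It also shows the check a practitioner would want alongside the suggestion: a regexp that only looks for the literal method calls misses the property-style spelling, because Velocity resolves `$obj.class` to `getClass()` the same way it resolves `$user.name` to `getName()`, so `$user.class.classLoader` reaches the class loader without the string "getClass(" ever appearing in the template.

```python
import re

# Members that reach java.lang.Class / ClassLoader from a template object,
# compared in lower case so that both the explicit call ($obj.getClass())
# and the property spelling Velocity accepts ($obj.class, $obj.Class) are
# flagged. Erring towards rejection is deliberate for a pre-upload filter.
DANGEROUS_MEMBERS = {"getclass", "getclassloader", "class", "classloader"}

# A Velocity reference: $ref, $!ref or ${ref}, followed by one or more
# .member or .method(args) segments. Nested parentheses in arguments are
# not parsed; an inner reference such as $a.foo($b.class) is still found
# because the member check runs over the whole matched text.
REFERENCE = re.compile(r"\$!?\{?[A-Za-z_]\w*(?:\.\w+(?:\([^()]*\))?)+\}?")

# Every .member segment of a matched reference, with or without "()".
MEMBER = re.compile(r"\.(\w+)")


def naive_scan(template):
    """The obvious regexp from the post: literal method calls only."""
    return re.findall(r"\.(getClass|getClassLoader)\s*\(", template)


def scan_template(template):
    """Return (line_no, reference, member) for each dangerous member
    reached through a Velocity reference anywhere in the template text.
    An empty list means nothing in the scanned set was found."""
    findings = []
    for line_no, line in enumerate(template.splitlines(), start=1):
        for ref in REFERENCE.finditer(line):
            for member in MEMBER.findall(ref.group(0)):
                if member.lower() in DANGEROUS_MEMBERS:
                    findings.append((line_no, ref.group(0), member))
    return findings


def is_acceptable(template):
    """Accept an uploaded template only if the scan is clean."""
    return not scan_template(template)


# Constructed sample templates (not from the original post).
BENIGN = (
    'Hello $user.name, you have $cart.size() item(s).\n'
    '<div class="price">$!item.price</div>'          # HTML class= is not a reference
)
DIRECT = "$user.getClass().getClassLoader()"          # what the naive regexp catches
PROPERTY = "#set($cl = $user.class.classLoader)\n$cl"  # same thing, property spelling

if __name__ == "__main__":
    for name, tpl in (("benign", BENIGN), ("direct", DIRECT), ("property", PROPERTY)):
        print(name, "naive:", naive_scan(tpl), "full:", scan_template(tpl),
              "accept:", is_acceptable(tpl))
```

Run stand-alone, the benign template passes both scans, the explicit call is caught by both, and the property-style template passes the naive scan while the full scan rejects it. The scanner only covers the two hooks named in the post; it is a filter on untrusted uploads, not a substitute for Nathan's second option of constraining the JVM with a SecurityManager.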

