1 (edited by skada 2007-11-21 11:09:29)

Topic: Source upload field

To encourage people to upload the source to their Flash files. It's kind of interesting that everything else is open source but the widgets and the control panel (the two most visible things...). I'd love to be able to enhance some existing widgets.

Also, what's to stop somebody from doing something malicious (i.e. sending your password to their server for widgets that require one)? Although, I guess there would also not be anything stopping anybody from submitting a different source for the "source upload".

2 (edited by rolan 2007-11-26 09:47:58)

Re: Source upload field

Or even MORE malicious.. Something akin to the "Black Sunday" DirecTV H-card attack, where the rogue software loops endlessly rewriting to the firmware until the flash RAM fails. That would be really nasty.

Re: Source upload field

Yes, this is one of our concerns - creating a public site where folks can simply upload an arbitrary file without verification can lead to Big Problems, for instance, folks posting warez, porn, etc.  If we allow this, we'd have to add a step to our QA process to assure that the source actually builds the corresponding widget.

One solution might be that third parties can't actually upload SWF files, but rather FLAs - however, that would mean that *we* would have to build them all, and that would constipate an already burdensome process, notwithstanding the various font and other tricky issues. Also, many third parties consider their FLAs as proprietary, or the source may not even be available for some components.

The other problem is that the FLA and associated files for a movie are typically at least an order of magnitude larger than the resulting SWF file - we are not currently set up to accept single uploads in the tens of megabytes in size.

Re: Source upload field

rolan wrote:

Or even MORE malicious.. Something akin to the "Black Sunday" DirecTV H-card attack, where the rogue software loops endlessly rewriting to the firmware until the flash RAM fails. That would be really nasty.

Fortunately, the Flash security sandbox makes this extremely difficult to do, if not impossible.

5 (edited by skada 2007-11-26 10:24:58)

Re: Source upload field

Actually, why not just have a source code field that Chumby Industries then examines and compiles into the finished widget themselves. Any widget that has gone through this process could then be "Chumby Certified" or something like that.

EDIT: I started posting this as Duane was posting.

I understand your points, but all it takes is one exploit made public, and people will be demanding this. I think you should also somehow denote that a widget comes from Chumby Industries, too. Maybe posting a big warning on the "widget labs" would be good enough for now - if you want to be bleeding edge, go for it, but it's at your own risk. Widgets that make it to a real category would be "Chumby Certified".