Hi Peter,

On Wed, May 4, 2011 at 6:56 PM, Pete Meyer <pameyer@mcw.edu> wrote:

 - Sandboxing would be ideal, but I don't know if there's infrastructure in Python to support it. It might be easier to filter fetched scripts to only allow a restricted subset of Python functions (the ast library looks like it might make this a bit easier). If a script can't access the network or hard disk, then it doesn't need to be trusted as much.

There are a couple of issues with this:

 - The last time I checked (which, admittedly, was a couple of years ago), many people had tried and failed to set up such an environment within Python. It turned out that there were very clever ways to get around any sort of reasonable restrictions that people tried to impose (i.e. a guaranteed-to-be-safe script couldn't actually do anything useful). I know there has been a lot of desire for this, so maybe the problem has been solved.

 - There are some plugins that need access to the hard disk. I'm not sure about scripts. If there exists a reasonable sandboxing (or AST-based) solution, we'll have to run those scripts in "untrusted" mode, which is probably fine.
 

 - The wiki doesn't appear to support SSL.  So that means trusting the network to get to the wiki correctly, in addition to the wiki itself.  I don't have any good ideas for how to work around this one.

My guess is that there's just never been a real need for SSL. Jason would be the real authority here, but I'd guess that SSL would be possible if there's a strong push for it.

-Michael
 

Pete


Michael Lerner wrote:
Hi all,

I'm considering building in a mechanism for automatically fetching scripts from the PyMOL Wiki. The goal is to allow users to say

fetch findSurfaceResidues, type=script
findSurfaceResidues doShow=True, cutoff=0.5

The convenience benefits are obvious, especially for new users, and I think that lowering the barrier to script usage will greatly increase both the number of people who use various scripts and the incentive to place scripts on the wiki (especially if the fetch mechanism makes it easy for script authors to provide a citation/DOI/etc.).

I've put up a tentative page about this on the wiki (http://pymolwiki.org/index.php/Fetching_scripts), and I'd love comments either via the list, private email or on the wiki, especially about

 - whether you think it's a good idea
 - security and validation
 - options you'd like
 - implementation issues

The plan is to write this as a userland script first. If issues relating to security and validation can be resolved, we'll see if the official builds want to include it.

Cheers,

-Michael

--
Michael Lerner, Ph.D.
IRTA Postdoctoral Fellow
Laboratory of Computational Biology NIH/NHLBI
5635 Fishers Lane, Room T909, MSC 9314
Rockville, MD 20852 (UPS/FedEx/Reality)
Bethesda MD 20892-9314 (USPS)
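
The AST-based filter suggested in the thread, sketched as an added example (not part of the original messages and not PyMOL code): it flags a fetched script that imports outside an allowlist or names builtins that reach the disk or run dynamic code. The allowlist, the denied names and both sample scripts are assumptions constructed for illustration; as the reply notes, restrictions of this kind have been circumvented before, so this is a pre-screen and not a sandbox.

```python
import ast

# Assumed policy for illustration: modules a fetched script may import.
ALLOWED_IMPORTS = {"math", "pymol", "pymol.cmd"}
# Builtins that reach the disk, the interpreter state or dynamic code.
DENIED_NAMES = {"open", "eval", "exec", "compile", "input", "getattr",
                "setattr", "delattr", "globals", "locals", "vars"}

# Constructed sample scripts (only parsed here, never executed).
SAMPLE_OK = '''
from pymol import cmd
import math

def surface_demo(cutoff=2.5):
    return math.sqrt(float(cutoff))

cmd.extend("surface_demo", surface_demo)
'''

SAMPLE_FLAGGED = '''
import urllib.request
from pymol import cmd

def helper(path):
    return open(path).read()
'''

def audit_script(source):
    """Return sorted (line, reason) findings; empty means nothing denied was seen."""
    try:
        tree = ast.parse(source)
    except SyntaxError as exc:
        return [(exc.lineno or 0, "does not parse: " + exc.msg)]
    findings = []
    for node in ast.walk(tree):
        line = getattr(node, "lineno", 0)
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name not in ALLOWED_IMPORTS:
                    findings.append((line, "import of " + alias.name))
        elif isinstance(node, ast.ImportFrom):
            # Relative imports and modules outside the allowlist are rejected.
            if node.level or node.module not in ALLOWED_IMPORTS:
                findings.append((line, "import from " + str(node.module)))
        elif isinstance(node, ast.Name):
            if node.id in DENIED_NAMES or node.id.startswith("__"):
                findings.append((line, "use of " + node.id))
        elif isinstance(node, ast.Attribute) and node.attr.startswith("_"):
            # Underscore attributes lead to interpreter internals.
            findings.append((line, "attribute " + node.attr))
    return sorted(findings)
```

A script with findings would be refused or run only after the user reviews it; a script with none has still only passed a syntactic check.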




