[TxMt] Re: GitHub bundles and security?

Hans-Jörg Bibiko bibiko at eva.mpg.de
Tue Dec 23 13:33:37 UTC 2008


On 23.12.2008, at 13:53, Geoffrey Hutchison wrote:
> I'm just worried about the security implications. Does TextMate
> sandbox bundles? I mean, technically speaking, GetBundles lets you
> download unknown bundles which can execute arbitrary code on my  
> machine.

This is a good point. As far as I know TextMate doesn't sandbox any  
downloaded bundle. I guess it would be very complicated to do so.

The only way to verify bundles I see is that the entire TextMate  
community is aware of it, meaning if there's a security issue of a  
given bundle each user who encountered it will post a message to that  
list or leave a message in the IRC channel immediately.

Then the user should be logged in as a 'normal' user (i.e. no admin rights)
to minimize the danger of executing hazardous code.

I do not know if TM2 will be able to handle this security issue, but
this is an overall problem of downloading any app from the net.

I've been using TextMate for years and did not encounter any security problem
(only one evil (tongue-in-cheek) "joke" in that mailing list).

--Hans


