Allegro.cc - Online Community

Allegro Security
Peter Hull
Member #1,136
March 2001

Has everyone seen this PR:
https://github.com/liballeg/allegro5/pull/1221
Looks like a perfectly reasonable and sensible statement to make, but I was wondering if there was any basis to the assertion that "The Allegro library is being used in academic environments and production environments for games (commercial and free) and other tools. A policy to assure some degree of security and quality must be put in place." (my emphasis)
Is this a general trend across the industry?

Arthur Kalliokoski
Second in Command
February 2005

The guy says he's been a security engineer for 17 years.

Someone who's a dentist will get exasperated if you don't floss religiously twice a day, a mechanic will have the vapors if you don't change your coolant every two years, etc. Not that those aren't excellent ideas, but it's not like the entire world will end if you don't do those things.

Everything looks like a nail when you have a hammer.

They all watch too much MSNBC... they get ideas.

Peter Hull
Member #1,136
March 2001

There is a linked issue which has appeared since, where he says he has identified some critical security-related problems. It'll be interesting to see what these are.
I am ashamed to say my first thought was that it was something like the Hacktoberfest fiasco. :-[

Matthew Leverton
Supreme Loser
January 1999

It's good to have a security policy, but it should be realistic, not idealistic. That is, if there isn't anybody willing to fix and resolve issues promptly, then the policy should directly state that it may be weeks before we can respond.

That is, while we are not under any moral obligation to provide emergency response to code we've given away for free, we also should be clear in the amount of support we can provide in such instances. Then people can make informed decisions on if they want to use Allegro or not.

That said, most security issues in Allegro are irrelevant if you are using it for its intended purposes of user-mode local games. But sure, if you are using it as root or in a shared environment where you are letting users control input, then there are probably a lot of ways for them to crash your system.

Arthur Kalliokoski
Second in Command
February 2005

This sort of reminds me how Windows disallowed direct screen access (along with many other things) to prevent denial of service attacks by just creating a blank screen that didn't allow input/output etc., but then they came out with DirectX to do exactly that. WinG was the prototype.

They all watch too much MSNBC... they get ideas.

RmBeer2
Member #16,660
April 2017

Now I want to know what the security flaws in Allegro are. I'm intrigued.

🌈🌈🌈 🌟 BlackRook WebSite (Only valid from my installer) 🌟 C/C++ 🌟 GNU/Linux 🌟 IceCream/Cornet 🌟 🌈🌈🌈

Rm Beer for Emperor 2021! Rm Beer for Ruinous Slave Drained 2022! Rm Beer for Traveler From The Future Warning Not To Enter In 2023! Rm Beer are building a travel machine for Go Back from 2023! Rm Beer in an apocalyptic world burning hordes of Zombies in 2024!
