Another thing to note was that some use cases seem to demand an eval or read override, like the one above for security purposes
And that there is still the problem of code dependencies to solve when injecting the blob.
For instance yesterday I tried to hook up compliment in unravel and I had to do it server side because I would have to concat and send too many blobs + deps to the repl otherwise
Some were more concerned about IDE integration than streaming repls (there was a question on a better clj-refactor as well)
I assume “security” is related to having a REPL into a production system? or during development also?
No, security was for prod. One idea was to blacklist or whitelist forms, another was to have a read-only repl where you can only read but not modify vars
Both cases seem difficult to do right. Whitelist too little and you get a poor copy of JMX. Too much and you have exploits. Read-only is difficult to harden too.
The real thing that is needed for PCI compliance is:
* Logging inputs (viable with changing the socket repl server)
* Authentication via arbitrary process: approval via other people for PCI specifically
The other stuff was really an expansion. I think it doesn't need to be perfect, it's just to reduce accidental leaks I think.
We really want nice tooling, live dynamic environment & such despite the compliance regime we're under. So that's where this line of thought is coming from. Even better is the "bring your own tooling" situation.
@cgrand PCI is a large compliance regime which is hard to fully explain in this thread, but it mostly boils down to knowing who your users are, ensuring that a single bad actor can't steal information or inject vulnerabilities/backdoors into your systems.
It is easier to satisfy some of the security requirements if users don't have the ability to mutate the system (other than by the allowed routes through a change management process)
Emergency diagnostic access to systems via a REPL environment is a major advantage to Clojure systems, in my view. The knee-jerk reaction of most security regimes is to ban REPLs but I think this is a poor compromise - therefore I'm particularly interested in various strategies to secure REPLs - logging, authentication, monitoring, encryption, etc.
And when I say confusing, I mean from a UX perspective, not in simple/complex terminology.
A 3rd connection (ideally) where control is inverted: the repl asks the client for resources.
Yes I remember that, one very nice property of the current implementation is that there are no dependencies. For dependencies, a repl could ask for a data structure defining coordinates, but then it would need to resolve them. Or it can ask for already resolved jar paths (and actually Cognitect is coming up with a little command line tool too for doing dep resolution and classpath dump)
@cgrand I do yep, I had the sudden "Oh, derp, that makes total sense" last night whilst thinking about it 🙂
@richiardiandrea my solution would do dep resolution on the client and would not assume a shared file system.
One thing that @dominicm came up with would be to enable unrepl to start connections to other "helper" servers (or repls?). One process, Chrome for instance, then could be dedicated to render data structures nicely, accepting unrepl messages and partially understanding the protocol in order to do stuff
It is funny because as soon as I said that Paul Grander started talking about
If unrepl supported the concept of peers so that you can offload tasks on the socket we would not need to pass too many things in the blob
But you open a connection to your peer and it does the job (render a map, refactor a file maybe)
Extensions to unrepl could provide different "render-X" forms which would be evaluated with the form to send data via ws to chrome, or via the connection to emacs as svg, etc