Re (1), when you say "don't allow programs that can execute arbitrary, unsigned/... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		theamk on Dec 18, 2019 \| parent \| context \| favorite \| on: Binary Authorization for Borg Re (1), when you say "don't allow programs that can execute arbitrary, unsigned/unverified code" -- does this mean we are blocking all scripting languages? For (2) and (3), I agree that capabilities and containers are very important, but they are not really related to code-signing -- either python is signed or not. So I don't see how code signing + python can co-exist? Once you allowed your python (ruby, perl) binary, the "binary whitelist" is pretty useless. Seem like other technologies -- like containers, sandboxes, SELinux-like labeling etc -- is the only way to go.

my123 on Dec 18, 2019 [–]

PowerShell is set to a restricted language mode for example after enabling enforced UMCI, and even .VBS files can be signed.

(the signature appears as a comment block in the file in that case, and is then checked by the system for Windows built-in scripting languages)

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact