-
Notifications
You must be signed in to change notification settings - Fork 10
a2 security concerns
As cool and free and open source as a2 and Autohotkey is: It "can" theoretically do some harmful stuff! Like capturing keystrokes, stealing private data, deleting/locking files ... Please be careful! We do not guarantee the integrity of your data and hardware when using any part of a2!
- download and install only from trusted sources!
- at best: read and review the package contents and script code before activating.
- be wary when packages contain executables.
Note: when downloaded through a2 Add Source a new packages modules are never activated right away. So you can take your time making sure this is legit.
After all this project is first and foremost about convenience, fun, automation and learning. It is aimed at experienced users and is in active development so there are very likely bugs and design mistakes. Security can probably be improved: For constructive suggestions we will be super grateful and implement them asap.
Now that we got some 3rd party testing rolling: There is actually a security section! See:
Yea, there are some things popping up! But the nature of this project is rooted in all of these:
- use of
subprocess
- With an app dealing with different processes, starting/removing some its inevitable to use subprocess. This always happens with the same (by default low) privileges. - use of
request.urlopen
- Well, you can update things over the internet. It would be pretty shitty if you couldn't. You are warned though.
another good read: hackernoon.com/10-common-security-gotchas-in-python...