From: Yukihiro Matsumoto
Date: 2012-04-03T02:54:26+09:00
Subject: [ruby-core:44077] Re: [ruby-trunk - Feature #5455] $SAFE should be removed

Hi,

In message "Re: [ruby-core:44075] [ruby-trunk - Feature #5455] $SAFE should be removed"
    on Tue, 3 Apr 2012 02:07:15 +0900, "headius (Charles Nutter)" writes:

|A deprecation warning would be good in any case.
|
|Is it the position of ruby-core/MRI/Matz that $SAFE should be used for security purposes? There are a number of Rubyists (not to mention content in some Ruby books) that claim this.

I have never claimed $SAFE is safe enough for strong security in any way. It's for advisory, as other languages do.

|However, the equivalent feature from other languages (Perl, primarily) is *not* intended to be used to provide a secure environment. The warnings from safe mode in those languages are intended to be advisory, used before deployment, and it is discouraged to use safe mode in production. Enforcing $SAFE as a security mechanism also requires all code everywhere to properly handle tainting and untrust...including C extensions. $SAFE/taint/untrust is just a bad way to do security.
|
|I suggest that $SAFE should *at least* be deprecated in 2.0. I'm guessing that the window has closed on coming up with a "better" security replacement, but people should know that $SAFE does not provide the security guarantees they think it does.

I consider this advisory useful. Why do you want to remove?

matz.