MOUL uses a custom interpreter, so the situation is somewhat easier than trying to harden the stock Python interpreter.
What? Cyan wrote their own Python interpreter?? Surely this isn't true... it would take a huge effort to write a working Python implementation (I know because a friend of mine has done it).
No, they customised CPython. It's the same language, but with only a minimal set of built-in classes and functions. Also, individual scripts are executed in separate sub-interpreters. This makes it easier than trying to harden the stock Python distribution (i.e. it might actually be feasible, whereas hardening stock Python has been tried repeatedly, and has failed repeatedly).
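The post above says hardening stock Python has been tried repeatedly and failed repeatedly. As an added example, not code from the thread's authors or from Cyan's client, the constructed runner and script below show the mechanism in stock CPython: handing a script an empty builtins table removes `open`, `__import__` and friends, but attribute access is syntax, every object carries `__class__`, and from `object` the script can enumerate every class loaded in the process and borrow a real module's `__builtins__`. The function names, the "age script" text and the choice of `os` as the recovered module are all assumptions for illustration.

```python
# Added example (hypothetical runner and script, not MOUL/Cyan code): why
# "restricted builtins" in stock CPython is not a sandbox.


def run_restricted(script_source: str):
    """Naive hardening attempt: hand the script an empty builtins table.

    With no builtins the script has no open(), no __import__, no getattr(),
    which looks like a sandbox until you remember that attribute access is
    syntax, not a builtin, and every object carries __class__.
    """
    namespace = {"__builtins__": {}}
    exec(script_source, namespace)
    return namespace.get("result")


# Constructed "age script" that recovers the real builtins from inside the
# restricted namespace. Every step uses only syntax and attributes, because
# even names like dict, hasattr and AttributeError are gone.
ESCAPE_SCRIPT = """
real_builtins = None
# () -> tuple -> object -> every class currently loaded in the process.
for cls in ().__class__.__base__.__subclasses__():
    init = cls.__dict__.get("__init__")
    try:
        module_globals = init.__globals__   # only a Python-defined __init__ has this
    except:                                 # bare except: AttributeError is a builtin name
        continue
    b = module_globals.get("__builtins__")
    if b is None:
        continue
    # In a non-__main__ module this is the builtins dict; in __main__ it is the module.
    real_builtins = b if b.__class__ is {}.__class__ else b.__dict__
    break

imp = real_builtins["__import__"]
result = imp("os").__name__      # from here, os.system(...) is one call away
"""


def builtins_really_gone() -> bool:
    """Sanity check: the restriction does remove the obvious names."""
    try:
        run_restricted("result = open('/etc/passwd')")
    except NameError:
        return True
    return False


def demonstrate_escape() -> str:
    """Returns the name of the module the restricted script managed to import."""
    return run_restricted(ESCAPE_SCRIPT)


if __name__ == "__main__":
    print("open() removed:", builtins_really_gone())   # True
    print("script imported:", demonstrate_escape())     # os
```

The walk succeeds because a stock CPython process always has pure-Python classes loaded whose `__init__` leads back to a full module namespace. What the post describes is different in kind, not in degree: a cut-down interpreter with a minimal set of built-in classes, running each script in its own sub-interpreter, is an attempt to shrink the object graph reachable from `object` so that this kind of walk finds nothing useful, rather than an attempt to police which names a script may spell.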
The only way to guard against malicious Python scripts is to hand-inspect them before letting them go out to clients.
Which would largely defeat the point of open-source.
No it wouldn't... you would still be able to see the source code, modify it for your own purposes, and if you have a useful patch, send it upstream so it can be used by servers and clients. This would apply to the game code as well as custom ages. It would then be up to the server to choose whether to support your particular custom Age, just as it's up to them whether to support your particular custom code.
Then the server admins have to make a decision whether to accept your code, and the user has to make a decision as to whether or not to trust a particular server. Server administrators aren't necessarily programmers (and not all programmers can perform a security audit), and users aren't really in a position to make an informed decision about the safety of a server.
The client and server need to be able to safely handle whatever code gets thrown at them.
In Ubuntu, it isn't the case that just anybody can get code in the official repositories (becoming part of the operating system). There is a strict vetting process. That doesn't mean that Ubuntu "largely defeats the point of open source."
The situation is different for "mobile" code which is downloaded and executed without user intervention, and needs to handle untrusted data. If age scripts have to be manually vetted, that's going to maintain a "walled garden" environment, which will be a significant limitation.