couchdb-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jan Lehnardt <>
Subject Re: Elixir Sandbox
Date Wed, 16 Oct 2013 21:13:19 GMT

On Oct 16, 2013, at 23:03 , Alexander Shorin <> wrote:

> On Thu, Oct 17, 2013 at 12:54 AM, Filippo Fadda
> <> wrote:
>> Sandboxing is something optional I think, you need only when you are developing a
CouchApp, when you do all in JavaScript, using the _users database and running the app inside
CouchDB. But if you are just using CouchDB like a database, developing a web app using PHP
or Python, for example, you'll never give access to CouchDB from outside, through Futon for
example, so no one will be able to store a new design doc in your database to run malicious
code. I'm using PHP with the ElephantOnCouch Query Server, writing ddoc in PHP, and I really
don't see why I should using runkit to sandboxing the Query Server.
> Because you are running your code and you trust yourself (I hope so).
> Another user may not trust you or your code, so he have to inspect
> every bit of your code to make sure that it wouldn't make a big
> security hole in his server. Having sandboxing feature guarantees him
> that he may run third party code with no worries about.

Heh right, I think Filipo is aware of the dichotomy. I think all we want to say is that Elexir
support for CouchDB is very welcome with and without a sandbox (or both :)


View raw message