incubator-flex-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Alex Harui <aha...@adobe.com>
Subject Re: [VOTE] Release Apache Flex 4.8.0 - RC3 - build number 1359417 (and Flex has been trademark signed off by Adobe for donation to Apache)
Date Fri, 13 Jul 2012 20:59:20 GMT



On 7/13/12 1:25 PM, "Bertrand Delacretaz" <bdelacretaz@apache.org> wrote:

> On Fri, Jul 13, 2012 at 9:40 PM, Alex Harui <aharui@adobe.com> wrote:
>> On 7/13/12 12:07 PM, "Dave Fisher" <dave2wave@comcast.net> wrote:
>> ....It is optional, only those wishing to create components for Flex via
>> Flash
>> Pro need to use it.
>> 
>>> Is there a reasonable way to for a user to validate this FLA?
>> Maybe I don't understand what it means to validate.  If you open the FLA in
>> Flash Pro you can see what is in it....
> 
> What I meant is: how can a user be assured that that FLA, as binary
> file, won't harm their system or contain a trojan or something like
> that. Any developer who knows the language can check such things on
> source code, whereas it's much harder for binaries - so how about that
> particular file?
> 
> (again, I'm clueless about the FLA format - if someone can tell me
> that such files cannot possibly contain bad stuff I'm fine with that).
> 
> -Bertrand
I don't think a FLA can harm your system.  If you open it in Flash Pro, it
will just sit there.  I don't know of any way to have it execute a startup
script (which I don't think is necessarily true for an MS Word file).

I assume we aren't worried about an attack on folks who double-click to open
a file?

Now if you generate the SWF from the FLA file and run it, it could do some
damage, but I assume we expect someone to introspect the project before just
running it?

-- 
Alex Harui
Flex SDK Team
Adobe Systems, Inc.
http://blogs.adobe.com/aharui


Mime
View raw message