
[Denemo-devel] Denemo music-vault / scheme security risks


From: Nils Gey
Subject: [Denemo-devel] Denemo music-vault / scheme security risks
Date: Sat, 2 May 2009 23:34:34 +0200

I'm currently working on a way to build a .denemo vault on denemo.org where 
users can share their music.

Of course this will only be successful if users can upload and maintain their 
files themselves and the files do not have to be reviewed by the denemo-team first.

There are two issues: 
1) Copyright.
This is a typical one. Like many services and places of the web where things 
can be shared there is a possibility that copyrighted material will be made 
available. 

There is no working solution for this except: remove when discovered. I suggest 
we do exactly that on denemo.org: Allow any .denemo notation to be 
uploaded and when we discover illegal material or if anyone complains we just 
delete it and probably ban the user-account. (Of course banning has no real 
effect because it's free and unrestricted to make a new account)

I expect not many cases to happen... notation is not mp3.

2) Security
Richard told me that the scheme-code inside denemo-files can harm your system.

But we have to think about ways to warn and to protect the users. 
There are two steps: Website and inside denemo.

Now what can denemo files do and what ways are there to restrict denemo's scheme 
access on the user's system?

If it is enough to restrict inside denemo then we don't have to install 
anything on our website to check the files.

Of course warning and simple checks are easier. First only .denemo files which 
are mime-type application/x-gzip can be uploaded to our site (this already 
works). And we can add a disclaimer "Be careful with downloaded .denemo-files" 
but people tend to just ignore such warnings and just load the files anyway.

Nils
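
An added example, not part of the original message or of Denemo's code: a website-side check that validates an upload by its bytes (gzip magic, bounded decompression) and flags files that carry script so the download page can warn per file. The size caps and the `<script` marker are assumptions; the message does not say how Scheme is stored inside a .denemo file.

```python
import gzip
import zlib

GZIP_MAGIC = b"\x1f\x8b"
MAX_UPLOAD = 1 * 1024 * 1024        # assumed cap on the uploaded (compressed) size
MAX_EXPANDED = 4 * 1024 * 1024      # assumed cap on the decompressed size
# Hypothetical marker: the post does not say how Scheme is stored in a .denemo file.
SCRIPT_MARKER = b"<script"


def _result(accepted, reason, has_script=False):
    return {"accepted": accepted, "reason": reason, "has_script": has_script}


def inspect_upload(data: bytes) -> dict:
    """Check an upload by its bytes, not by the MIME type the client declared."""
    if len(data) > MAX_UPLOAD:
        return _result(False, "upload too large")
    if data[:2] != GZIP_MAGIC:
        return _result(False, "not a gzip stream")
    inflater = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # gzip framing
    try:
        # Ask for one byte past the cap so an oversized payload is detectable
        # without ever holding more than MAX_EXPANDED + 1 bytes in memory.
        body = inflater.decompress(data, MAX_EXPANDED + 1)
    except zlib.error:
        return _result(False, "corrupt gzip stream")
    if len(body) > MAX_EXPANDED:
        return _result(False, "expands past size cap")
    if not inflater.eof:
        return _result(False, "truncated gzip stream")
    # Accept, but record whether the file carries script so the download
    # page can flag it instead of relying on a site-wide disclaimer.
    return _result(True, "ok", SCRIPT_MARKER in body.lower())


if __name__ == "__main__":
    # Constructed samples, not real .denemo content.
    samples = {
        "plain": gzip.compress(b"<score><note/></score>"),
        "scripted": gzip.compress(b"<score><script>(display 1)</script></score>"),
        "renamed": b"MZ\x90\x00 pretending to be music.denemo",
    }
    for name, blob in samples.items():
        print(name, inspect_upload(blob))
```

A flag from this check only supports a warning on the site; it does not restrict what a script can do once the file is opened in Denemo.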



