Post-KickStarter LiveCode - security issue fix?

Lyn Teyla lyn.teyla at gmail.com
Wed Feb 27 13:08:19 EST 2013


Hi all,

It has been 3 years since my post to this list urging RunRev to fix the serious security issue where the scripts of password-protected stacks and standalone apps can be fully viewed via memory dumps.

This is because password-protected scripts remain unencrypted in memory after compilation. That's right, no password is needed, the code is right there in memory.

The issue was also lodged via the LiveCode Quality Control Center (LQCC) as report #8672:

http://quality.runrev.com/show_bug.cgi?id=8672

In September 2010, Mark Waddingham finally responded to the LQCC report, saying that the issue would be eliminated in 5.0 with the move to Unicode.

He then marked the LQCC report as private.

Alas, even after the move to Unicode, the issue remains unresolved.

In September 2011, I requested a RunRev response via the LQCC report, and received none.

In August 2012, I once again requested a response, and finally received a reply from "Your Quality Team", who said they did not have an expected target release for this fix yet.

They then set the report to "Hibernating" mode, which sure doesn't sound good.

It is now 2013. Post-KickStarter, RunRev will be implementing a revamp to LiveCode, while offering dual-licensing.

Given that the main difference between the commercial version and the open source version is script security, this has become an issue of even greater importance.

And yet, there has been no word about when this security issue will be fixed.

The LQCC report remains "hibernated".

So the question is, when exactly will this issue finally and actually be fixed?

Also, if it still isn't fixed once dual-licensing is up and running, then what would be the point of releasing closed-source applications when the code is going to be right there in memory unencrypted, for thieves to steal?

Does no one else think this is an important issue that needs to be addressed immediately?

- Lyn






