tma 2021-12-30: Under Windows 'alited' creates a directory '.config' in the users home directory with every start. Application config files should be in APPDATA=C:\Users\<UserName>\AppData\Roaming\<AppName>.

HE 2021-12-30: Alited looks promising but directly after starting I found one or better, two issues which let me directly stop my experiments.

Opening a ticket on github is only possible for registered users so this is not a possible way for me to inform the author.

Therefore, I added a Discussion section to provide what I found.

Alited opens a server socket on 127.0.0.1:51837 by using the package comm. This is not possible to change without changing the code. Neither the used port nor that the port is opened for listening.

This is an issue in a couple of cases:

• The port is used for some reason other than alited. Alited will never show itself on the GUI. Moreover, there is no warning what went wrong and a look into the task list shows that alited is still running.
  That means it hangs forever. Or, at least for a couple of minutes before I killed these processes.
  Reason is a missing timeout when using "::comm::comm send $comm_port" to test if the task using the port is a alited instance. There is no guarantee that a listener port is answering the connection attempt. And then alited hangs.
• It is not possible to use two instances of alited in parallel. For example, I'm often working on different programs at the same time using different virtual work spaces. In such cases I want different instances.
  Reason is that the used port is not configurable. We can use more than one configuration file but, they use always the same port.
• This open port is a security thread because it allows other users on the same machine to send commands to a running alited instance. I tried:

                Two user foo and foo1.
                foo starts alited.
                foo1 starts tclsh and executes the following:

                        package require comm
                        comm::comm send 51837 exec touch ~/securityIssue.txt
                        comm::comm send 51837 exit
                        exit

This created a new text file and than closed the alited instance of foo. To make it clear, this allows everything to be executed by foo1 in context of foo what exec accepts. So you can destroy all the data foo can reach.

I don't understand the need to use comm with -listener 1 for alited. The documentation does not describe a use case for it. At least I doesn't find it.

To remote control an application to be tested, the listener mode of comm is not needed in alited.

To check for another running instance of the user also can be done in a different way. For example, assuming a local installation of the user with a lock file.

Perhaps one can explain the reason for using comm in listener mode?

aplsimple - 2021-12-31 01:55:17

Happy New Year for all of you!

Hi TMA,

Hopefully, in the upcoming 2022 Bill (or anyone who'd be after him) will not change his mind and the Roaming directory will not turn to some RoamingNeverSayNever.

alited might finely do without the starting question on .config, still it's one of its nice features - to have as much configuration directories as you need. Somewhere in the docs I mention this, it seems to be First start section.

---

Hi Holger,

Why don't register in Github? Making so nice analysis on comm and two instances of alited - and so averting from Github? The Git and Github aren't wild beasts, they don't bite:) Still the issues of Github would allow guys to get the troubles immediately on the mail, the feature alas they have not with Wiki's Comments and Chiselapp's Tickets.

That said, alited is more about Tcl/Tk development than those entourage things. The alited is better than Geany and TKE. Imho much better. You might see it in its demo of units https://github.com/aplsimple/alited/releases/download/2.Units_alited-1.0.6/2.Units_alited-1.0.6.mp4 not to say of other sides, be them dark or lite.

HE 2021-12-31: Hello Alex,

Thanks for the fast answer. That means at least that you now knows about the security issue in alited. So, my way worked even without to be registered in Github.

By the way, Github is software and it can't bite without hardware. So I'm pretty sure before your comment that Github don't byte ;-)
But, I don't want to register in all the different platforms only to open a ticket. At the end I have to remember all the accounts and passwords for one ticket every n years.

Tcl and Tk for example you can open a ticket without having an account. For sure you have to give an email address but, this is okay because it is not public shown.

And you don't need to advertise alited again. I would be more interested what you want to do with the listed cases.

As you can see I made an analysis with two instances of alited, two users and also some steps showing possibly dangerous commands.
And I documented it here for all potential users.
I also tried a quick search through the provided documentation why alited needs that listener port beside to find out that an instance is still running.

I can change the behavior that it would fit my needs but I can't provide you a patch for that, because I don't know why you programmed it in this way or what is the use case behind it.

And it makes no sense to create a patch to make the port configurable if the only use case is to detect a running instance of alited. Because in that case I would use a different approach.

And it makes also no sense to make a deep dive into the comm package for me. The mechanism has that possible security issue. Perhaps it can be solved by using tls and certificates. But, this is behind my current experience and far to much effort to make a foreign program running safely. I'm even not sure if there is an easy way by using sockets.

Keep in mind that I simply wanted to try alited.