Hello, our school is hoping to use Sonic Pi with years 7 and 8. I have tried it out and can see it being very popular with the students. However, please could you explain whether the Sonic Pi environment is secure, or whether it can execute Ruby instructions other than those used by Sonic Pi?
Welcome to in-thread. It's great that you are hoping to use Sonic Pi with 7- and 8-year-olds in your school.
Sonic Pi will allow some but not all Ruby commands in its user programs, but I don't think it is much of a security risk. I don't think system calls will work, for example. I have however used file handling calls in a couple of programs, where they have been useful in storing data, e.g. in this project: Sonic Pi 3 Record/Player using TouchOSC
Many schools use Sonic Pi and I don't think you need to worry unduly about security risks. There are plenty of commands which are documented for use in Sonic Pi, and you don't need to include others to use it very successfully. The use of “other” Ruby commands in Sonic Pi is not supported in the built-in documentation, nor is it indeed necessary to use them.
On the input side, Sonic Pi can respond to incoming OSC messages. There is a switch which is normally off to prevent these from originating from other computers, but this can be turned on if you wish to communicate with Sonic Pi from an external machine.
Great to hear that you're considering using Sonic Pi in your school.
For the record, Sonic Pi is as secure as running Python or working on the command prompt. It is very possible to “shell out” to remote processes as you can from any standard programming environment, but this only allows you to do as much as your user could do by clicking a mouse and typing on the keyboard. For example, you can delete files from Sonic Pi (if you know the correct thing to type) but you're only limited to being able to delete the same files you would be able to delete from Windows Explorer or the Finder on Mac. This is precisely the same behaviour and security connotations as you would get running a standard Python program.
I should also add that over the 5 years or so that Sonic Pi has been publicly available we're yet to get any security complaints or security bugs. This is not to say that these won't happen or don't exist (no software is 100% secure) but it should give you some confidence that there are no major obvious known issues.
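The replies above make the point that a Sonic Pi buffer is plain Ruby, so file handling and shell-out calls run with the student's own privileges. A teacher who wants to notice such calls before a buffer is run could lex it with Ruby's own Ripper and flag names outside the documented Sonic Pi commands. This is an added example, not code from the thread or from the Sonic Pi project, and the set of flagged names is an assumption for illustration, not an official Sonic Pi allow or deny list.

```ruby
require 'ripper'

# Assumed categories of plain-Ruby names worth a second look in a
# classroom buffer (not an official Sonic Pi list).
RISKY = {
  shell:   %w[system spawn exec fork Open3 Process].freeze,   # shell out
  files:   %w[File IO Dir FileUtils].freeze,                   # file handling
  dynamic: %w[eval instance_eval class_eval require load Kernel].freeze,
}.freeze

# Lex the buffer with Ripper so that comments and string contents are
# never flagged; report each risky identifier/constant and each
# backtick command literal with its line number.
def scan_buffer(src)
  findings = []
  prev = nil
  Ripper.lex(src).each do |(line, _col), type, tok, _state|
    case type
    when :on_ident, :on_const
      unless prev == :on_symbeg # :system as a symbol is only a name
        kind = RISKY.find { |_k, names| names.include?(tok) }&.first
        findings << { line: line, kind: kind, token: tok } if kind
      end
    when :on_backtick            # `cmd` is a shell call too
      findings << { line: line, kind: :shell, token: '`' }
    end
    prev = type
  end
  findings
end

# Constructed sample buffer: ordinary Sonic Pi code plus two lines that
# reach into plain Ruby (line 7 opens a file, line 8 shells out).
SAMPLE_BUFFER = <<~RUBY
  # File is mentioned in this comment, which is not flagged
  use_bpm 120
  live_loop :beat do
    sample :bd_haus
    sleep 0.5
  end
  log = File.open("/tmp/notes.txt", "a")
  system("echo hi")
RUBY

# Human-readable summary of the findings for one buffer.
def report(src = SAMPLE_BUFFER)
  scan_buffer(src).map { |f| "line #{f[:line]}: #{f[:kind]} (#{f[:token]})" }
end

puts report
```

The output is advisory only; it tells a teacher where to look, it does not stop the buffer from running.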
Thank you for your reply. We only allow our students to use Python in a VirtualBox environment. Do you know if other schools are putting Sonic Pi into a VirtualBox (or another virtual environment)?
I can speak for my school that we just run SPi straight out of Ubuntu. Having used distros with Jackd in VMs (VBox in particular) in the past, I see no reason why it wouldn't work at least OK, but I'd get as much CPU and memory to the guest as possible because students love to quickly push boundaries, like seeing what a sleep of 0.0000001 will do. Because it's audio I'd ultimately suggest against it, but I understand the needs of your secure environment.
And this is a fascinating thread. I have a buddy who works for Optiv security who I'm starting to get into SPi. We've discussed “how do you attack somebody via SPi” in a hypothetical sense, but I'll make the convo a bit more realistic next time.