Hello, our school are hoping to use Sonic Pi with years 7 and 8. I have tried it out and can see it being very popular with the students. However, please could you explain whether the Sonic Pi environment is secure, or whether it can execute Ruby instructions other than those used by Sonic Pi.
Thanks and regards
Welcome to in-thread. It’s great that you are hoping to use Sonic Pi with 7- and 8-year-olds in your school.
Sonic Pi will allow some but not all Ruby commands in its user programs, but I don’t think it is much of a security risk. I don’t think system calls will work for example. I have however used file handling calls in a couple of programs, where they have been useful in storing data, e.g. in this project Sonic Pi 3 Record/Player using TouchOSC
Many schools use Sonic Pi and I don’t think you need to worry unduly about security risks. There are plenty of commands which are documented for use in Sonic Pi, and you don’t need to include others to use it very successfully. The use of “other” Ruby commands in Sonic Pi is not supported in the built-in documentation, nor is it indeed necessary to use them.
On the input side, Sonic Pi can respond to incoming OSC messages. There is a switch which is normally off to prevent these from originating from other computers, but this can be turned on if you wish to communicate with Sonic Pi from an external machine.
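As an added illustration of the OSC point above (this is example code, not Sonic Pi’s own implementation and not from any poster here): a minimal OSC message encoder/decoder in plain Ruby, plus a source-address check that mirrors a default-off “accept OSC from other machines” switch. The port Sonic Pi listens on, the real name of its switch and its internal handling are deliberately not modelled; `accept_osc_from?` and the `/trigger/note` address are assumptions constructed for the example.

```ruby
# Added example, not Sonic Pi's own code: a minimal OSC message codec plus the
# "loopback only unless remote input is switched on" policy the thread describes.
# The port, the switch's real name and Sonic Pi's internal handling are not
# modelled; accept_osc_from? is an assumption about the behaviour, not its source.

OscMessage = Struct.new(:address, :args)

LOOPBACK_ADDRESSES = %w[127.0.0.1 ::1].freeze

# OSC strings are NUL-terminated and padded to a 4-byte boundary.
def osc_padded_len(n)
  (n + 4) & ~3
end

def osc_string(s)
  b = s.b
  b + ("\0" * (osc_padded_len(b.bytesize) - b.bytesize))
end

# Encode an address and int/float/string args into one OSC packet.
def osc_encode(address, args)
  tags = ",".dup
  body = "".b
  args.each do |a|
    case a
    when Integer then tags << "i"; body << [a].pack("l>")   # int32, big-endian
    when Float   then tags << "f"; body << [a].pack("g")    # float32, big-endian
    when String  then tags << "s"; body << osc_string(a)
    else raise ArgumentError, "unsupported OSC argument #{a.class}"
    end
  end
  osc_string(address) + osc_string(tags) + body
end

# Bounds check: a packet from the network must never be trusted to be complete.
def osc_need(buf, pos, n)
  raise "truncated OSC packet" if buf.bytesize < pos + n
end

def osc_read_string(buf, pos)
  nul = buf.index("\0".b, pos)
  raise "unterminated OSC string" unless nul
  str = buf[pos...nul]
  next_pos = pos + osc_padded_len(str.bytesize)
  osc_need(buf, 0, next_pos)
  [str, next_pos]
end

# Decode a single OSC message (address, type tags, i/f/s arguments).
def osc_decode(packet)
  buf = packet.b
  address, pos = osc_read_string(buf, 0)
  raise "OSC address must start with '/'" unless address.start_with?("/")
  tags, pos = osc_read_string(buf, pos)
  raise "missing OSC type tag string" unless tags.start_with?(",")
  args = tags[1..-1].each_char.map do |t|
    case t
    when "i"
      osc_need(buf, pos, 4)
      v = buf[pos, 4].unpack1("l>")
      pos += 4
      v
    when "f"
      osc_need(buf, pos, 4)
      v = buf[pos, 4].unpack1("g")
      pos += 4
      v
    when "s"
      v, pos = osc_read_string(buf, pos)
      v
    else
      raise "unsupported OSC type tag #{t.inspect}"
    end
  end
  OscMessage.new(address, args)
end

# The switch: with allow_remote false only loopback sources are accepted.
def accept_osc_from?(source_ip, allow_remote: false)
  allow_remote || LOOPBACK_ADDRESSES.include?(source_ip)
end

# Returns the decoded message, or nil when the source is not permitted.
def handle_osc_packet(packet, source_ip, allow_remote: false)
  return nil unless accept_osc_from?(source_ip, allow_remote: allow_remote)
  osc_decode(packet)
end

# Constructed sample: a note trigger from a machine on the LAN is dropped by
# default, and accepted from the same machine or once remote input is enabled.
if __FILE__ == $PROGRAM_NAME
  pkt = osc_encode("/trigger/note", [60, 0.5, "piano"])
  p handle_osc_packet(pkt, "192.168.1.20")
  p handle_osc_packet(pkt, "127.0.0.1")
  p handle_osc_packet(pkt, "192.168.1.20", allow_remote: true)
end
```

The decode side is bounds-checked on every field because, once the switch is on, the packet arrives from an untrusted network peer; the policy check happens before any parsing, so a rejected source never reaches the decoder at all.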
Great to hear that you’re considering using Sonic Pi in your school.
For the record, Sonic Pi is as secure as running Python or working on the command prompt. It is very possible to ‘shell out’ to remote processes as you can from any standard programming environment, but this only allows you to do as much as your user could do by clicking a mouse and typing on the keyboard. For example, you can delete files from Sonic Pi (if you know the correct thing to type) but you’re only limited to being able to delete the same files you would be able to delete from Windows Explorer or the Finder on Mac. This is precisely the same behaviour and security connotations as you would get running a standard Python program.
I should also add that over the 5 years or so that Sonic Pi has been publicly available we’re yet to get any security complaints or security bugs. This is not to say that these won’t happen or don’t exist (no software is 100% secure) but it should give you some confidence that there are no major obvious known issues.
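Given the point above that a Sonic Pi buffer is ordinary Ruby running as the logged-in user, one thing a teacher can do is lint student buffers for tokens that reach outside the documented Sonic Pi API. The following is an added example written for this page, not code from the Sonic Pi project or from any poster; it uses Ruby’s standard-library `ripper` lexer, and the identifier list is an assumption meant to be tuned for your classroom.

```ruby
require "ripper"

# Added example, not part of Sonic Pi: a teacher-side lint that flags tokens in
# a student buffer which reach outside the documented Sonic Pi API (shell-outs,
# file/process access, require/eval). The identifier list is an assumption to
# be tuned. It is a review heuristic, not a sandbox: Ruby can still reach these
# via reflection (e.g. Object.const_get with a computed name), so it narrows
# what a teacher has to read rather than preventing anything.

SUSPECT_IDENTIFIERS = %w[
  system exec spawn fork eval instance_eval class_eval
  require require_relative load send public_send __send__
  File Dir IO Open3 Process Kernel Socket
].freeze

Finding = Struct.new(:line, :col, :token, :reason)

# Lex the source rather than grepping it, so that the word "system" inside a
# string literal or a comment is not reported (those are other token types).
def flag_suspect_tokens(src)
  findings = []
  Ripper.lex(src).each do |(line, col), type, tok, _state|
    case type
    when :on_backtick
      findings << Finding.new(line, col, tok, "runs a shell command (backticks or %x)")
    when :on_ident, :on_const
      next unless SUSPECT_IDENTIFIERS.include?(tok)
      findings << Finding.new(line, col, tok, "reaches outside the documented Sonic Pi API")
    end
  end
  findings
end

# One line per finding, suitable for a teacher skimming a buffer.
def lint_report(src)
  flag_suspect_tokens(src).map do |f|
    "line #{f.line}, col #{f.col}: #{f.token} - #{f.reason}"
  end
end

# Constructed sample buffers, one clean and one that shells out and touches
# files; both are made up for this example.
if __FILE__ == $PROGRAM_NAME
  clean = "# system stays in a comment\nuse_synth :tb303\nplay 60\nsleep 0.5\n"
  bad   = "play 60\nsystem(\"ls ~\")\n`ls`\nFile.delete(\"song.rb\")\nsend(:system, \"ls\")\n"
  puts lint_report(clean).empty? ? "clean buffer: nothing flagged" : lint_report(clean)
  puts lint_report(bad)
end
```

Because the check works on lexer tokens, `send(:system, ...)` is caught twice (once for `send`, once for the symbol’s identifier), while `puts "system"` is not reported at all.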
Thank you for your reply. We only allow our students to use Python in a VirtualBox environment. Do you know if other schools are putting Sonic Pi into a VirtualBox (or another virtual environment).
I can speak for my school that we just run SPi straight out of Ubuntu. Having used distros with Jackd in VMs (VBox in particular) in the past, I see no reason why it wouldn’t work at least ok, but I’d get as much CPU and memory to the guest as possible because students love to quickly push boundaries, like seeing what a sleep of 0.0000001 will do. Because it’s audio I’d ultimately suggest against it, but I understand the needs of your secure environment.
And this is a fascinating thread. I have a buddy who works for Optiv security who I’m starting to get into SPi. We’ve discussed “how do you attack somebody via SPi” in a hypothetical sense, but I’ll make the convo a bit more realistic next time.
Thanks for all your replies. We feel reassured and have installed Sonic Pi on our Music computers (Windows 7).
That’s fab to hear - please do let us know how you get on with it