[Edu-sig] DocTest Quiz

Michael Tobis mtobis at gmail.com
Mon Apr 24 04:08:05 CEST 2006


On 4/23/06, Ian Bicking <ianb at colorstudy.com> wrote:

> > ... except for being the client at the lowest level,  it
> > looks a lot like an XML-RPC server, interpreting known requests
>
> XML-RPC is just specially-formatted HTTP requests, so it wouldn't affect
> any port security.

I wonder if I am succeeding in making myself clear. Let me try to boil it down.

Imagine that I am just a kid whose parents have bought me an AOL login
or something, so (in general) I can't service HTTP requests.

But I *can* make them. So I can run client code that requests a test
and then requests validation of my response to that test, over HTTP.
In a nutshell that is my proposal.

>
> >> If there were student-contributed doctests this
> >> seems like a potential concern.
> >
> > Yes, this is the problem with my approach. I don't handle that, and
> > that is why a sandbox solution is still a good idea.
>
> If everything is purely run on the client side, it's probably not *that*
> big of a deal, if you only accept code from 'trusted' students, i.e.,
> students actually in the class, or doctests vetted by some trusted group
> (e.g., teachers moderating a wiki).  Then the students can only mess up
> other people's computers to the same degree they can mess up their
> computers, which if you are in a lab isn't a big deal (and you probably
> need a restoration process for other reasons anyway).

"It's not *that* big a deal" does seem to be the answer to the sandbox
question in education. If we aren't exchanging money or signing
contracts, the occasional malfeasance might not be that consequential.

But if we are running everything client side we need trusted TESTS for
sure, because the evil cousin could as easily hack the test as the
target code. The school serving as instrument for infecting the
citizen's computer by evil doctests would not go over very well in
most jurisdictions. I do think such a thing potentially has great
value, but it might be very tricky to run such code client side, at
least prior to some of the major efforts we have started to discuss
here.

A specialized client running an invisible test delivered from a
trusted server seems to me to be a useful tool that is very safe,
rather easy to deploy, and straightforward. It could be stitched
together quickly, has practically zero security issues, and allows
tests to be performed and validated on any computer which can make
outbound web requests. I think that's valuable.

mt
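
The exchange proposed in the message above, sketched as an added example; it is not code from the thread or from any Edu-sig project. The names `issue_test`, `validate` and `client_round`, the test bank, and the single-use nonce are assumptions made for illustration, and direct function calls stand in for the two outbound HTTP requests.

```python
import hmac
import json
import secrets

# Constructed sample test bank. Prompts go to the client; expected values
# never leave the server, so a tampered client copy cannot change a verdict.
TESTS = {
    "double": {"prompt": "Write double(n); send repr(double(21))", "expected": "42"},
    "upper": {"prompt": "Write shout(s); send repr(shout('hi'))", "expected": "'HI'"},
}
_issued = {}  # nonce -> test id: server-side record of outstanding tests


def issue_test(test_id):
    """Server reply to the client's first request: a prompt and a nonce."""
    nonce = secrets.token_hex(16)
    _issued[nonce] = test_id
    return json.dumps({"nonce": nonce, "prompt": TESTS[test_id]["prompt"]})


def validate(body):
    """Server reply to the client's second request: a verdict only."""
    try:
        req = json.loads(body)
        nonce, answer = str(req["nonce"]), str(req["answer"])
    except (ValueError, KeyError, TypeError):
        return json.dumps({"ok": False, "reason": "malformed"})
    # pop() makes each issued test single-use, so a replayed or guessed
    # nonce is rejected. The test id comes from server state, not the client.
    test_id = _issued.pop(nonce, None)
    if test_id is None:
        return json.dumps({"ok": False, "reason": "unknown or used nonce"})
    expected = TESTS[test_id]["expected"]
    ok = hmac.compare_digest(answer.strip().encode(), expected.encode())
    return json.dumps({"ok": ok, "reason": "checked"})


def client_round(test_id, student_fn, arg):
    """Client side: two outbound requests, simulated here as direct calls."""
    test = json.loads(issue_test(test_id))
    body = json.dumps({"nonce": test["nonce"], "answer": repr(student_fn(arg))})
    first = json.loads(validate(body))
    replay = json.loads(validate(body))  # same nonce submitted a second time
    return first, replay
```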

