Why doesn't evalable6 allow for private messages? #350

Open
lizmat opened this issue Apr 9, 2019 · 4 comments

@lizmat
Contributor

lizmat commented Apr 9, 2019

If you want to try out things when camelia is down and don't want to bother the rest of the world?

@MasterDuke17
Collaborator

Because it has fewer restrictions than camelia, so we want to be sure to be able to see what's being run. However, you can join #whateverable if you don't want to spam the main channels.

@AlexDaniel
Member

> Because it has fewer restrictions than camelia

Actually, not really. Camelia didn't have any proper restrictions. All it did was use the RESTRICTED misfeature in rakudo, which as far as I know no longer works.

perlbot answers private messages and is pretty safe:

15:02:05 <AlexDaniel> r: say 42
15:02:07 <perlbot> 42␤

It's a bit slower and it doesn't follow rakudo master, but at least you can talk to it privately.

There's a PR for camelia that attempts to make it a bit more secure: Raku/evalbot#11

@AlexDaniel
Member

See also: #25

AlexDaniel added a commit that referenced this issue Mar 27, 2020
Currently only for linkable6, notable6, releasable6 and one other
upcoming bot.

Addresses #374 (but without tests). #350 is related.
@AlexDaniel
Member

This and #374 are the same issue, I think.

Due to progress in #388, all bots are now dockerized, and they have a very limited amount of write access to anything. For example, they cannot delete builds, because only Buildable has write access to them (previously they could!).

As a result, I think we can now be way more permissive. Of course, letting people run arbitrary code is always a bad idea, but these bots have always been somewhat permissive to let people get things done. And compared to running directly on the server (even though they were very limited by systems), containers are a lot more secure.
