> And you think malware couldn't put up a systray icon tricking you into > thinking you have updates? You think you would be able to tell the > difference? The panel icon is just as fakeable as the popup.
Disagree. Because update-manager does not require gksudo, there is no screen dimming or anything else that indicates in an obvious manner that it is an actual update window and not a popup coming from the browser. (I'm not talking about popup in the browser window sense, I'm talking about popups in the z-index sense, they can work because it is very common for the user to use the browser fullscreen) Thinking better, *even* with screen dimming the user can be tricked: all it needs is from him to have a dark theme (so the non-dimming of the browser toolbar and the panel would be less noticeable) And the most important: Saying "both alternatives are insecure, so since it will be insecure anyway let's forget the issue" is not exactly the optimal way of solving a problem. We should look for a third alternative if needed. _______________________________________________ Mailing list: https://launchpad.net/~ayatana Post to : ayatana@lists.launchpad.net Unsubscribe : https://launchpad.net/~ayatana More help : https://help.launchpad.net/ListHelp