On Sun, Aug 10, 2008 at 09:38, Eric Evans <[EMAIL PROTECTED]> wrote:
> [ Aren Olson ]
>> Packaging them raises a few problems, namely
>>
>> 1) our current architecture isn't designed to support this
>> 2) we can't distribute updates to plugins quickly if, for example, the
>> API for a particular web service is changed
>>
>> in discussion of this bug in launchpad, we came up with the following
>> possible solution:
>>
>> 1) store an sha/md5 hash of the plugin archive in the plugin list
>> 2) GPG sign this plugin list
>
> The problem with doing this is establishing trust. Users will not only
> need GPG installed, they'll need to import the key that was used to
> sign the list, and they'll need to know that it's a key that can be
> trusted (i.e. that it's actually your key). Basically, it constitutes
> some improvement in security, but at the cost of being a pain to do
> /correctly/.

we'll ship the key in Exaile's source, which users have to trust in the
first place when they install exaile.

>
>> in the event that the user does not have GPG installed, downloading
>> from the internet would be disabled.
>>
>> if this is acceptable, we will implement it and release it in 0.2.14
>>
>> on another note, exaile 0.3 will allow for packaging plugins and for
>> installing plugins from manually-downloaded files as well as from the
>> server, so for the 0.3 series you will be able to distribute the
>> plugins as packages and we can still distribute updates to the user
>> via our system if they choose to enable updates and have GPG
>> installed.
>
> This sounds like a win-win.
>

I'll get right on it then.
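
The scheme discussed in this thread (archive hashes in the plugin list, a GPG signature over the list, the key shipped with the source, downloads disabled when GPG is missing), as an added Python example that is not Exaile's code. The "name digest" list format, SHA-256 as the hash, the function names and the sample plugin name are assumptions.

```python
import hashlib
import hmac
import shutil
import subprocess

# Constructed sample data; the "name sha256hex" line format is an assumption.
SAMPLE_ARCHIVE = b"constructed plugin archive bytes"
SAMPLE_LIST = "lastfm-cover %s\n" % hashlib.sha256(SAMPLE_ARCHIVE).hexdigest()


def list_signature_ok(list_path, sig_path, keyring_path, gpg="gpg"):
    """Verify the detached signature on the plugin list with the shipped keyring only.

    Fails closed: returns False when gpg is not installed or verification fails,
    so the caller keeps downloads disabled. keyring_path should be a full path;
    gpg resolves a bare file name relative to its home directory.
    """
    gpg_bin = shutil.which(gpg)
    if gpg_bin is None:
        return False
    result = subprocess.run(
        [gpg_bin, "--batch", "--no-default-keyring", "--keyring", keyring_path,
         "--verify", sig_path, list_path],
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return result.returncode == 0


def parse_plugin_list(text):
    """Map plugin name -> lowercase hex digest; malformed lines raise ValueError."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, digest = line.split()
        digest = digest.lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError("bad digest for %s" % name)
        entries[name] = digest
    return entries


def archive_matches_list(name, archive_bytes, list_text):
    """True only if the archive hashes to the value recorded in the verified list."""
    expected = parse_plugin_list(list_text).get(name)
    if expected is None:
        return False  # plugin not in the signed list: refuse to install
    actual = hashlib.sha256(archive_bytes).hexdigest()
    return hmac.compare_digest(actual, expected)
```

The order matters: `list_signature_ok` must succeed before the list's contents are passed to `archive_matches_list`, since the hashes are only as trustworthy as the signature over the list.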