On Fri, Mar 16, 2012 at 4:13 PM, Benjamin Smedberg
<[email protected]> wrote:
> On 3/16/2012 11:11 AM, Ben Francis wrote:
>>
>> B2G applications are Open Web Apps, you can read about them here
>> https://developer.mozilla.org/en-US/apps
>>
>> They're hosted on a web server like a web site, there's no packaging
>> format
>> but they may be cached locally using the existing appcache standard.
>
> Not to belabor the point, but it's clear that people are calling into
> question the wisdom of this stance.
ok, i thought about it.
if you create a URI scheme which supports "apt://{packagename}" then you can:
* have a B2G app or a gaia app contained within the URI
* create a frame which says <iframe src="apt://mywidget" width="400"
height="300" />
* if the package isn't installed, it triggers the downloading (and
permissions review)
* if the package *is* installed, it triggers displaying that app in the iframe
if you also create a URI scheme which supports
"deb://{locationofdotdebarchive}" then you can do the exact same trick
but *not* need a complete "store", you can also warn people "this
package has not been signed or vetted, you risk installation of
viruses, you are on your own", again if the package has been
installed, it pulls up the application.
this would seem to cover all the angles:
* safe lovely trusted stores
* unsafe lovely but easy-for-people-to-develop-without-a-store apps
* still works via URLs so is conceptually dead easy for people to understand.
* still forces things to go via a security audit (of some
yet-to-be-spec'd degree)
* upgrades and dependencies are a doddle (covered by apt-get upgrade).
l.
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
