Bug#451303: suggestions?

2008-08-10 Thread Aren Olson
On Sun, Aug 10, 2008 at 09:38, Eric Evans <[EMAIL PROTECTED]> wrote:
> [ Aren Olson ]
>> Packaging them raises a few problems, namely
>>
>> 1) our current architecture isn't designed to support this
>> 2) we can't distribute updates to plugins quickly if, for example, the
>> API for a particular web service is changed
>>
>> in discussion of this bug in launchpad, we came up with the following
>> possible solution:
>>
>> 1) store an sha/md5 hash of the plugin archive in the plugin list
>> 2) GPG sign this plugin list
>
> The problem with doing this is establishing trust. Users will not only
> need GPG installed, they'll need to import the key that was used to
> sign the list, and they'll need to know that it's a key that can be
> trusted (i.e. that it's actually your key). Basically, it constitutes
> some improvement in security, but at the cost of being a pain to do
> /correctly/.

We'll ship the key in Exaile's source, which users have to trust in
the first place when they install Exaile.

>
>> in the event that the user does not have GPG installed, downloading
>> from the internet would be disabled.
>>
>> if this is acceptable, we will implement it and release it in 0.2.14
>>
>> on another note, exaile 0.3 will allow for packaging plugins and for
>> installing plugins from manually-downloaded files as well as from the
>> server, so for the 0.3 series you will be able to distribute the
>> plugins as packages and we can still distribute updates to the user
>> via our system if they choose to enable updates and have GPG
>> installed.
>
> This sounds like a win-win.
>

I'll get right on it then.



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
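
The scheme proposed in this thread (a hash of each plugin archive in the plugin list, a GPG signature on the list, the key shipped with the source, no download without GPG), sketched as an added example that is not Exaile's code. The function names, the list format, the keyring file and the choice of SHA-256 are assumptions.

```python
import hashlib
import hmac
import os
import subprocess

class VerificationError(Exception):
    """Raised whenever a downloaded plugin must not be installed."""

def verify_list_signature(list_path, sig_path, keyring_path, gpg="gpg"):
    """Verify the detached signature using only the keyring shipped with the source."""
    cmd = [gpg, "--batch", "--no-default-keyring",
           "--keyring", os.path.abspath(keyring_path),
           "--status-fd", "1", "--verify", sig_path, list_path]
    try:
        proc = subprocess.run(cmd, capture_output=True, timeout=30,
                              encoding="utf-8", errors="replace")
    except (OSError, subprocess.TimeoutExpired) as exc:
        # GPG missing or unusable: fail closed, downloads stay disabled.
        raise VerificationError("GPG unavailable, plugin downloads disabled") from exc
    valid = any(l.startswith("[GNUPG:] VALIDSIG ") for l in proc.stdout.splitlines())
    if proc.returncode != 0 or not valid:
        raise VerificationError("plugin list signature did not verify")

def parse_plugin_list(text):
    """Parse '<sha256-hex>  <archive-name>' lines (assumed format) into a dict."""
    digests = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64 or set(parts[0]) - set("0123456789abcdef"):
            raise VerificationError("malformed plugin list entry")
        if parts[1] in digests:
            raise VerificationError("duplicate plugin list entry")
        digests[parts[1]] = parts[0]
    return digests

def check_archive(name, archive_bytes, digests):
    """Accept an archive only if its digest matches the entry in the verified list."""
    expected = digests.get(name)
    if expected is None:
        raise VerificationError("%s is not in the signed list" % name)
    if not hmac.compare_digest(hashlib.sha256(archive_bytes).hexdigest(), expected):
        raise VerificationError("%s does not match its signed hash" % name)
    return True

# Constructed sample data, not real Exaile plugins.
SAMPLE_ARCHIVE = b"constructed plugin archive bytes"
SAMPLE_LIST = "# constructed list\n%s  example-plugin.tar.gz\n" % (
    hashlib.sha256(SAMPLE_ARCHIVE).hexdigest())
```

The hashes only carry weight once `verify_list_signature` has succeeded on the exact list file that `parse_plugin_list` then reads, so the caller runs the three steps in that order and installs nothing if any of them raises.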



Bug#451303: suggestions?

2008-08-07 Thread Aren Olson
Packaging them raises a few problems, namely

1) our current architecture isn't designed to support this
2) we can't distribute updates to plugins quickly if, for example, the
API for a particular web service is changed

in discussion of this bug in launchpad, we came up with the following
possible solution:

1) store an sha/md5 hash of the plugin archive in the plugin list
2) GPG sign this plugin list

in the event that the user does not have GPG installed, downloading
from the internet would be disabled.

if this is acceptable, we will implement it and release it in 0.2.14

on another note, exaile 0.3 will allow for packaging plugins and for
installing plugins from manually-downloaded files as well as from the
server, so for the 0.3 series you will be able to distribute the
plugins as packages and we can still distribute updates to the user
via our system if they choose to enable updates and have GPG
installed.






Bug#451303: suggestions?

2008-08-06 Thread Aren Olson
Hi, I'm an Exaile dev. I do agree that this is a severe flaw that needs
to be fixed, though I am not sure what the most sane way to do so
would be. I am open to any suggestions as to the best way to resolve
this issue.


