Re: Deskbar Applet, NewStuffManager, 2.16, Installing New Plug-Ins, AutoUpdate, etc.

On Tue, 2006-08-01 at 20:36 +0200, Isak Savo wrote:
> 2006/8/1, Vincent Untz <vuntz gnome org>:
> > Hi,
> >
> > Le mardi 01 ao�06, �1:42, Nigel Tao a �it :
> > > > > You mean running untrusted code from the Web?
> >
> > > > Nigel said it would be possible to secure it a bit using GPG keys.
> > > > Maybe this kind of signing should be made a requirement.
> > >
> > > Well, should signing be necessary and/or sufficient, and who makes
> > > that decision?
> >
> > Here's my opinion:
> [...]
> >  + I wouldn't want to see this active until we have a proper way to make
> >    this "secure".
> >
> > I'm no expert in security, so I can't help that much. Would waiting for
> > the 2.18 release cycle be an issue for desbkar? It could leave us time
> > to properly handle the security/trust issue and to make other modules
> > use this.
> If I get this right, the NewStuffManager thingly is just an easier way
> to download and install plugins ("new stuff"), right?
> As such, I don't really see why this thing would be impose any
> security issues that didn't exist earlier. Lots of applications
> already have a plug-in system, and to my knowledge, they also allow
> extra plugins to be installed in $HOME (i.e. without root access). The
> only thing that's changed is that it's suddenly possible to install
> them without manually downloading and copying files to hidden
> directories.
> If plugins are a security issue, then don't provide a plugin
> architecture. Don't rely on the fact that it's hard to install plugins
> as a way to ensure the user's system is secure[1]. Things like social
> engineering will breach that wall sooner or later anyway...

That's not exactly the issue people are worried about.  When
the plugins are provided on the web, there are steps people
can take to ensure their integrity.  I can provide checksums
of all my tarballs (as we do on and the person
downloading them can manually check those.

It certainly isn't elegant, but at least people can protect
themselves from man-in-the-middle attacks, even if it means
extra manual work.

With an automated listy-clicky thing, you don't get to see
explicit files, and you have no way of checking against a
checksum or a digital signature.  (Also, checksums aren't
all that useful for protecting yourself, since if somebody
is sitting between you and the server feeding you different
data, he's presumably competent enough to feed you another


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]