Re: Question and project

[Guillaume Proux <gproux acesoliton com>]

George wrote:
> a bit worried about the scripting and "evil" (trojan horse) themes.  Though
> the commands are run as the gdm user, [...]

It took quite a bit of time to understand what you meant by trojan horse 
themes. I was assuming that somebody would not use a theme they would 
not trust in the first place... But if the theme is static, there is no 
such problem :)
To prevent any "bad" thing from happening, would it be possible to just 
change the id to a hypersage user (nobody?), chroot the executable 
somewhere safe (inside gdm data dir). Then we don't really need to be 
extra-paranoid as the trojan would be able to get to nothing but what 
was installed with the theme?
The only thing which is not so good there:
-> the trojan could open a hole through sockets and be controlled by an 
external bad guy to become part of a giant DDOS. (Imagine the title in 
the news: GDM-Love-DDOS)

At the end of the day, it will still be a matter of trust or not.

What is the difference between a theme and a normal program (such as 
gdm)? For me, none, they still must be installed and it is the sysadmin
work to verify that they are no danger to stability, etc...
Of course, I recognize that we should have a GUI to warn the sysadmin
that a particular theme has exe in it. But this should not be necessary
if we could have signed theme packages.

All those discussion led me to think about two new possible features:
- keep themes in tarballs (easier to manage!) and gdm opens the tarball 
itself to get its content.
- Have a new part of the theme change interface that can connect 
directly to the themes repository (www.art-gnome.org or...) and get
thumbnails of all themes available to download them and install them 
directly from the admin console.

cheers,

Guillaume