Automatic Script Updater

Leo Franchi lfranchi at kde.org
Thu Oct 8 16:01:20 CEST 2009


ccing to list

On Thursday 08 October 2009 09:58:13 Sven Krohlas wrote:
> Heya,
> 
> > I don't think third-party scripts should be a part of this system. Who
> > signs them off? By definition not us, as they are 3rd-party. We can't be
> > the gateway for all 3rd-party script updates. But we don't want to allow
> > random developers to inject code in Amarok ad-hoc.
> 
> we can sign the keys of "trustworthy" (a term that has to be defined then)
> script developers. This way we don't have to sign each and every update but
> just have to verify that the key used to sign an update was signed by our
> key. The script package would need to contain the public key and our
> signature for it then.
> 
> Trustworthy could be someone
> * we know personally
> * has given good contributions to the community for some time
> * we know the real identity of
> or something like that.
> 
> If the key shipped with the package is not signed by us we can let the user
> decide what to do. Maybe Amarok should also alert the user if the key
> changes between two versions, especially if the new key is no longer
> signed by us, but the old one was.
> 
> To complete the scheme a blacklist of revoked keys we no longer trust would
> be nice.
> 
> Sooner or later third party scripts will have security holes, too, might
> crash an updated Amarok or do other bad stuff, and without an update
> mechanism our users will hate us for it.
> 

-- 
Leo Franchi                             (512) 775 5637
Tufts University 2010

lfranchi at kde.org
leonardo.franchi at tufts.edu
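
The key-endorsement scheme quoted above, sketched as an added example that is not part of the original message or of Amarok's code. The thread names no signature algorithm or package format, so Ed25519 via Node's built-in `crypto` module and every function and field name below are assumptions.

```javascript
// Added example; every name here is hypothetical, not Amarok code.
const { generateKeyPairSync, sign, verify, createPublicKey, createHash } = require('crypto');

// DER form of a public key: the bytes that get shipped, endorsed and fingerprinted.
const der = (publicKey) => publicKey.export({ type: 'spki', format: 'der' });
const fingerprint = (keyDer) => createHash('sha256').update(keyDer).digest('hex');

// Project side: endorse a developer by signing the developer's public key.
const endorse = (projectPrivate, devPublic) => sign(null, der(devPublic), projectPrivate);

// Developer side: package = script + own public key + endorsement + script signature.
const buildPackage = (script, dev, endorsement) => ({
  script, devKey: der(dev.publicKey), endorsement,
  scriptSig: sign(null, Buffer.from(script), dev.privateKey),
});

// Client side. state = { projectKey, revoked: Set<fingerprint>, pinned: {fp, endorsed} | null }
function checkUpdate(pkg, state) {
  const fp = fingerprint(pkg.devKey);
  if (state.revoked.has(fp)) return { action: 'reject', reason: 'key revoked' };
  let devKey;
  try { devKey = createPublicKey({ key: pkg.devKey, format: 'der', type: 'spki' }); }
  catch { return { action: 'reject', reason: 'malformed key' }; }
  if (!verify(null, Buffer.from(pkg.script), devKey, pkg.scriptSig))
    return { action: 'reject', reason: 'bad script signature' };
  // Endorsed only if the project key signed exactly the key bytes in this package.
  const endorsed = Buffer.isBuffer(pkg.endorsement) &&
    verify(null, pkg.devKey, state.projectKey, pkg.endorsement);
  const pin = state.pinned;
  if (pin && pin.fp !== fp)  // key differs from the installed version's key
    return { action: 'ask-user', endorsed,
      reason: pin.endorsed && !endorsed ? 'key changed, endorsement lost' : 'key changed' };
  return { action: endorsed ? 'install' : 'ask-user', endorsed,
    reason: endorsed ? 'endorsed key' : 'key not endorsed' };
}

// Constructed scenarios: endorsed developer, unknown developer, key swap, revocation.
function demo() {
  const project = generateKeyPairSync('ed25519');
  const alice = generateKeyPairSync('ed25519'), mallory = generateKeyPairSync('ed25519');
  const good = buildPackage('print("v2")', alice, endorse(project.privateKey, alice.publicKey));
  const swapped = buildPackage('print("v3")', mallory, good.endorsement); // reused endorsement
  const state = { projectKey: project.publicKey, revoked: new Set(), pinned: null };
  const pinned = { ...state, pinned: { fp: fingerprint(good.devKey), endorsed: true } };
  const revoked = { ...state, revoked: new Set([fingerprint(good.devKey)]) };
  return [checkUpdate(good, state), checkUpdate(swapped, state),
    checkUpdate(swapped, pinned), checkUpdate(good, revoked)].map((r) => r.reason);
}
```

The revocation check runs first so that a blacklisted key is refused even when its endorsement and script signature are still cryptographically valid.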

