Automatic Script Updater

Mark Kretschmann kretschmann at kde.org
Thu Oct 8 16:12:40 CEST 2009


> On Thursday 08 October 2009 09:58:13 Sven Krohlas wrote:
>> > I don't think third-party scripts should be a part of this system. Who
>> > signs them off? By definition not us, as they are 3rd-party. We can't be
>> > the gateway for all 3rd-party script updates. But we don't want to allow
>> > random developers to inject code in Amarok ad-hoc.
>>
>> We can sign the keys of "trustworthy" (a term that has to be defined then)
>> script developers. This way we don't have to sign each and every update but
>> just have to verify that the key used to sign an update was signed by our
>> key. The script package would need to contain the public key and our
>> signature for it then.
>>
>> Trustworthy could be someone
>> * we know personally
>> * has given good contributions to the community for some time
>> * we know the real identity of
>> or something like that.

Sorry, but "trustworthy" would never work in real life. Who wants to
take responsibility?

Let's say that you trust me in general. In reality you would only
trust me with certain things, e.g. fetching ice cream, programming UI
code, whatever. But you would not trust me to do a medical checkup on
you.

Even if you did trust me with medicine, I could screw up. The same
applies to 3rd-party contributors, as an analogy.

-- 
Mark Kretschmann
Amarok Developer
www.kde.org - amarok.kde.org
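
The check proposed in the quoted text (an update signed by a developer key that is itself signed by the project key), as an added example that is not part of the original thread or Amarok's code. The Ed25519 choice, package layout, function names and sample script bytes are assumptions.

```javascript
// Added example: all names and the package layout are assumptions.
const crypto = require('crypto');

// Context labels keep a key endorsement from being replayed as a script
// signature (and vice versa) if one key is ever used for both purposes.
const KEY_CTX = Buffer.from('script-dev-key\0');
const UPDATE_CTX = Buffer.from('script-update\0');

const newKeyPair = () => crypto.generateKeyPairSync('ed25519');
const exportPub = (pub) => pub.export({ type: 'spki', format: 'der' });

// Project side, once per developer: sign the developer's public key.
function endorseDeveloper(projectPriv, devPubDer) {
  return crypto.sign(null, Buffer.concat([KEY_CTX, devPubDer]), projectPriv);
}

// Developer side, per release: sign the script, ship key + endorsement with it.
function buildPackage(devKeys, endorsement, script) {
  const scriptSig = crypto.sign(null, Buffer.concat([UPDATE_CTX, script]), devKeys.privateKey);
  return { script, scriptSig, devPubDer: exportPub(devKeys.publicKey), endorsement };
}

// Client side: only the project public key is pinned in the application.
function verifyPackage(projectPub, pkg) {
  const keyMsg = Buffer.concat([KEY_CTX, pkg.devPubDer]);
  if (!crypto.verify(null, keyMsg, projectPub, pkg.endorsement)) {
    return 'developer-key-not-endorsed';
  }
  // Parse the embedded key only after the project signature over it checks out.
  const devPub = crypto.createPublicKey({ key: pkg.devPubDer, format: 'der', type: 'spki' });
  const updateMsg = Buffer.concat([UPDATE_CTX, pkg.script]);
  if (!crypto.verify(null, updateMsg, devPub, pkg.scriptSig)) {
    return 'update-signature-invalid';
  }
  return 'ok'; // provenance only: says who signed, not that the code is safe
}

// Constructed sample run: valid package, altered script, unendorsed signer.
function demo() {
  const project = newKeyPair(), dev = newKeyPair(), stranger = newKeyPair();
  const endorsement = endorseDeveloper(project.privateKey, exportPub(dev.publicKey));
  const script = Buffer.from('print("sample script v2");'); // constructed bytes
  const good = buildPackage(dev, endorsement, script);
  const tampered = { ...good, script: Buffer.from('print("modified");') };
  const forged = buildPackage(stranger, endorsement, script); // borrows dev's endorsement
  return [good, tampered, forged].map((p) => verifyPackage(project.publicKey, p));
}
console.log(demo());
```

A passing result establishes only which endorsed key signed the bytes; whether that developer's code deserves to run is the question the reply above raises, and the signature chain does not answer it.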