Automatic Script Updater

[Casper van Donderen]

I feel like that for an incremental update the same key should be used and for new scripts it has to be reviewed. 

Casper 
------Original Message------
From: Mark Kretschmann
To: lfranchi at kde.org
To: amarok-devel at kde.org
ReplyTo: amarok-devel at kde.org
Subject: Re: Automatic Script Updater
Sent: Oct 8, 2009 16:12

> On Thursday 08 October 2009 09:58:13 Sven Krohlas wrote:
>> > I don't think third-party scripts should be a part of this system. Who
>> > signs them off? By definition not us, as they are 3rd-party. We can't be
>> > the gateway for all 3rd-party script updates. But we don't want to allow
>> > random developers to inject code in amarok ad-hoc.
>>
>> we can sign the keys of "trustworthy" (a term that has to be defined then)
>> script developers. This way we don't have to sign each and every update but
>> just have to verify that the key used to sign an update was signed by our
>>  key. The script package would need to contain the public key and our
>>  signature for it then.
>>
>> Trustworthy could be someone
>> * we know personally
>> * has given good contributions to the community for some time
>> * we know the real identity of
>> or something like that.

Sorry, but "trustworthy" would never work in real life. Who wants to
take responsibility?

Let's say that you trust me in general. In reality you would only
trust me with certain things, e.g. fetching ice cream, programming UI
code, whatever. But you would not trust me to do a medical checkup on
you.

Even if you did trust me with medicine, I could screw up. The same
applies to 3rd party contributors, as an analogy.

-- 
Mark Kretschmann
Amarok Developer
www.kde.org - amarok.kde.org
_______________________________________________
Amarok-devel mailing list
Amarok-devel at kde.org
https://mail.kde.org/mailman/listinfo/amarok-devel