Automatic Script Updater

Jakob Kummerow jakob.kummerow at googlemail.com
Sat Oct 10 13:25:05 CEST 2009


Apparently you have quite mixed opinions about what to do with
3rd-party scripts. I think there's no rush to decide anything; as I
said the updater will install any updates it finds, so it's just a
matter of putting them onto the server -- *which* updates to put there
can therefore be decided on a case-by-case basis.
I think we *could* be the central updating gateway for 3rd-party
scripts if we wanted to; on the other hand that isn't directly
necessary as 3rd-party script authors can update their scripts any
time they want to anyway, deploying the update via GHNS (which, of
course, requires user interaction, i.e. users have to check for
updates and apply them manually). So, if in a particular case we think
that it's extremely important for an update to a 3rd-party extension
to be deployed, we could use our automatic updater for that by just
putting the update on our server; but I don't think that this case is
very likely to occur.
Adding 3rd-party keys that are in turn signed by our key would be
possible as well. If we come to agree that we want this, I'd propose
to add it in a later version. Also, we could use the script.spec file
to let each script define individually where to get its updates from,
so a central repository (such as our server or kde-apps.org) wouldn't
even be necessary.

Nobody ever said that my updater in its current form was the best
solution for all eternity (for example, if GHNS ever supports
auto-updates, we might switch to using that). But I firmly believe
that having it is better than not having it, so I'd like to merge it
into master before it's too late for 2.2.1. Do I have permission to do
so?

With respect to merging, two things need to be decided:

(1) Which URL should I define for the updates repository?
http://amarok.kde.org/updates?

(2) Who generates the key pair that will be used? (The public key must
be set in ScriptUpdater.h.)
I can do that, if you want me to, but I wouldn't be surprised (nor
angry) if you decided to keep that responsibility among long-term
Amarok developers.
In the former case, we would then need to discuss how I can transmit
the private key to a select few other developers, because it wouldn't
be wise to have only one person who can create signatures. Sending the
key file itself in an encrypted e-mail and the associated password via
snail-mail would be secure enough and relatively easy to do, I'd say.
In the latter case, would someone please generate a key (using the
tool from my git clone at
http://gitorious.org/~jmrk/amarok/jmrk-clone/trees/scriptupdater or
from the patch in the first mail of this thread, starting it as
'amarok-update-signer keygen') and email me the public key? (As the
name "public key" implies, it does not need to be kept secure and can
easily be transmitted via unencrypted e-mail.)

Jakob

