Automatic Script Updater

Leo Franchi lfranchi at kde.org
Fri Oct 16 15:36:22 CEST 2009


(top-posting to summarize)

For now, why don't we do the script updater just for the scripts that
we bundle with Amarok. We'll do the hosting on kollide, one or two of
us will have the private key, and we can see how it works in practice.

If it's not as we want, we can always revert for 2.2.1 and try again
for 2.2.2. But it's worth a shot, especially as the code is already
written.

leo


On 10 Oct 2009, at 07:25, Jakob Kummerow wrote:

> Apparently you have quite mixed opinions about what to do with
> 3rd-party scripts. I think there's no rush to decide anything; as I
> said the updater will install any updates it finds, so it's just a
> matter of putting them onto the server -- *which* updates to put there
> can therefore be decided on a case-by-case basis.
> I think we *could* be the central updating gateway for 3rd-party
> scripts if we wanted to; on the other hand that isn't directly
> necessary as 3rd-party script authors can update their scripts any
> time they want to anyway, deploying the update via GHNS (which, of
> course, requires user interaction, i.e. users have to check for
> updates and apply them manually). So, if in a particular case we think
> that it's extremely important for an update to a 3rd party extension
> to be deployed, we could use our automatic updater for that by just
> putting the update on our server; but I don't think that this case is
> very likely to occur.
> Adding 3rd-party keys that are in turn signed by our key would be
> possible as well. If we come to agree that we want this, I'd propose
> to add it in a later version. Also, we could use the script.spec file
> to let each script define individually where to get its updates from,
> so a central repository (such as our server or kde-apps.org) wouldn't
> even be necessary.
>
> Nobody ever said that my updater in its current form was the best
> solution for all eternity (for example, if GHNS ever supports
> auto-updates, we might switch to using that). But I firmly believe
> that having it is better than not having it, so I'd like to merge it
> into master before it's too late for 2.2.1. Do I have permission to do
> so?
>
> With respect to merging, two things need to be decided:
>
> (1) Which URL should I define for the updates repository?
> http://amarok.kde.org/updates?
>
> (2) Who generates the key pair that will be used? (The public key must
> be set in ScriptUpdater.h.)
> I can do that, if you want me to, but I wouldn't be surprised (nor
> angry) if you decided to keep that responsibility among long-term
> Amarok developers.
> In the former case, we would then need to discuss how I can transmit
> the private key to a select few other developers, because it wouldn't
> be wise to have only one person who can create signatures. Sending the
> key file itself in an encrypted e-mail and the associated password via
> snail-mail would be secure enough and relatively easy to do, I'd say.
> In the latter case, would someone please generate a key (using the
> tool from my git clone at
> http://gitorious.org/~jmrk/amarok/jmrk-clone/trees/scriptupdater or
> from the patch in the first mail of this thread, starting it as
> 'amarok-update-signer keygen') and email me the public key? (As the
> name "public key" implies, it does not need to be kept secure and can
> easily be transmitted via unencrypted e-mail.)
>
> Jakob

---
Leo Franchi				(512) 775 5637
Tufts University 2010

lfranchi at kde.org
leonardo.franchi at tufts.edu
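
The signing model discussed in this thread (a project key whose public half is built into the updater, plus the proposed 3rd-party keys signed by that key), sketched as an added example that is not from the thread or from Amarok's code. It assumes openssl as a stand-in for amarok-update-signer, whose algorithm and file layout are not stated here; all keys, file names and function names are constructed.

```shell
#!/bin/sh
# Added example with constructed keys and files. openssl stands in for
# amarok-update-signer, whose real algorithm and file layout are not shown here.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

keygen() {   # keygen NAME -> $WORK/NAME.key (private), $WORK/NAME.pub (public)
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/$1.key" 2>/dev/null &&
    openssl pkey -in "$WORK/$1.key" -pubout -out "$WORK/$1.pub"
}
sign() {     # sign NAME FILE -> FILE.sig, made with NAME's private key
    openssl dgst -sha256 -sign "$WORK/$1.key" -out "$2.sig" "$2"
}
verify() {   # verify PUBKEY FILE -> exit 0 only if FILE.sig is valid under PUBKEY
    [ -f "$2.sig" ] &&
    openssl dgst -sha256 -verify "$1" -signature "$2.sig" "$2" >/dev/null 2>&1
}

# Updater-side policy. Only project.pub is trusted a priori (the role the
# thread gives to the public key set in ScriptUpdater.h).
accept_update() {   # accept_update ARCHIVE [AUTHOR_PUBKEY]
    if [ -z "${2:-}" ]; then
        verify "$WORK/project.pub" "$1"       # signed directly by the project key
    else
        verify "$WORK/project.pub" "$2" &&    # author key vouched for by the project
        verify "$2" "$1"                      # archive signed by that author key
    fi
}

keygen project; keygen author; keygen rogue
printf 'bundled script v2\n'     > "$WORK/bundled.tar"
printf 'third-party script v5\n' > "$WORK/thirdparty.tar"
printf 'unvetted script\n'       > "$WORK/rogue.tar"
sign project "$WORK/bundled.tar"
sign project "$WORK/author.pub"        # delegation: project signs the author's key
sign author  "$WORK/thirdparty.tar"
sign rogue   "$WORK/rogue.tar"         # rogue.pub was never signed by the project
# Tampered copy: original signature, modified content.
cp "$WORK/bundled.tar.sig" "$WORK/tampered.tar.sig"
printf 'bundled script v2\nextra line\n' > "$WORK/tampered.tar"

report() { if accept_update "$@"; then echo "install $1"; else echo "reject  $1"; fi; }
report "$WORK/bundled.tar"
report "$WORK/thirdparty.tar" "$WORK/author.pub"
report "$WORK/tampered.tar"
report "$WORK/rogue.tar" "$WORK/rogue.pub"
```

In this sketch a project-signed author key can sign any archive; limiting a delegated key to one script would require putting the script's name inside the data the project signs.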


