Re: Deskbar Applet, NewStuffManager, 2.16, Installing New Plug-Ins, AutoUpdate, etc.

[Shaun McCance <shaunm gnome org>]

On Wed, 2006-08-02 at 10:45 +1000, Nigel Tao wrote:
> On 8/2/06, Shaun McCance <shaunm gnome org> wrote:
> > With an automated listy-clicky thing, you don't get to see
> > explicit files, and you have no way of checking against a
> > checksum or a digital signature.
> 
> Yeah, an example: suppose there's a hypothetical
> intended-for-use-for-five-years distro that shipped this listy-clicky
> thing (without some means of verification).  One day, years down the
> track, some user goes through the GUI, and picks up the master list
> from http://raphael.slinckx.net/deskbar/repository/deskbar-repository.xml
> [1], which links to
> http://some.web.site/my-awesome-deskbar-extension.tar.bz2.  This code
> looked good at the time it was added to the master list, but in the
> mean time, the domain registration for some.web.site expired and a
> villian has picked it up, and now serves up evil spyware versions of
> the extension to our poor user.  Bad.
> 
> [1] Really, if NewStuffManager is to be part of GNOME, a stable
> version of NewStuffManager should only point to a master list hosted
> somewhere under gnome.org, I reckon.

This is something else I meant to mention.  Once
that URL is in a stable shipping product, it can
(and should) be considered a stable API.  We can
never remove that URL without breaking existing
installations of Gnome.

--
Shaun