[ Aren Olson ]
> Packaging them raises a few problems, namely
>
> 1) our current architecture isn't designed to support this
> 2) we can't distribute updates to plugins quickly if, for example, the
> API for a particular web service is changed
>
> in discussion of this bug in launchpad, we came up with the following
> possible solution:
>
> 1) store an sha/md5 hash of the plugin archive in the plugin list
> 2) GPG sign this plugin list

The problem with doing this is establishing trust. Users will not only
need GPG installed, they'll need to import the key that was used to sign
the list, and they'll need to know that it's a key that can be trusted
(i.e. that it's actually your key).

Basically, it constitutes some improvement in security, but at the cost
of being a pain to do /correctly/.

> in the event that the user does not have GPG installed, downloading
> from the internet would be disabled.
>
> if this is acceptable, we will implement it and release it in 0.2.14
>
> on another note, exaile 0.3 will allow for packaging plugins and for
> installing plugins from manually-downloaded files as well as from the
> server, so for the 0.3 series you will be able to distribute the
> plugins as packages and we can still distribute updates to the user
> via our system if they choose to enable updates and have GPG
> installed.

This sounds like a win-win.

-- 
Eric Evans
[EMAIL PROTECTED]
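The scheme discussed in this thread (a signed plugin list carrying a hash per archive, with downloads disabled when GPG is missing) can be sketched as follows. This is an added example, not Exaile's code and not part of the original message: the function names, the `<sha256 hex>  <archive name>` list format, the use of SHA-256 and the use of `gpgv` with a keyring shipped alongside the application are all assumptions.

```python
import hashlib
import hmac
import shutil
import subprocess

def list_signature_ok(list_path, sig_path, keyring_path, binary="gpgv"):
    """True only if gpgv accepts the detached signature under the pinned keyring."""
    if shutil.which(binary) is None:
        return False  # no GPG tooling: fail closed, as proposed in the thread
    # Pass keyring_path as an absolute path; gpgv resolves slash-free names
    # relative to its own home directory.
    result = subprocess.run([binary, "--keyring", keyring_path, sig_path, list_path],
                            capture_output=True)
    return result.returncode == 0

def parse_plugin_list(text):
    """Parse '<sha256 hex>  <archive name>' lines (assumed list format)."""
    entries = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2 or parts[0].startswith("#"):
            continue  # blank, comment or malformed line: no entry is created
        entries[parts[1]] = parts[0].lower()
    return entries

def archive_matches(entries, name, archive_bytes):
    """Compare the downloaded archive's digest with the one in the signed list."""
    expected = entries.get(name)
    if expected is None:
        return False  # archive not named in the signed list
    actual = hashlib.sha256(archive_bytes).hexdigest()
    return hmac.compare_digest(actual.encode(), expected.encode())

def may_install(name, archive_bytes, list_text, signature_valid):
    """The list must be authenticated before any hash in it is trusted."""
    if not signature_valid:
        return False
    return archive_matches(parse_plugin_list(list_text), name, archive_bytes)

# Constructed sample data (not real Exaile plugins).
SAMPLE_ARCHIVE = b"constructed plugin archive bytes"
SAMPLE_LIST = ("# constructed plugin list\n%s  example-plugin.tar.gz\n"
               % hashlib.sha256(SAMPLE_ARCHIVE).hexdigest())

if __name__ == "__main__":
    print(may_install("example-plugin.tar.gz", SAMPLE_ARCHIVE, SAMPLE_LIST, True))
    print(may_install("example-plugin.tar.gz", SAMPLE_ARCHIVE + b"x", SAMPLE_LIST, True))
```

The hash check only transfers trust from the list to the archive; the trust in the list itself still rests on how the verifying key reached the user, which is the concern raised in the reply above.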