Quoting Felipe Sateler (2017-10-04 00:32:21)
> On Tue, Oct 3, 2017 at 7:04 PM, Jonas Smedegaard <d...@jones.dk> wrote:
>> Quoting Felipe Sateler (2017-10-03 23:32:24)
>>> On Tue, Oct 3, 2017 at 5:49 PM, Jonas Smedegaard <d...@jones.dk> wrote:
>>>> Kodi supports downloading and loading addons at runtime.
>>>>
>>>> The official addon feed is served only via http and contains non-free addons.
>>>>
>>>> Allowing the system to be extended with non-free addons at runtime by default is arguably an anti-feature in itself. Doing so insecurely poses a risk of malicious code getting into users' homes and being executed by Kodi.
>>>>
>>>> The attached patch relaxes this to make the addon feed optional.
>>>
>>> Making plugin feeds optional sounds good though.
>>
>> Right.
>>
>> I realize my choice of words might be confusing: the feed is optional in the code with the patch, meaning it won't fail to start if the feed is missing. On the packaging level I however intend at first to have kodi _recommend_ the feed, so it will be pulled in by default - so until an alternative exists it is an "opt-out" not an "opt-in".
>
> BTW, I think there are two issues conflated here:
>
> 1. Insecure downloading of code
> 2. Non-free addons available by default.
>
> I think your patch mainly addresses issue number 2, doesn't it? Fixing issue 1 would require asking upstream to provide https://mirrors.kodi.tv/addons/krypton/addons.xml.gz.md5 (and upgrade to a better hash algorithm).
Uhm, my patch is the very window to not require upstream to solve the security issue: when I can set up a curated service with DFSG-free parts, then (because my code will be released as Free software) you can set up a curated service of all parts.

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet architect
 * Tel.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
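The thread's "issue 1" is the unauthenticated feed download: a sidecar digest file (addons.xml.gz.md5) and a move away from MD5. As an added example that is not part of the thread, and not Kodi's or Debian's code, the block below shows what the client-side check looks like. It assumes the sidecar uses the md5sum(1) text format (`<hexdigest>  <filename>`, or a bare hex digest); that format, the sample feed contents and the filenames are constructed for the example, not taken from mirrors.kodi.tv. It also makes the caveat concrete that a practitioner would raise on the proposal: when the archive and its digest travel over the same plain-http connection, whoever controls that path can replace both consistently, so the digest detects corruption but does not authenticate the feed regardless of which hash is used.

```python
"""Verify a downloaded addon feed against a sidecar digest file.

Added example, not Kodi's or Debian's code. Assumes the sidecar uses the
md5sum(1) text format ("<hexdigest>  <filename>", or a bare hexdigest);
that is an assumption for this example, not something the thread states.
"""
import gzip
import hashlib
import hmac

# Constructed sample feed: a minimal addons.xml, gzipped as a mirror would serve it.
FEED_XML = (b'<?xml version="1.0"?>'
            b'<addons><addon id="example.addon" version="1.0.0"/></addons>')
FEED_GZ = gzip.compress(FEED_XML, mtime=0)


def make_digest_file(data: bytes, algo: str, filename: str = "addons.xml.gz") -> str:
    """Produce the sidecar text an upstream would publish next to the archive."""
    return f"{hashlib.new(algo, data).hexdigest()}  {filename}\n"


def parse_digest_file(text: str, algo: str) -> str:
    """Extract the hex digest from an md5sum/sha256sum-style file.

    Accepts either a bare digest or "digest  filename". Rejects anything
    whose length does not match the algorithm, so a truncated file or a
    digest of the wrong type fails closed instead of silently mismatching.
    """
    stripped = text.strip()
    first_line = stripped.splitlines()[0] if stripped else ""
    digest = first_line.split()[0].lower() if first_line else ""
    expected_len = hashlib.new(algo).digest_size * 2
    if len(digest) != expected_len or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError(f"malformed {algo} digest file")
    return digest


def verify_feed(data: bytes, digest_text: str, algo: str) -> bool:
    """Return True only if data hashes to the published digest.

    hmac.compare_digest keeps the comparison constant-time. Limit of the
    check: if archive and digest both arrive over the same plain-http
    connection, an attacker on that path can replace both consistently, so
    this only detects corruption. Authenticity needs TLS for the fetch or a
    signature over the digest file; switching MD5 for SHA-256 does not change that.
    """
    expected = parse_digest_file(digest_text, algo)
    actual = hashlib.new(algo, data).hexdigest()
    return hmac.compare_digest(actual, expected)


def demo() -> dict:
    """Run the legacy MD5 check and a SHA-256 check on intact and tampered feeds."""
    # Constructed tampered feed: an extra addon entry injected into the XML, then regzipped.
    tampered_xml = FEED_XML.replace(
        b"</addons>", b'<addon id="evil.addon" version="9.0.0"/></addons>')
    tampered_gz = gzip.compress(tampered_xml, mtime=0)
    results = {}
    for algo in ("md5", "sha256"):
        sidecar = make_digest_file(FEED_GZ, algo)
        results[algo] = {
            "intact": verify_feed(FEED_GZ, sidecar, algo),
            "tampered": verify_feed(tampered_gz, sidecar, algo),
        }
    return results


if __name__ == "__main__":
    for algo, outcome in demo().items():
        print(algo, outcome)
```

Both algorithms accept the intact archive and reject the modified one; the upgrade from MD5 matters against a forged archive engineered to collide with the published digest, not against an attacker who can rewrite the digest file in transit.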