[prev in list] [next in list] [prev in thread] [next in thread] 

List:       kde-devel
Subject:    Re: running scripts as user "nobody"
From:       Andras Mantia <amantia () kde ! org>
Date:       2006-07-13 20:03:56
Message-ID: 200607132303.56217.amantia () kde ! org
[Download RAW message or body]

[Attachment #2 (multipart/signed)]


On Thursday 13 July 2006 07:27, Robby Stephenson wrote:
> Is there a feasible way, at
> all, to enable a user to download scripts that update or expand an
> app's functionality? Is is to use KNewStuffSecure? Is is just to have
> the app link to a webpage that puts big red letters on a page and
> requires 4 clicks to download the script?

I think some kind of verifying the source is needed, and we decided that 
gpg signing is a good choice. What your app should not never do is to 
execute those scripts without the user's letting them to run. 
Exceptions might be such extensions that are written in your own 
scripting language, with limited API and controlled/processed by your 
application.
So I suggest:
- use KNewStuffSecure
- warn the user with some dialogs
- controll what the users can download. With KNewStuff this is easy, you 
put only the verified scripts on the server. 


Andras

-- 
Quanta Plus developer - http://quanta.kdewebdev.org
K Desktop Environment - http://www.kde.org

[Attachment #5 (application/pgp-signature)]

>> Visit http://mail.kde.org/mailman/listinfo/kde-devel#unsub to unsubscribe <<


[prev in list] [next in list] [prev in thread] [next in thread]