On Wed, 2006-08-02 at 10:45 +1000, Nigel Tao wrote: > On 8/2/06, Shaun McCance <[EMAIL PROTECTED]> wrote: > > With an automated listy-clicky thing, you don't get to see > > explicit files, and you have no way of checking against a > > checksum or a digital signature. > > Yeah, an example: suppose there's a hypothetical > intended-for-use-for-five-years distro that shipped this listy-clicky > thing (without some means of verification). One day, years down the > track, some user goes through the GUI, and picks up the master list > from http://raphael.slinckx.net/deskbar/repository/deskbar-repository.xml > [1], which links to > http://some.web.site/my-awesome-deskbar-extension.tar.bz2. This code > looked good at the time it was added to the master list, but in the > mean time, the domain registration for some.web.site expired and a > villian has picked it up, and now serves up evil spyware versions of > the extension to our poor user. Bad. > > [1] Really, if NewStuffManager is to be part of GNOME, a stable > version of NewStuffManager should only point to a master list hosted > somewhere under gnome.org, I reckon.
This is something else I meant to mention. Once that URL is in a stable shipping product, it can (and should) be considered a stable API. We can never remove that URL without breaking existing installations of Gnome. -- Shaun _______________________________________________ desktop-devel-list mailing list [email protected] http://mail.gnome.org/mailman/listinfo/desktop-devel-list
