On 6 October 2010 12:08, Robert Collins <robert.coll...@canonical.com> wrote:

> Ok, so what *should* we aim at?
Not doing anything that would get in the way of Ubuntu supporting TCB (an ill-defined term in this context), or make it overly hard to support it in the future. istm that writing our own desktop agent will just increase the amount of code that needs to be updated in this context.

Suppose today you for some reason needed to run some code that you thought possibly would be hostile. I would not run it in the same X session or user account as my real work. I would probably run it in a VM, ideally with some external firewalling of its network connectivity.

Launchpad tokens support that tolerably well: give a new token to that VM. Perhaps create a new bot account specifically for it. The problems would be mostly:

* the permissions are very coarse: if you can get by giving it only anonymous access, that's great; but if it can write under your account, it can cause a fair bit of damage
* the UI to revoke tokens is not great.

One good thing in LP is that it does tend to send mail to people, which gives you an audit trail of kinds.

-- 
Martin