Chris Browet wrote:
I guess an hybrid solution would work, if merkaartor is split into multiple components using the Qt plugin system: - Have releases as it is now - Make merkaartor checks for updated components online, download them in the homedir, and make merkaartor use those ones instead of the packaged ones if their versions is greater.
I don't know if it's really a good idea on Linux to forcefully bypass the package manager! If I want to keep a software up-to-date as regular user, I install it below $HOME!
And *please* keep security in mind if you plan to automatically fetch binary executables from internet! You at least need a secure connection to a server, hosting checksum files. Means, that you have to fetch the checksums for the binary files via HTTPS, which is, so far, impossible on merkaartor.be.
Firefox uses a https:// URL to fetch the "status file", which contains location to the update files including checksums (AFAIR sha1 checksums).
If you plan to transfer update files via insecure connection, *please* disable this by default! It has been demonstrated for Firefox, in the past, that it's really easy to do a "man in the middle" attack and simulate a update for $FIREFOXADDON to be available, where the download URL points to a malicous file. Since this, Firefox not longer allowes update information transfers via regular HTTP.
Yours Manuel Reimer _______________________________________________ Merkaartor mailing list [email protected] http://lists.openstreetmap.org/listinfo/merkaartor
