To make the security issues with the FreeSound extension more clear, I 
updated section 4.7 of the Jokosher ARC materials as follows:

    4.7 Security Impact:

        The Jokosher FreeSound extension allows users to log in to
        http://www.freesound.org with a username and password.  On
        Solaris, the extension is modified to not save the username or
        password information in the user's configuration for better
        security.

        Note that a FreeSound account allows users to gain access to free
        sound samples and to post messages on their forum.

        Also note that the FreeSound website does not use HTTPS, so
        accessing the account via the Jokosher extension should have the
        same security as accessing it via a normal web browser
        application.

If anyone feels that it would be best to simply remove the FreeSound
extension from Jokosher to avoid any sort of security concerns, that
is also possible.  It is a nice-to-have feature, not a critical piece
of Jokosher functionality.

Brian


Brian Cameron wrote:
> Template Version: @(#)sac_nextcase 1.68 02/23/09 SMI
> This information is Copyright 2009 Sun Microsystems
> 1. Introduction
>     1.1. Project/Component Working Name:
>        Jokosher
>     1.2. Name of Document Author/Supplier:
>        Author:  Brian Cameron
>     1.3  Date of This Document:
>       20 May, 2009
> 4. Technical Description
> Template Version: @(#)sac_nextcase %I% %G% SMI
> This information is Copyright 2008 Sun Microsystems
> 
> 1. Introduction
>    1.1. Project/Component Working Name:
> 
>         jokosher
> 
>    1.2. Name of Document Author/Supplier:
> 
>         Author:  Brian Cameron
> 
>    1.3  Date of This Document:
> 
>         12 May 2009
> 
>    1.4. Name of Major Document Customer(s)/Consumer(s):
>         1.4.1. The PAC or CPT you expect to review your project:
> 
>                Solaris PAC
> 
>         1.4.2. The ARC(s) you expect to review your project:
> 
>                LSARC
> 
>         1.4.3. The Director/VP who is "Sponsoring" this project:
> 
>                Robert O'Dea
> 
>         1.4.4. The name of your business unit:
> 
>                Software - OPG
> 
>    1.5. Email Aliases:
>         1.5.1. Responsible Manager: 
> 
>                leo.binchy at sun.com
> 
>         1.5.2. Responsible Engineer:
> 
>                brian.cameron at sun.com
> 
>         1.5.3  Marketing Manager:
> 
>                glynn.foster at sun.com
> 
>         1.5.4. Interest List: 
> 
>                desktop-discuss at opensolaris.org 
> 
> 2. Project Summary
>    2.1. Project Description:
> 
>         jokosher is a simple, yet powerful multi-track studio written in Python
>         that uses GStreamer and gnonlin.  With jokosher you can create and
>         record music, podcasts and more, all from an integrated simple
>         environment.  It supports recording, editing (e.g. splitting, trimming,
>         moving), mixing, and exporting audio.  It supports all audio formats
>         that are supported by GStreamer.  Users can, for example, purchase
>         plugins from Fluendo to enable MP3 or WindowsMedia Audio support.
> 
>         jokosher uses the GPL license and contains a license exception which
>         allows distribution with non-free GStreamer-plugins.
> 
> 4. Technical Description:
>    4.1. Details:
> 
>         Jokosher provides a multi-track interface for recording and mixing
>         audio.  Jokosher supports two workspace modes: the Recording Workspace
>         and the Mixing Workspace.  The user simply toggles between the two
>         modes by clicking on the "Audio Mixers" button in the toolbar.
> 
>         When in the Recording Workspace mode, the user may create multiple
>         audio tracks.  The tracks may either be an existing audio file which
>         the user can specify, or be an instrument.  The instrument setting is
>         intended to be used when the user intends to record the track into
>         jokosher.  
> 
>         Jokosher provides a set of Instrument files, which simply specify a
>         label and an icon for the instrument.  When a track is associated with
>         an instrument then the track is shown with this label and icon so that
>         the user can easily determine what instrument is associated with each
>         track.
> 
>         When in the Mixing Workspace mode the user can specify the volume level
>         and balance setting for each track.  Once the mix is specified, then
>         the user can use jokosher's "Mixdown" feature to save the final audio
>         mix to a file in the desired audio format.  The Mixdown dialog also
>         allows the user to run user-specified scripts to do any desired actions
>         once the mix is completed, such as to upload the file to a server or to
>         create a playlist.
> 
>         Jokosher projects can be saved in a file format with the extension
>         ".jokosher".  When reloaded, the track and mixing settings and all
>         preferences are restored so a user can continue working on a project.
>         These files are associated with the MIME type "application/x-jokosher".
> 
>         Jokosher provides extensions which allow third party developers to add
>         features to Jokosher to make it support file types or support 
>         additional functionality.  Jokosher includes an extensions manager
>         which allows users to add, remove, or configure extensions. [1]
> 
>         By default jokosher includes the following extensions:
> 
>         - A "Set Tempo" extension which allows the user to set the tempo for
>           a project by clicking on a button on each beat during playback.
>         - A "Minimal Mode" extension which changes the UI to a minimal
>           appearance
>         - An "Instrument Type Manager" extension which allows the user to 
>           specify the label and icon for new instruments, and to delete any
>           previously added instruments.
>         - A "Search FreeSound" extension which will search the FreeSound
>           library of freely licensable and usable sound clips.  The FreeSound
>           library can be found at http://www.freesound.org/.
>         - An "Extension Console" which provides a fully functional python
>           console with access to the jokosher extension API and jokosher
>           internals.  Useful for writing or debugging extension code.
>         - A "Jokosher D-Bus API" extension which allows other processes to 
>           call Jokosher extension API functions via D-Bus.
> 
>         Note that, by default, the jokosher FreeSound extension saves the
>         user's FreeSound username and password in plaintext in the user's
>         jokosher $HOME configuration.  When the plugin is used after initial
>         login, the username and password values are filled in for the user.
> 
>         However, on Solaris, we will patch the code so that this feature is
>         disabled, and the FreeSound extension will not save the username and
>         password information to the user's $HOME directory.  This will mean
>         the user will need to re-enter this information each time they restart
>         jokosher and wish to use this plugin.
>           
>    4.2. Interfaces:
>         
>       Exported Interfaces                          Stability   Comments
>       -------------------------------------------  ----------  ----------------
> 
>       /usr/bin/jokosher                            Volatile     Jokosher
>                                                                 application.
>       /usr/lib/python2.6/vendor-packages/Jokosher  Volatile     Jokosher python
>                                                                 implementation.
>       /usr/share/applications/jokosher.desktop     Volatile     Jokosher desktop
>                                                                 file.
>       /usr/share/gnome/help/jokosher               Volatile     Jokosher help
>                                                                 files.
>       /usr/share/jokosher                          Volatile     Jokosher
>                                                                 internal data.
>       /usr/share/jokosher/Instruments              Volatile     Jokosher
>                                                                 instrument
>                                                                 files.
>       /usr/share/jokosher/extensions               Volatile     Jokosher
>                                                                 extension files.
>       /usr/share/jokosher/pixmaps                  Project      Jokosher image
>                                                    Private      files.
>       /usr/share/icons/hicolor/48x48/apps/jokosher.png         
>                                                    Project      Jokosher
>                                                    Private      application
>                                                                 image.
>       /usr/share/pixmaps/jokosher.png              Project      Jokosher
>                                                    Private      application
>                                                                 image.
>       /usr/share/mime/packages/jokosher.xml        Volatile     Specifies the
>                                                                 MIME type for
>                                                                 jokosher files.
>       /usr/share/omf/jokosher                      Project      Jokosher OMF 
>                                                    Private      files.
>       $HOME/.local/share/jokosher                  Volatile     Jokosher user
>                                                                 configuration
> 
>       SUNWgnonlin                                  Uncommitted  Package.
>       SUNWjokosher                                 Uncommitted  Package.
> 
>  
>       Imported Interfaces    Stability          Comments
>       ---------------        ---------------    -----------------------
>       GNOME Base Libraries   Committed          LSARC 2006/202
>       GStreamer              Volatile           LSARC/2006/202
>       GNonLin                Volatile           Not yet filed
>       Python                 External           PSARC/2005/532  Python
>                              Evolving           Migration from /usr/sfw 
>                                                 to /usr and upgrade to v2.4.x
>       gst-python             Volatile           LSARC 2008/105
>       Pygtk, gnome-python    Unstable           LSARC 2005/506
>       D-Bus                  Volatile           LSARC 2006/368
>       Python Setuptools      Uncommitted        PSARC 2008/084
> 
>    4.3. Doc Impact:
> 
>         jokosher includes Help documentation.  Jokosher does not ship with any
>         developer documentation, but the help files do point to the Jokosher
>         developer website for more information about doing things like writing
>         extensions.
> 
>    4.4. Packaging & Delivery:
>         
>         SUNWjokosher - jokosher application.
> 
>    4.5. Dependencies:
> 
>         The ARC case for GNonLin, which is being submitted at the same time
>         as this case.  I will update this section and the Comments value for
>         GNonLin in the Imported Interface table to include the ARC number
>         when available.
> 
>    4.6. L10N Impact:
> 
>         The Desktop team and the G11N are working together to evaluate and
>         provide I18N/L10N support.
> 
>    4.7 Security Impact:
> 
>        None.
>        
> 5. Reference Documents:
> 
>        [1] Jokosher Extensions Documentation
>        http://userdocs.jokosher.org/Extensions/
> 
>        Jokosher Website and User Documentation:
>        http://www.jokosher.org/
>        http://userdocs.jokosher.org/
> 
> 6. Resources and Schedule
>     6.4. Steering Committee requested information
>       6.4.1. Consolidation C-team Name:
>               Desktop
>     6.5. ARC review type: FastTrack
>     6.6. ARC Exposure: open
> 