Brian Cameron wrote:
>
> To make the security issues with the FreeSound extension more clear, I
> updated section 4.7 of the Jokosher ARC materials as follows:
>
> 4.7 Security Impact:
>
> The Jokosher FreeSound extension allows users to login to
> http://www.freesound.org with a username and password. On
> Solaris, the extension is modified to not save the username or
> password information in the user's configuration for better
> security.
>
> Note that a FreeSound account allows users to gain access to free
> sound samples and to post messages on their forum.
>
> Also note that the FreeSound website does not use HTTPS, so
> accessing the account via the Jokosher extension should have the
> same security as accessing it via a normal web browser
> application.
>
> If anyone feels that it would be best to simply remove the FreeSound
> extension from Jokosher to avoid any sort of security concerns, that
> is also possible. It is a nice-to-have feature, not a critical piece
> of Jokosher functionality.

That is in my opinion more than sufficient given what this really is for, and I wouldn't even have asked for that. Ideally this should be pushed upstream or a change to use gnomekeyring pushed upstream.

--
Darren J Moffat