I am marking this case as closed approved 06/03/2009. The only issue raised was about the way the username/password is stored by the FreeSound extension, but the security experts expressed that just modifying the code to not save the username and password information in the user's $HOME configuration is sufficient.

Brian

John Fischer wrote:
> +1
>
> John
>
> Brian Cameron wrote:
>>
>> To make the security issues with the FreeSound extension more clear, I
>> updated section 4.7 of the Jokosher ARC materials as follows:
>>
>> 4.7 Security Impact:
>>
>>     The Jokosher FreeSound extension allows users to login to
>>     http://www.freesound.org with a username and password.  On
>>     Solaris, the extension is modified to not save the username or
>>     password information in the user's configuration for better
>>     security.
>>
>>     Note that a FreeSound account allows users to gain access to free
>>     sound samples and to post messages on their forum.
>>
>>     Also note that the FreeSound website does not use HTTPS, so
>>     accessing the account via the Jokosher extension should have the
>>     same security as accessing it via a normal web browser
>>     application.
>>
>> If anyone feels that it would be best to simply remove the FreeSound
>> extension from Jokosher to avoid any sort of security concerns, that
>> is also possible.  It is a nice-to-have feature, not a critical piece
>> of Jokosher functionality.
>>
>> Brian
>>
>>
>> Brian Cameron wrote:
>>> Template Version: @(#)sac_nextcase 1.68 02/23/09 SMI
>>> This information is Copyright 2009 Sun Microsystems
>>> 1. Introduction
>>>     1.1. Project/Component Working Name:
>>>          Jokosher
>>>     1.2. Name of Document Author/Supplier:
>>>          Author:  Brian Cameron
>>>     1.3  Date of This Document:
>>>          20 May, 2009
>>> 4. Technical Description
>>> Template Version: @(#)sac_nextcase %I% %G% SMI
>>> This information is Copyright 2008 Sun Microsystems
>>>
>>> 1. Introduction
>>>     1.1. Project/Component Working Name:
>>>
>>>          jokosher
>>>
>>>     1.2. Name of Document Author/Supplier:
>>>
>>>          Author: Brian Cameron
>>>
>>>     1.3  Date of This Document:
>>>
>>>          12 May 2009
>>>
>>>     1.4. Name of Major Document Customer(s)/Consumer(s):
>>>          1.4.1. The PAC or CPT you expect to review your project:
>>>
>>>                 Solaris PAC
>>>
>>>          1.4.2. The ARC(s) you expect to review your project:
>>>
>>>                 LSARC
>>>
>>>          1.4.3. The Director/VP who is "Sponsoring" this project:
>>>
>>>                 Robert O'Dea
>>>
>>>          1.4.4. The name of your business unit:
>>>
>>>                 Software - OPG
>>>
>>>     1.5. Email Aliases:
>>>          1.5.1. Responsible Manager:
>>>                 leo.binchy at sun.com
>>>
>>>          1.5.2. Responsible Engineer:
>>>
>>>                 brian.cameron at sun.com
>>>
>>>          1.5.3  Marketing Manager:
>>>
>>>                 glynn.foster at sun.com
>>>
>>>          1.5.4. Interest List:
>>>                 desktop-discuss at opensolaris.org
>>> 2. Project Summary
>>>     2.1. Project Description:
>>>
>>>          jokosher is a simple, yet powerful multi-track studio written
>>>          in Python that uses GStreamer and gnonlin.  With jokosher you
>>>          can create and record music, podcasts and more, all from an
>>>          integrated simple environment.  It supports recording, editing
>>>          (e.g. splitting, trimming, moving), mixing, and exporting
>>>          audio.  It supports all audio formats that are supported by
>>>          GStreamer.  Users can, for example, purchase plugins from
>>>          Fluendo to enable MP3 or WindowsMedia Audio support.
>>>
>>>          jokosher uses the GPL license and contains a license exception
>>>          which allows distribution with non-free GStreamer-plugins.
>>>
>>> 4. Technical Description:
>>>     4.1. Details:
>>>
>>>          Jokosher provides a multi-track interface for recording and
>>>          mixing audio.  Jokosher supports two workspace modes: the
>>>          Recording Workspace and the Mixing Workspace.  The user simply
>>>          toggles between the two modes by clicking on the "Audio
>>>          Mixers" button in the toolbar.
>>>
>>>          When in the Recording Workspace mode, the user may create
>>>          multiple audio tracks.  The tracks may either be an existing
>>>          audio file which the user can specify, or be an instrument.
>>>          The instrument setting is intended to be used when the user
>>>          intends to record the track into jokosher.  Jokosher provides
>>>          a set of Instrument files, which simply specify a label and an
>>>          icon for the instrument.  When a track is associated with an
>>>          instrument then the track is shown with this label and icon so
>>>          that the user can easily determine what instrument is
>>>          associated with each track.
>>>
>>>          When in the Mixing Workspace mode the user can specify the
>>>          volume level and balance setting for each track.  Once the mix
>>>          is specified, then the user can use jokosher's "Mixdown"
>>>          feature to save the final audio mix to a file in the desired
>>>          audio format.  The Mixdown dialog also allows the user to run
>>>          user-specified scripts to do any desired actions once the mix
>>>          is completed, such as to upload the file to a server or to
>>>          create a playlist.
>>>
>>>          Jokosher projects can be saved in a file format with the
>>>          extension ".jokosher".  When reloaded, the track and mixing
>>>          settings and all preferences are restored so a user can
>>>          continue working on a project.  These files are associated
>>>          with the MIME type "application/x-jokosher".
>>>
>>>          Jokosher provides extensions which allow third party
>>>          developers to add features to Jokosher to make it support file
>>>          types or support additional functionality.  Jokosher includes
>>>          an extensions manager which allows users to add, remove, or
>>>          configure extensions. [1]
>>>
>>>          By default jokosher includes the following extensions:
>>>
>>>          - A "Set Tempo" extension which allows the user to set the
>>>            tempo for a project by clicking on a button on each beat
>>>            during playback.
>>>          - A "Minimal Mode" extension which changes the UI to a minimal
>>>            appearance
>>>          - An "Instrument Type Manager" extension which allows the user
>>>            to specify the label and icon for new instruments, and to
>>>            delete any previously added instruments.
>>>          - A "Search FreeSound" extension which will search the
>>>            FreeSound library of freely licensable and usable sound
>>>            clips.  The FreeSound library can be found at
>>>            http://www.freesound.org/.
>>>          - An "Extension Console" which provides a fully functional
>>>            python console with access to the jokosher extension API and
>>>            jokosher internals.  Useful for writing or debugging
>>>            extension code.
>>>          - A "Jokosher D-Bus API" extension which allows other
>>>            processes to call Jokosher extension API functions via
>>>            D-Bus.
>>>
>>>          Note that, by default, the jokosher FreeSound extension saves
>>>          the user's FreeSound username and password in plaintext in the
>>>          user's jokosher $HOME configuration.  When the plugin is used
>>>          after initial login, the username and password values are
>>>          filled in for the user.
>>>
>>>          However, on Solaris, we will patch the code so that this
>>>          feature is disabled, and the FreeSound extension will not save
>>>          the username and password information to the user's $HOME
>>>          directory.  This will mean the user will need to re-enter this
>>>          information each time they restart jokosher and wish to use
>>>          this plugin.
>>>     4.2. Interfaces:
>>>
>>>          Exported Interfaces                               Stability        Comments
>>>          ------------------------------------------------  ---------------  ----------------
>>>          /usr/bin/jokosher                                 Volatile         Jokosher application.
>>>          /usr/lib/python2.6/vendor-packages/Jokosher       Volatile         Jokosher python implementation.
>>>          /usr/share/applications/jokosher.desktop          Volatile         Jokosher desktop file.
>>>          /usr/share/gnome/help/jokosher                    Volatile         Jokosher help files.
>>>          /usr/share/jokosher                               Volatile         Jokosher internal data.
>>>          /usr/share/jokosher/Instruments                   Volatile         Jokosher instrument files.
>>>          /usr/share/jokosher/extensions                    Volatile         Jokosher extension files.
>>>          /usr/share/jokosher/pixmaps                       Project Private  Jokosher image files.
>>>          /usr/share/icons/hicolor/48x48/apps/jokosher.png  Project Private  Jokosher application image.
>>>          /usr/share/pixmaps/jokosher.png                   Project Private  Jokosher application image.
>>>          /usr/share/mime/packages/jokosher.xml             Volatile         Specifies the MIME type for jokosher files.
>>>          /usr/share/omf/jokosher                           Project Private  Jokosher OMF files.
>>>          $HOME/.local/share/jokosher                       Volatile         Jokosher user configuration
>>>
>>>          SUNWgnonlin                                       Uncommitted      Package.
>>>          SUNWjokosher                                      Uncommitted      Package.
>>>
>>>
>>>          Imported Interfaces   Stability        Comments
>>>          --------------------  ---------------  -----------------------
>>>          GNOME Base Libraries  Committed        LSARC 2006/202
>>>          GStreamer             Volatile         LSARC/2006/202
>>>          GNonLin               Volatile         Not yet filed
>>>          Python                External         PSARC/2005/532 Python
>>>                                Evolving         Migration from
>>>                                                 /usr/sfw to /usr and
>>>                                                 upgrade to v2.4.x
>>>          gst-python            Volatile         LSARC 2008/105
>>>          Pygtk, gnome-python   Unstable         LSARC 2005/506
>>>          D-Bus                 Volatile         LSARC 2006/368
>>>          Python Setuptools     Uncommitted      PSARC 2008/084
>>>
>>>     4.3. Doc Impact:
>>>
>>>          jokosher includes Help documentation.  Jokosher does not ship
>>>          with any developer documentation, but the help files do point
>>>          to the Jokosher developer website for more information about
>>>          doing things like writing extensions.
>>>
>>>     4.4. Packaging & Delivery:
>>>          SUNWjokosher - jokosher application.
>>>
>>>     4.5. Dependencies:
>>>
>>>          The ARC case for GNonLin, which is being submitted at the same
>>>          time as this case.  I will update this section and the
>>>          Comments value for GNonLin in the Imported Interface table to
>>>          include the ARC number when available.
>>>
>>>     4.6. L10N Impact:
>>>
>>>          The Desktop team and the G11N are working together to evaluate
>>>          and provide I18N/L10N support.
>>>
>>>     4.7  Security Impact:
>>>
>>>          None.
>>> 5. Reference Documents:
>>>
>>>     [1] Jokosher Extensions Documentation
>>>         http://userdocs.jokosher.org/Extensions/
>>>
>>>     Jokosher Website and User Documentation:
>>>         http://www.jokosher.org/
>>>         http://userdocs.jokosher.org/
>>>
>>> 6. Resources and Schedule
>>>     6.4. Steering Committee requested information
>>>          6.4.1. Consolidation C-team Name:
>>>                 Desktop
>>>     6.5. ARC review type: FastTrack
>>>     6.6. ARC Exposure: open
>>>
>>>
>>> 6. Resources and Schedule
>>>     6.4. Steering Committee requested information
>>>          6.4.1. Consolidation C-team Name:
>>>                 Desktop
>>>     6.5. ARC review type: FastTrack
>>>     6.6. ARC Exposure: open
>>>
>>> _______________________________________________
>>> opensolaris-arc mailing list
>>> opensolaris-arc at opensolaris.org
>>
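
The change described in section 4.1 and the revised 4.7, sketched as an added example (not Jokosher's code and not the Solaris patch): credentials are held in memory for the session while other preferences are written to disk, and a scrub pass removes credentials that an unpatched build already saved. The INI layout, the `freesound` section name and the key names are assumptions; the thread does not show the extension's real configuration format.

```python
import configparser
import os

# Hypothetical names: the thread does not give the extension's real keys.
SECRET_KEYS = {"username", "password"}
SECTION = "freesound"


class ExtensionSettings:
    """Writes preferences to disk; credentials live only in this object."""

    def __init__(self, path):
        self.path = path
        self.prefs = {}              # persisted by save(); string values
        self._session_secrets = {}   # never written to disk

    def set(self, key, value):
        target = self._session_secrets if key in SECRET_KEYS else self.prefs
        target[key] = value

    def get(self, key, default=None):
        source = self._session_secrets if key in SECRET_KEYS else self.prefs
        return source.get(key, default)

    def save(self):
        cfg = configparser.ConfigParser()
        cfg[SECTION] = self.prefs
        # A newly created file is readable and writable by its owner only.
        fd = os.open(self.path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as fh:
            cfg.write(fh)


def scrub_stored_credentials(path):
    """Delete credential keys left in an existing file; return what was removed."""
    cfg = configparser.ConfigParser()
    cfg.read(path)
    removed = []
    for section in cfg.sections():
        for key in SECRET_KEYS & set(cfg[section]):
            cfg.remove_option(section, key)
            removed.append(f"{section}.{key}")
    if removed:
        with open(path, "w") as fh:
            cfg.write(fh)
    return sorted(removed)
```

The scrub pass matters on any system where an unpatched build ran first: disabling the save path stops new writes but leaves earlier plaintext values in the user's configuration until they are removed.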