On Mon, Sep 21, 2009 at 07:01:13PM -0400, Bernie Innocenti wrote: > El Mon, 21-09-2009 a las 23:47 +0100, Martin Dengler escribió: > > The whole point of Rainbow is that what I think you're talking about > > isn't an issue, and it's encouraged that kids share Activities. > > Eliminating this sharing ability is one of the problems with the > > current rpm / PackageKit proposals AIUI. > > Currently, Rainbow is a much weaker protection than, say, the Javascript > sandbox of a browser. And, realistically, it will never get close to be > that good.
Well I'll leave that to the real experts. > Besides, the way you *install* a program does not affect the way you > *run* it. > > I could install the same malicious program by unpacking a zip file > or an rpm (which is a cpio archive with a header). I believe the statement I was replying to can be summarised by "let's think about the usage of rpm so as not to open ourselves up to malware", and so Rainbow is in scope. Admittedly, I was reading into that vague statment. If you are just concerned with the message to which the message I replied to was replying, which was about %post scripts, sure. > What could be achieved with the .xo bundles that couldn't be achieved > with an rpm? Given both involve Turing-complete languages, nothing. Given that one works now and one involves lots of work, everything. Rhetorically, point taken. Practically, nothing's changed. Actually, I take that back. You're now talking about tieing Sugar activities to rpm, which is a whole set of code / practices, instead of the current XO format, right? So what was a downstream choice (how to package activities) now becomes fixed? Or are you proposing Fructose is distributed in a distro-specific way, and just non-Fructose Activities as rpms? Martin
pgpkuNSgC6zTc.pgp
Description: PGP signature
_______________________________________________ Sugar-devel mailing list Sugar-devel@lists.sugarlabs.org http://lists.sugarlabs.org/listinfo/sugar-devel
