[Merkaartor] Auto-updating merkaartor Linux/OSX sysadmin input requested

Petr Morávek xificurk at gmail.com
Sat Oct 2 09:16:03 BST 2010


I don't like this either. Here on Gentoo I have no problem keeping
merkaartor up to date, either as a live snapshot of the repository or the
latest stable version. Please, do not try to solve a slow process of package
teams by bypassing them completely. I think this would ultimately do
more harm than good. Instead of this 'hack' it would be better to try
to find some reinforcements for the package maintainers in mainstream
distros.
Petr

2010/9/29, Manuel Reimer <Manuel.Spam at nurfuerspam.de>:
> Chris Browet wrote:
>> I guess a hybrid solution would work, if merkaartor is split into
>> multiple components using the Qt plugin system:
>> - Have releases as it is now
>> - Make merkaartor check for updated components online, download them in
>> the homedir, and make merkaartor use those ones instead of the packaged
>> ones if their version is greater.
>
> I don't know if it's really a good idea on Linux to forcefully bypass
> the package manager! If I want to keep software up to date as a regular
> user, I install it below $HOME!
>
> And *please* keep security in mind if you plan to automatically fetch
> binary executables from the internet! You at least need a secure connection
> to a server hosting checksum files. This means that you have to fetch the
> checksums for the binary files via HTTPS, which is, so far, impossible
> on merkaartor.be.
>
> Firefox uses an https:// URL to fetch the "status file", which contains
> the location of the update files including checksums (AFAIR sha1 checksums).
>
> If you plan to transfer update files via an insecure connection, *please*
> disable this by default! It has been demonstrated for Firefox, in the
> past, that it's really easy to do a "man in the middle" attack and
> simulate an update for $FIREFOXADDON being available, where the download
> URL points to a malicious file. Since then, Firefox no longer allows
> update information transfers via regular HTTP.
>
> Yours
>
> Manuel Reimer

-- 
Sent from a mobile device
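
The update check described in the quoted message, sketched as an added example (not part of the original thread and not Merkaartor or Firefox code): the status file is accepted only from an https:// URL, and the downloaded component is installed only if its digest matches the one in that file. The JSON layout, field names, host, versions and the use of SHA-256 are assumptions made for this illustration.

```python
import hashlib
import hmac
import json
from urllib.parse import urlsplit


class UpdateRejected(Exception):
    """Raised when an update must not be installed."""


def parse_version(text):
    # "0.17.2" -> (0, 17, 2), so 0.9 sorts below 0.17 (string compare would not).
    return tuple(int(part) for part in text.split("."))


def load_manifest(manifest_url, manifest_bytes):
    """Accept a status file only if it came over HTTPS and is well formed."""
    if urlsplit(manifest_url).scheme != "https":
        raise UpdateRejected("status file must be fetched over https")
    try:
        manifest = json.loads(manifest_bytes)
        parse_version(manifest["version"])
        if len(bytes.fromhex(manifest["sha256"])) != 32:
            raise ValueError("digest has the wrong length")
    except (ValueError, KeyError, TypeError) as exc:
        raise UpdateRejected(f"malformed status file: {exc}") from exc
    return manifest


def verify_update(manifest, installed_version, payload):
    """Return True only for a newer version whose bytes match the digest."""
    if parse_version(manifest["version"]) <= parse_version(installed_version):
        raise UpdateRejected("not newer than the installed version")
    expected = bytes.fromhex(manifest["sha256"])
    actual = hashlib.sha256(payload).digest()
    if not hmac.compare_digest(actual, expected):
        raise UpdateRejected("checksum mismatch, discarding download")
    return True


# Constructed sample data (hypothetical host, file name and versions).
# The payload URL may be plain HTTP: the digest from the HTTPS status
# file is what binds the downloaded bytes to the publisher.
SAMPLE_PAYLOAD = b"constructed plugin bytes"
SAMPLE_MANIFEST = json.dumps({
    "version": "2.0.1",
    "url": "http://updates.example.org/plugin.so",
    "sha256": hashlib.sha256(SAMPLE_PAYLOAD).hexdigest(),
}).encode()
```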


