[Merkaartor] Auto-updating merkaartor: Linux/OSX sysadmin input requested
Manuel Reimer
Manuel.Spam at nurfuerspam.de
Wed Sep 29 18:09:08 BST 2010
Chris Browet wrote:
> I guess a hybrid solution would work, if merkaartor is split into multiple
> components using the Qt plugin system:
> - Have releases as it is now
> - Make merkaartor check for updated components online, download them in the
> homedir, and make merkaartor use those ones instead of the packaged ones if
> their version is greater.

I don't know if it's really a good idea on Linux to forcefully bypass
the package manager! If I want to keep software up-to-date as a regular
user, I install it below $HOME!

And *please* keep security in mind if you plan to automatically fetch
binary executables from the internet! You at least need a secure connection
to a server hosting checksum files. This means that you have to fetch the
checksums for the binary files via HTTPS, which is, so far, impossible
on merkaartor.be.

Firefox uses a https:// URL to fetch the "status file", which contains
the location of the update files including checksums (AFAIR sha1 checksums).

If you plan to transfer update files via an insecure connection, *please*
disable this by default! It has been demonstrated for Firefox, in the
past, that it's really easy to do a "man in the middle" attack and
simulate an update for $FIREFOXADDON to be available, where the download
URL points to a malicious file. Since then, Firefox no longer allows
update information transfers via regular HTTP.

Yours
Manuel Reimer
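
The acceptance check described in the message above, as an added example that is not part of the original post or of Merkaartor's code: the manifest is only trusted when it came from an https:// URL, a component replaces the packaged one only if its version is greater, and the downloaded binary is bound to the manifest by its digest. The manifest layout, component name, versions and URLs are assumptions constructed for the example, and SHA-256 is used here instead of the sha1 mentioned for Firefox.

```python
import hashlib
import hmac
import json
from urllib.parse import urlsplit

# Constructed sample data: the manifest layout, component name, versions and
# URLs are assumptions for this example, not a Merkaartor or Firefox format.
PLUGIN_BYTES = b"constructed plugin binary, version 0.17.1"
MANIFEST_URL = "https://updates.example.org/components.json"
MANIFEST_JSON = json.dumps({"components": [{
    "name": "example-plugin",
    "version": "0.17.1",
    "url": "http://mirror.example.org/example-plugin-0.17.1.so",
    "sha256": hashlib.sha256(PLUGIN_BYTES).hexdigest(),
}]})


class UpdateRejected(Exception):
    """Raised when an offered component must not be installed."""


def parse_version(text):
    # "0.17.1" -> (0, 17, 1); integer tuples order 0.9 before 0.10 correctly.
    return tuple(int(part) for part in text.split("."))


def load_manifest(manifest_url, body):
    # The checksums are only as trustworthy as the channel that delivered
    # them, so a manifest from a plain-HTTP URL is refused outright.
    if urlsplit(manifest_url).scheme != "https":
        raise UpdateRejected("manifest must be fetched over HTTPS")
    return {c["name"]: c for c in json.loads(body)["components"]}


def accept_update(entry, installed_version, downloaded):
    # Use the downloaded component only if its version is greater than the
    # packaged one; equal or older versions are refused (no downgrade).
    if parse_version(entry["version"]) <= parse_version(installed_version):
        raise UpdateRejected("offered version is not newer")
    # The binary itself may come from any mirror; what ties it to the HTTPS
    # manifest is its digest, compared here in constant time.
    digest = hashlib.sha256(downloaded).hexdigest()
    if not hmac.compare_digest(digest, entry["sha256"].lower()):
        raise UpdateRejected("checksum mismatch")
    return entry["version"]
```

The caller is expected to have fetched the manifest body with a TLS client that validates the server certificate; the scheme check alone does not replace that.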