[Merkaartor] Auto-updating merkaartoLinux/OSX sysadmin input requested

Manuel Reimer Manuel.Spam at nurfuerspam.de
Wed Sep 29 18:09:08 BST 2010


Chris Browet wrote:
> I guess a hybrid solution would work, if merkaartor is split into multiple
> components using the Qt plugin system:
> - Have releases as it is now
> - Make merkaartor check for updated components online, download them in the
> homedir, and make merkaartor use those ones instead of the packaged ones if
> their version is greater.

I don't know if it's really a good idea on Linux to forcefully bypass
the package manager! If I want to keep a piece of software up-to-date as a
regular user, I install it below $HOME!

And *please* keep security in mind if you plan to automatically fetch
binary executables from the internet! You at least need a secure connection
to a server hosting checksum files. This means that you have to fetch the
checksums for the binary files via HTTPS, which is, so far, impossible
on merkaartor.be.

Firefox uses an https:// URL to fetch the "status file", which contains
the location of the update files including checksums (AFAIR sha1 checksums).

If you plan to transfer update files via an insecure connection, *please*
disable this by default! It has been demonstrated for Firefox, in the
past, that it's really easy to do a "man in the middle" attack and
simulate an update for $FIREFOXADDON to be available, where the download
URL points to a malicious file. Since this, Firefox no longer allows
update information transfers via regular HTTP.

Yours

Manuel Reimer
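
Added illustration of the checks this message asks for (not part of the original post and not Merkaartor code): an updater that only trusts a status file fetched over HTTPS, only takes a component whose version is greater than the installed one, and verifies the download against the status file's checksum. The JSON layout, the host names, the component name and the use of SHA-256 are assumptions made for this example.

```python
import hashlib
import hmac
import json
from urllib.parse import urlsplit

class UpdateRejected(Exception):
    """The update must not be installed."""

# Constructed sample data: a component payload and the status file describing it.
SAMPLE_PAYLOAD = b"constructed plugin bytes"
SAMPLE_MANIFEST = json.dumps({"components": {"hypothetical-plugin": {
    "version": "0.17.1",
    "url": "http://mirror.example/hypothetical-plugin.so",
    "sha256": hashlib.sha256(SAMPLE_PAYLOAD).hexdigest(),
}}}).encode()

def parse_version(text):
    # "0.17.1" -> (0, 17, 1), so 0.9 < 0.17 compares numerically.
    return tuple(int(part) for part in text.split("."))

def select_update(manifest_url, manifest_bytes, name, installed_version):
    """Return the manifest entry to install, or None if nothing newer exists."""
    # The checksums are only trustworthy if the status file came over TLS
    # (the fetch itself, with certificate validation, is outside this sketch).
    if urlsplit(manifest_url).scheme != "https":
        raise UpdateRejected("status file must be fetched over HTTPS")
    entry = json.loads(manifest_bytes)["components"].get(name)
    if entry is None:
        return None
    # Only use a downloaded component if its version is greater than the packaged one.
    if parse_version(entry["version"]) <= parse_version(installed_version):
        return None
    return entry

def verify_payload(entry, payload):
    """Check downloaded bytes against the checksum from the trusted status file."""
    digest = hashlib.sha256(payload).hexdigest()
    if not hmac.compare_digest(digest, entry["sha256"].lower()):
        raise UpdateRejected("checksum mismatch, discarding download")
    return True

if __name__ == "__main__":
    entry = select_update("https://updates.example/status.json",
                          SAMPLE_MANIFEST, "hypothetical-plugin", "0.16.3")
    print("install:", entry["version"], verify_payload(entry, SAMPLE_PAYLOAD))
```

The payload itself may travel over plain HTTP in this scheme, because its integrity is anchored in the checksum delivered through the authenticated channel.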