| |||||||||||||
I hope it's secureI hope it's securePosted Dec 2, 2011 6:37 UTC (Fri) by Alterego (subscriber, #55989)In reply to: I hope it's secure by flammon Parent article: extensions.gnome.org launches
Is it mandatory to have https to some random gnome site to install extension ?
And privacy ? i really don't like to use web browser to do install...
How does it work for disonnected-from-the-net sites ?
(Log in to post comments)
I hope it's secure Posted Dec 2, 2011 8:13 UTC (Fri) by ovitters (subscriber, #27950) [Link]
Not mandatory to use extensions.gnome.org, you can install it manually as well.
Note that GNOME shell does not allow a random website. It only allows the site extensions.gnome.org via https. LWN already covered all the security tradeoffs before.
Regarding privacy, this is setup by the same people who made GNOME shell. So maybe we are like your phone and we already track everything. Or perhaps we can be trusted. :P But you can still install manually.
The installation is not done by the browser btw, it is handled by GNOME shell (site->plugin->shell; shell making the decision + taking action in the end).
I hope it's secure Posted Dec 2, 2011 10:37 UTC (Fri) by cortana (subscriber, #24596) [Link]
Are the downloaded data themselves signed? I don't like the idea that someone in charge of my DNS could cause their own extensions to be installed. Just requiring https is _not_ enough, as the DigiNotar debacle demonstrated...
I hope it's secure Posted Dec 2, 2011 12:21 UTC (Fri) by ovitters (subscriber, #27950) [Link]
No idea, there is a whole writeup at https://lwn.net/Articles/459786/. Installation is not automatic btw, you have to confirm it, that is handled locally. Website cannot automatically install, nor automatically update extensions.
I hope it's secure Posted Dec 2, 2011 13:01 UTC (Fri) by flammon (guest, #807) [Link]
This plugin, like any other plugin I suppose, needs to be bullet proof then. Adobe has had a heck of a time keeping their plugins secure.
http://www.adobe.com/support/security/#flashplayer
I'm sure the developers have seen The Matrix so they're familiar with what happens when a door to the Real World opens.
I hope it's secure Posted Dec 5, 2011 13:22 UTC (Mon) by hnsr (guest, #78227) [Link]
Well.. the Adobe Flash plugin can be used on any website. If I understand correctly this plugin only works for extensions.gnome.org over https. While that is still not bulletproof (considering false certificates can be issued by compromised CAs), it seems much different than the position the flash plugin is in.
Can the extensions system be disabled? Posted Dec 3, 2011 1:00 UTC (Sat) by coriordan (guest, #7544) [Link]
For people who are wary of this, is there a way to simply disable the installation and running of extensions?
(Having extensions as packages in distros would be great.)
Can the extensions system be disabled? Posted Dec 3, 2011 3:00 UTC (Sat) by ovitters (subscriber, #27950) [Link]
At least Firefox allows you to disable it. One of the first things the extension does is to check if the site is extensions.gnome.org using https btw.
Can the extensions system be disabled? Posted Dec 4, 2011 20:09 UTC (Sun) by coriordan (guest, #7544) [Link]
Installing software via my web-browser is is one worry, but maybe my bigger worry is actually in cutting the distros out of the system.
Package maintainers are the reason I trust software to do things such as playing nice with my other software, that the licence has been verified, that the uninstall option will do what it should.
In "non-distro-ised" operating systems (which are all proprietary), the lack of these things leaves systems in a mess. I hope free software doesn't migrate to non-distro-ised ways of distributing software. The ability to add a layer of verification is one of the advantages we have over proprietary software.
It would be great if the extensions could be put into the distros. They could be grouped into a number of bundles if the number is too large. At times they might be months out of date, but that's still clearly preferable in my book.
Can the extensions system be disabled? Posted Dec 5, 2011 8:47 UTC (Mon) by ovitters (subscriber, #27950) [Link]
Distributions can still package them. It is pretty much the same as Firefox. If you don't want to use this site then don't.
Can the extensions system be disabled? Posted Dec 5, 2011 13:10 UTC (Mon) by coriordan (guest, #7544) [Link]
But if the distros don't package them, then users have to either do without that functionality, or have a non-distro system with the problems I mentioned.
But that's just "if". Hopefully they will get packaged, just like Firefox extensions are packaged in Debian.
Can the extensions system be disabled? Posted Dec 5, 2011 14:48 UTC (Mon) by ovitters (subscriber, #27950) [Link]
So if you want your distro to package them, ask your distro to package them. There is not much difference between extensions.gnome.org and 'ftp.gnome.org' in that. It is provided on a site, but it is up to the distributions to package it and keep it up to date.
The difference in this case is that extensions.gnome.org provides an easy way to avoid the distro and see what has not packaged.
I get the impression you think providing a easier non-distro method is somehow a bad thing done by GNOME?
Can the extensions system be disabled? Posted Dec 5, 2011 19:56 UTC (Mon) by coriordan (guest, #7544) [Link]
"Bad" sounds malicious. I hope my comments don't sound like an attack. I'm more wondering if this direction is unwise.
If most/many users are installing stuff directly, then distros have less motivation to package and maintain that software. It seems likely that less software will go through the distro systems, and if that happens then I think free software will be undermining one of its big advantages.
By ftp, there's a power-sharing system. The GNOME devs decide the direction of the software, and the distros can exercise decisions such as when to migrate to the newest version, how it should be configured, what apps should own what mime types, etc.
The distros might seem to hold a lot of power there, but because there are many distros and they have to keep their users happy or lose them, the distros are kept in check too. The same isn't true for GNOME. There's only one set of developers I can get GNOME directly from.
With direct-install, there's no more power-sharing, no more review, no more testing to see if it plays nice with my non-GNOME software, no more need to worry about users going elsewhere etc.
(These issues would disappear if GNOME starts getting forked or if the direct-install repositories get forked, but such forks don't exist today, and we already have the distros which provide these services, so I'd rather support the distros than encourage multiple forks of GNOME.)
Could be a step in the wrong direction.
|
|||||||||||||