[packaging] Meeting next week to discuss trusted third-party repositories

Thomas Leonard talex5 at gmail.com
Thu Dec 18 16:19:33 PST 2008


2008/12/18 James Antill <james at fedoraproject.org>:
>  As a developer for a used package manager, I've tried to stay out of
> the "discussion" that is autopackage/0install/relocatable-packages
> etc. ... if people think that those things can be usefully solved even
> with all the historical evidence to the contrary then please just go do
> it, you don't need my opinion that it'll fail and why, and we'll
> presumably all be using it in 5 years instead of dpkg/rpm¹ (if you
> succeed). At which point it'll be trivial for the LSB to adopt the std.
> of what everyone is doing.
[...]
>  The fundamental problem with that idea is that you are starting out
> with "untrusted data from XYZ" and trying to find a technological
> solution to make that "trusted data from XYZ".
>  I don't think you can do that (or at least do so for usable
> applications). Flash games/video-players are about the only thing that
> comes to mind where this has been even remotely successful.

And JavaScript? There are web-sites where you can install a JavaScript
client (automatically) through your browser that will let you read
your email. Others that let you follow blogs, browse maps of the
world, or even organise your photos. JavaScript files from different
sites don't conflict with each other. They're also sandboxed so,
ignoring occasional bugs in the sandboxing, JavaScript from one site
doesn't mess up scripts from other sites, or corrupt or expose their
data.

I hear it's even possible to execute native x86 code through your browser now.

Which means, the risk to me from using a new web-site is considerably
reduced, which means I can use more sites and get more done.


-- 
Dr Thomas Leonard		ROX desktop / Zero Install
GPG: 9242 9807 C985 3C07 44A6  8B9A AE07 8280 59A5 3CC1


More information about the packaging mailing list