[Sugar-devel] [sugar] [Proposal] .xot bundles, for translations

Sayamindu Dasgupta sayamindu at gmail.com
Mon Dec 8 11:38:49 EST 2008


On Mon, Dec 8, 2008 at 9:31 PM, Martin Langhoff
<martin.langhoff at gmail.com> wrote:
> On Mon, Dec 8, 2008 at 1:50 PM, Sayamindu Dasgupta <sayamindu at gmail.com> wrote:
>> Does that work ?
>
> How do we trust that the setup.py is not malicious? Part of what I am
> suggesting when I talk about rpm files that have no %post/%pre etc
> (and therefore can be installed with --no-scripts) is that we can
> reasonably trust that the contents are not maliciously active. (Note
> that this needs a few additional checks to be effective.)
>
> If we say that we'll auto-execute a setup.py we have
>
>  - less security
>  - no versioning
>  - no tracking of what file belongs to what pkg
>

Ermm.. I'm not proposing that we run ./setup.py in the XO. Think of
setup.py as a Makefile, which can generate .xot bundles, which can
then be installed on an XO. Same as the current mechanisms used by the
activities. No code gets run in the XO itself.
Thanks,
Sayamindu




-- 
Sayamindu Dasgupta
[http://sayamindu.randomink.org/ramblings]

