- From: Thomas Roessler <tlr@w3.org>
- Date: Wed, 28 May 2008 11:49:10 +0200
- To: Arve Bersvendsen <arveb@opera.com>
- Cc: Marcos Caceres <marcosscaceres@gmail.com>, "WAF WG (public)" <public-appformats@w3.org>
On 2008-05-28 11:25:03 +0200, Arve Bersvendsen wrote: > 1. In the case that any security-related settings for the widget > changes, they can be reviewed automatically, or optionally > manually by the user, and download of an updated resource can be > prevented if the updated version is not acceptable. This is > particularily important on slow connections, since some widgets > run into the megabyte range This goes back full-circle to the question whether the metainformation (including signature and capabilities) should be within the zip archive, or in a separate outside file. My gut feeling is that the update descriptor is going to end up looking *very* similar to the manifest, in the end of the day. I'm ultimately indifferent as to whether that description file should be inside or outside the widget; I'd just prefer us to avoid duplication of information there. > 2. It is possible to sign the update XML document, and verify the > file prior to downloading. An example here would be if a signed > update document pointed to an alternate download mechanism, such > as a torrent or other P2P technology, the document could itself > be signed, and contain checksums for the actual file. You mean hash, not checksum. (They tend to have different properties.) Cheers, -- Thomas Roessler, W3C <tlr@w3.org>
Received on Wednesday, 28 May 2008 09:49:53 UTC