Re: [widgets] Automatic updates attempt 2

On Wed, May 28, 2008 at 7:25 PM, Arve Bersvendsen <> wrote:
> On Wed, 28 May 2008 11:10:56 +0200, Thomas Roessler <> wrote:
>>> 2. Point to an XML file written in our custom XML format (described
>>> below).
>> I'd drop that.
> While more complicated, it buys a number of freedoms:
> 1. In the case that any security-related settings for the widget changes,
> they can be reviewed automatically, or optionally manually by the user, and
> download of an updated resource can be prevented if the updated version is
> not acceptable.  This is particularily important on slow connections, since
> some widgets run into the megabyte range
> 2. It is possible to sign the update XML document, and verify the file prior
> to downloading. An example here would be if a signed update document pointed
> to an alternate download mechanism, such as a torrent or other P2P
> technology, the document could itself be signed, and contain checksums for
> the actual file.

True. Just send the update file over HTTPS.

Marcos Caceres

Received on Wednesday, 28 May 2008 09:28:20 UTC