Re: [widgets] Automatic updates attempt 2

On 2008-05-28 11:25:03 +0200, Arve Bersvendsen wrote:

> 1. In the case that any security-related settings for the widget
> changes, they can be reviewed automatically, or optionally
> manually by the user, and download of an updated resource can be
> prevented if the updated version is not acceptable.  This is
> particularily important on slow connections, since some widgets
> run into the megabyte range 

This goes back full-circle to the question whether the
metainformation (including signature and capabilities) should be
within the zip archive, or in a separate outside file.  

My gut feeling is that the update descriptor is going to end up
looking *very* similar to the manifest, in the end of the day.

I'm ultimately indifferent as to whether that description file
should be inside or outside the widget; I'd just prefer us to avoid
duplication of information there.

> 2. It is possible to sign the update XML document, and verify the
> file prior to downloading. An example here would be if a signed
> update document pointed to an alternate download mechanism, such
> as a torrent or other P2P technology, the document could itself
> be signed, and contain checksums for the actual file.

You mean hash, not checksum.  (They tend to have different
properties.)

Cheers,
-- 
Thomas Roessler, W3C  <tlr@w3.org>

Received on Wednesday, 28 May 2008 09:49:53 UTC