> > Plus, as I pointed out several months ago, this is a HUGE security hole. > Passwords should only be given in response to a user initiated > operation. Asynchronous dialogs that ask for passwords are a very bad > precedent for a secure O/S. > > > Best we get those finger-swipe gadgets working, then :-) >
I beg to agree with Jim. Yes, it is a HUGE security hole waiting to be used. As I pointed out in an older thread: http://www.mail-archive.com/ayatana@lists.launchpad.net/msg00833.html it is easy to spoof the update manager update dialog inside a web page using technologies like flash that would probably look indistinguishable to the real thing. As far as I remember most people in the thread agreed on the possible security risk associated to the (not so) new update manager behavior and even an interesting discussion on allowing password-less updates from trusted repositories was initiated. The thread ended up in oblivion as any complains about update manager behavior though. best, Paulo -- Paulo José da Silva e Silva Professor Associado, Dep. de Ciência da Computação (Associate Professor, Computer Science Dept.) Universidade de São Paulo - Brazil e-mail: pjssi...@ime.usp.br Web: http://www.ime.usp.br/~pjssilva _______________________________________________ Mailing list: https://launchpad.net/~ayatana Post to : ayatana@lists.launchpad.net Unsubscribe : https://launchpad.net/~ayatana More help : https://help.launchpad.net/ListHelp
