unity-design team mailing list archive

Thread
Date

Re: Farewell to the notification area

To: Mark Shuttleworth <mark@xxxxxxxxxx>
From: "Paulo J. S. Silva" <pjssilva@xxxxxxxxx>
Date: Fri, 23 Apr 2010 07:58:35 -0300
Cc: Ayatana List <ayatana@xxxxxxxxxxxxxxxxxxx>
In-reply-to: <4BD160BD.8000807@ubuntu.com>

>
> Plus, as I pointed out several months ago, this is a HUGE security hole.
> Passwords should only be given in response to a user initiated
> operation.  Asynchronous dialogs that ask for passwords are a very bad
> precedent for a secure O/S.
>
>
> Best we get those finger-swipe gadgets working, then :-)
>

I beg to agree with Jim. Yes, it is a HUGE security hole waiting to be
used. As I pointed out in an older thread:

http://www.mail-archive.com/ayatana@xxxxxxxxxxxxxxxxxxx/msg00833.html

it is easy to spoof the update manager update dialog inside a web page
using technologies like flash that would probably look
indistinguishable to the real thing. As far as I remember most people
in the thread agreed on the possible security risk associated to the
(not so) new update manager behavior and even an interesting
discussion on allowing password-less updates from trusted repositories
was initiated.

The thread ended up in oblivion as any complains about update manager
behavior though.

best,

Paulo
-- 
Paulo José da Silva e Silva
Professor Associado, Dep. de Ciência da Computação
(Associate Professor, Computer Science Dept.)
Universidade de São Paulo - Brazil

e-mail: pjssilva@xxxxxxxxxx         Web: http://www.ime.usp.br/~pjssilva

References

Farewell to the notification area
From: Matthew Paul Thomas, 2010-04-21
Re: Farewell to the notification area
From: Jim Rorie, 2010-04-22
Re: Farewell to the notification area
From: Matthew Paul Thomas, 2010-04-22
Re: Farewell to the notification area
From: Jim Rorie, 2010-04-22
Re: Farewell to the notification area
From: Mark Shuttleworth, 2010-04-23