[Spice-devel] [PATCH spice-gtk] RFC: build-sys: remove the spice-controller library

Jeremy White jwhite at codeweavers.com
Mon Jun 19 18:51:42 UTC 2017


On 06/14/2017 03:46 PM, Marc-André Lureau wrote:
> Hi Jeremy
> 
> ----- Original Message -----
>> On 06/14/2017 02:55 PM, marcandre.lureau at redhat.com wrote:
>>> From: Marc-André Lureau <marcandre.lureau at redhat.com>
>>>
>>> The spice-controller was a small library to let NPAPI browser plugins
>>> communicate with the spice client. Due to usage of vala, the library
>>> could not promise ABI stability, and was also considerer a pretty
>>> poor implementation.
>>>
>>> Furthermore, major browser vendors began to phase out NPAPI support in
>>> 2013, and some would like to see it gone by the end of this
>>> year (realistically, it may not happen though).
>>>
>>> As an alternative, remote-viewer (the first class Spice client)
>>> learned to connect with a file of mime type application/x-virt-viewer,
>>> as early as February 2013 with v0.5.5.
>>>
>>> RFC as we may want to have another release with the controller, and
>>> announce it's the last one that will ship it - remote-viewer should
>>> follow with a similar announcement.
>>
>> The spice controller also provides the ability for an application to
>> securely pass a username and password in via the controller socket.
> 
> The password should be a one time / short lived token when used with .vv file.
> And if it is sent over a network it should be sent over a secured mean (https for ex)
> 
>> The use of a file would have potential risk vectors.  Is there an option
>> to provide that facility?
> 
> I don't see much alternative. Do you a other proposal?
> 

I think my use case simply requires the ability to pass the pass word in
a way that cannot be intercepted by any kind of hook; whether it be
wireshark, or an inotify hook.  A unix domain socket that can receive
the password would suffice, I believe.

Cheers,

Jeremy


More information about the Spice-devel mailing list