Tue 30 Sep 2008
I just found this out after reading an article about the GNOME Mobile release. Apparently Movial joined LiMo sometime in August and has pledged to release its Browser D-Bus Bridge as open source. Perhaps this went over the D-Bus mailing list and I missed it, but I am eager to look at the code and documentation to make sure remote sandboxed code doesn’t now have a way of breaking out of its jail. In other words, I hope they have added a permissions-based system much like we have for the system bus. If they have a sane system, this could really be a powerful tool.
In a local world where all your applications are installed by the user, security on the session bus doesn’t have to be tight, as applications will already have all the capabilities that they might gain from using the session bus. They even have more, such as rm -rf ~. However, if web pages are now able to access the bus without a failsafe security model for access rights, you would be allowing remote applications access to whatever the session bus exposes. They would be first-class citizens in a very bad way. Depending on what services are running on the bus, information could be stolen and files added and deleted, among other exploits. Already gVFS runs over D-Bus, and hopefully in the future we will be moving from a CORBA-based accessibility layer to a D-Bus one, which means every UI element would be exposed via the bus.
That is not to say it is all doom and gloom. Having a browser/D-Bus bridge is very important towards moving the desktop experience forward, so much so that I was considering writing one until I saw this. Of course there is no open code or documentation yet, at least none that I could find. I do trust them to do the right thing, but it would have been nice if the development had been done in the open from the start. Can someone working with LiMo point me to the source or to information on when it will be released?
September 30th, 2008 at 1:41 pm
It really depends on what they are doing. If they have XUL components then it makes it possible to connect to D-Bus services via XUL. That’s pretty safe since web pages and the surrounding XUL/Chrome are separate.
But what I actually suspect they are doing is exposing bus methods through a JS interface that certain web widgets can use via private device APIs. For the most part web widgets look like local apps that are loaded and can load content from the network, but don’t always do so. The permissions models for these apps look a little bit different.
October 1st, 2008 at 4:07 pm
Show me the source. I saw the release via LinuxDevices.com back when Movial made the announcement and have not seen any followup.
I’ve been working on a JSON-RPC exposure for DBus for a while, but it keeps getting put off and heavily restructured, so their code is something I’d love to see.