On 04/12/2014 02:36 AM, Joao S. O. Bueno wrote:
Just for the record, I second all of Jehan's concerns - Although I don't think the "GIMP authenticated server" should be the only possible way to install managed plug-ins: Users should be given an option to change the plug-in server to "unofficial" ones. They just should be very clearly warned on doing so that they will be then installing any random binary. (changing the server does not have to be an easy task).
I don't think supporting unofficial servers would be very useful as long as it is still possible to install plugins manually as it is done now, since people who would know how to switch servers would definitely know how to do that too... Gimp's plug-in distribution model should be closer to Mozilla's than to Apple or Android.
All in all the root problem is the initial "trustable" source. If you download Gimp from the official site it's OK (assuming you are using HTTPS to connect to it). But then most of the Linux users get their Gimp (as well as several plugins) from the distro repository, or a more recent version from an Ubuntu PPA or its equivalent for other distros. Many Windows users download Partha's packages (that come with built-in plug-ins) and there are also a couple of trusted sources for OSX (including Partha's). Forum users are often warned about dodgy sources, but unfortunately they come to the forum after the download (GimpShop is obviously making many misled converts since Adobe's policy changes).
Last, for the average user out there, binary, Scheme or Python have about the same degree of readability.