On 06/14/2017 03:46 PM, Marc-André Lureau wrote: > Hi Jeremy > > ----- Original Message ----- >> On 06/14/2017 02:55 PM, marcandre.lureau@xxxxxxxxxx wrote: >>> From: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx> >>> >>> The spice-controller was a small library to let NPAPI browser plugins >>> communicate with the spice client. Due to usage of vala, the library >>> could not promise ABI stability, and was also considerer a pretty >>> poor implementation. >>> >>> Furthermore, major browser vendors began to phase out NPAPI support in >>> 2013, and some would like to see it gone by the end of this >>> year (realistically, it may not happen though). >>> >>> As an alternative, remote-viewer (the first class Spice client) >>> learned to connect with a file of mime type application/x-virt-viewer, >>> as early as February 2013 with v0.5.5. >>> >>> RFC as we may want to have another release with the controller, and >>> announce it's the last one that will ship it - remote-viewer should >>> follow with a similar announcement. >> >> The spice controller also provides the ability for an application to >> securely pass a username and password in via the controller socket. > > The password should be a one time / short lived token when used with .vv file. > And if it is sent over a network it should be sent over a secured mean (https for ex) > >> The use of a file would have potential risk vectors. Is there an option >> to provide that facility? > > I don't see much alternative. Do you a other proposal? > I think my use case simply requires the ability to pass the pass word in a way that cannot be intercepted by any kind of hook; whether it be wireshark, or an inotify hook. A unix domain socket that can receive the password would suffice, I believe. Cheers, Jeremy _______________________________________________ Spice-devel mailing list Spice-devel@xxxxxxxxxxxxxxxxxxxxx https://lists.freedesktop.org/mailman/listinfo/spice-devel