discuss-gnustep
Re: New method to load user bundles


From: Richard Frith-Macdonald
Subject: Re: New method to load user bundles
Date: Thu, 5 Jun 2003 09:52:20 +0100

I've been quietly observing this thread, and it seems to me that the concern about the security of loading bundles is a valid point, and the answer that any bundles have been installed by the user is only partially valid.

1. The user doesn't know what bundles they have installed as part of third party apps.
2. The user may pick up bundles installed by another user on their machine.

On the other hand, simply disabling bundle loading is not an acceptable solution.

IMO what we would ideally have is -

First, some mechanism to tell whether a bundle might have been provided or tampered with by another user. So for bundles in the user domain, we should probably check that the bundle is owned by the user and that it (and its parent directories) are not modifiable by any other user.
For bundles in other areas, we should perform a similar check, but accept bundles owned by root.

Secondly, we might want to provide a facility to keep track of changes to bundles (e.g. store the bundle location and an md5 digest of it in the defaults system) and provide a callback facility (with a standard panel built into the gui) to alert the user about changes to bundles that are about to be loaded, and let them accept/refuse the load.
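
The ownership and permission check proposed in the message above, sketched in C with POSIX calls as an added example (not code from the post or from GNUstep). The names `bundle_path_trusted` and `component_ok` are hypothetical, and treating group-write as "modifiable by another user" and accepting root-owned parent directories in both domains are assumptions.

```c
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: one path component passes if a trusted uid owns it and
 * neither group nor others can write to it (assumption: group-write counts as
 * "modifiable by another user"). Root (uid 0) is trusted only if root_ok. */
static int component_ok(const struct stat *st, uid_t user, int root_ok)
{
    int owner_ok = st->st_uid == user || (root_ok && st->st_uid == 0);
    return owner_ok && (st->st_mode & (S_IWGRP | S_IWOTH)) == 0;
}

/* Returns 1 if the bundle and every parent directory up to "/" pass the check,
 * 0 if any component fails, -1 if the path cannot be resolved or examined.
 * user_domain != 0: the bundle itself must be owned by `user`, not by root. */
int bundle_path_trusted(const char *bundle, uid_t user, int user_domain)
{
    char path[PATH_MAX];
    struct stat st;
    int leaf = 1;

    if (realpath(bundle, path) == NULL)   /* resolve symlinks and ".." first */
        return -1;
    for (;;) {
        if (lstat(path, &st) != 0)
            return -1;
        /* Assumption: parents such as / and /home may be root-owned. */
        if (!component_ok(&st, user, leaf ? !user_domain : 1))
            return 0;
        if (strcmp(path, "/") == 0)
            return 1;
        leaf = 0;
        char *slash = strrchr(path, '/'); /* realpath output is absolute */
        if (slash == path)
            path[1] = '\0';               /* "/x" -> "/" */
        else
            *slash = '\0';                /* "/a/b" -> "/a" */
    }
}
```

The result describes the path only at the moment of the check, so the loader should open the same resolved path immediately afterwards.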
