PackageKit Misconceptions

Colin Walters walters at redhat.com
Wed Aug 22 17:55:19 UTC 2007


On 8/22/07, Jesse Keating <jkeating at redhat.com> wrote:
> There aren't requirements, however given that our software is mirrored
> around the world and our tools are made easy to make your own Fedora,
> it's possible that somebody could start handing out spoofed Fedoras.
> If the key you're asking to import says it's Fedora, but the public key
> servers don't match this key, that's a very quick indication that you
> should stop using the system as it's been compromised in some way.

Jean is a physics researcher at CERN.  He installed Fedora on his
workstation because he's developing some parallel computation software
related to his hypothesis using MPI, and he likes Linux as a development
environment.  He is helping to discover the fundamental properties of the
universe.

Jean is smarter than anyone posting in this thread.

People keep making the assumption that reducing questions is designing for
"dumb" users.  In fact, we're designing for users who have *more important
things to do*.

We should make sure we're not stopping Jean in the middle of his work with a
question like "Do you trust this hex number?".  It's not that he couldn't
answer it, but we certainly don't make it easy to do so "correctly" (which I
guess is browsing to pgp.mit.edu and manually entering the hex number and
making some sort of wild guess based on other signatures).

The obvious default policy to me is:

* Fedora trusts the GPG keys it ships
* All other keys are denied

The scenario where this does break down is installing software from other
sites like livna.  If we have some sort of hoop there in the process that's
probably fine.  Maybe you have to "sudo rpm -ivh http://livna.org/gpg.asc",
or click some dialog.  Firefox makes users installing extensions wait 3
seconds.

What I would do is be very realistic though - 99.99% of people are just
going to click "OK" to random dialogs popping up, and there is nothing we
can do to change that.

> Also it's easy enough to install some piece of software off the net
> that drops a yum repo file in place and starts handing you packages
> from another repo.

If you installed an RPM from an untrusted source, you have already lost.  It
can execute arbitrary code in %post, or overwrite /lib/libc.so, the
possibilities are endless.
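An added illustration (my own example, not code from this thread or from PackageKit) of the default policy proposed above, written as a check a package tool could run before any dialog: trust a pinned set of shipped key fingerprints, deny every other key without asking, and flag the case Jesse describes, a key that reuses a shipped identity under a different fingerprint. The fingerprints and uids are constructed placeholders, not the real Fedora key material.

```python
import re
from dataclasses import dataclass
from email.utils import parseaddr
from enum import Enum
from typing import Dict, Optional


class Verdict(Enum):
    TRUSTED = "trusted"          # fingerprint is pinned by the distribution
    DENIED = "denied"            # unknown key: deny, no dialog for the user
    SPOOF_SUSPECTED = "spoof"    # claims a pinned identity, different fingerprint


@dataclass(frozen=True)
class GpgKey:
    fingerprint: str   # full 40-hex fingerprint as printed by gpg
    uid: str           # user id, e.g. "Fedora (7) <fedora@fedoraproject.org>"


# Constructed placeholder fingerprint/uid; NOT the real Fedora signing key.
SHIPPED_KEYS: Dict[str, str] = {
    "0123456789ABCDEF0123456789ABCDEF01234567": "Fedora (7) <fedora@fedoraproject.org>",
}

_FPR_RE = re.compile(r"^[0-9A-F]{40}$")


def normalize_fpr(fpr: str) -> Optional[str]:
    """Strip spacing and upper-case; None unless it is a full 40-hex fingerprint.
    Short 8/16-hex key ids are never accepted: they collide far too easily to pin."""
    cleaned = fpr.replace(" ", "").upper()
    return cleaned if _FPR_RE.match(cleaned) else None


def _identity(uid: str) -> str:
    # Compare only the e-mail address; the display name is free text anyone can set.
    return parseaddr(uid)[1].lower()


def classify(key: GpgKey, shipped: Dict[str, str] = SHIPPED_KEYS) -> Verdict:
    """Apply the policy: shipped fingerprint -> trust, anything else -> deny."""
    fpr = normalize_fpr(key.fingerprint)
    if fpr is not None and fpr in shipped:
        return Verdict.TRUSTED
    # A key that reuses a shipped identity without the shipped fingerprint is the
    # "says it's Fedora but doesn't match" case: log it loudly, never prompt on it.
    if _identity(key.uid) in {_identity(u) for u in shipped.values()}:
        return Verdict.SPOOF_SUSPECTED
    return Verdict.DENIED
```

A third-party repository such as livna would be admitted only by an explicit local action that adds its fingerprint to the pinned set, never by a yes/no dialog at import time.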