PackageKit Misconceptions

Havoc Pennington hp at redhat.com
Wed Aug 22 22:39:45 UTC 2007


On 8/22/07, Jeff Spaleta <jspaleta at gmail.com> wrote:
> On 8/22/07, Owen Taylor <otaylor at redhat.com> wrote:
> >  A) The information displayed to the user has been audited to be accurate
>
> You have a proposal on how to do this? I have grave concerns about
> being legally allowed to do this in a centralized way as part of the
> Fedora project.
>

The larger point about gpg import questions is really unchanged if
there's no way to do a central authority. If we can't do a central
authority, that just means you have to ask about "import GPG blah
blah" and not "do you trust the Fedora Project?", and "import GPG blah
blah" is NOT good enough / useful / a solution _at all_. The point is
_not_ that a question about "import GPG" is suboptimal; the point is
that it's useless and probably even actively harmful. At least that
would be _my_ point, if it wasn't someone else's. ;-)

Dialogs just are not security. If your software design is insecure if
you don't ask, then your system is also insecure if you do ask,
because as an empirical matter some huge percentage of people -
including very tech-savvy people - will always click yes as a habit.

Dialogs are for programmers to cover their own ass and blame the user.
They do not do much at all to actually stop people from becoming
victims of security exploits, _in practice_.

A dialog that's human readable (says "Fedora Project" not "GPG blah
blah") _might_ be useful for a few more people than one with the GPG
stuff; the non-human-readable one is useful for essentially nobody.
But fundamentally it's still pretty weak security.

A secure design either forbids unsigned stuff in a strong,
almost-impossible-to-override way; or is secure despite unsigned
stuff.

Which in practice afaik means either a central signing authority (or
at least some kind of web of trust or definition of which keys you
trust), or you sandbox whatever is downloaded.

No secure solution I've ever seen involves dialogs as a critical element.

Havoc
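The "forbid unsigned stuff in an almost-impossible-to-override way" design from the message above, as an added example that is not part of the original mail or of PackageKit: a small Go installer policy with a pinned trust store of Ed25519 keys (standing in for the distribution's signing authority or an explicit list of trusted keys). The names `TrustStore`, `Package`, `Install` and `Scenario` are my own; the packages, keys and payload are constructed inline. The point it makes in code is that the decision never reaches a dialog: a package signed by a key it carries along and "asks to import" is rejected exactly like a tampered one, because the trust set is only ever grown out of band, never from the download.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// TrustStore is the installer's pinned set of signing keys. It is filled by
// the distribution at OS install time (the "central signing authority" or an
// explicit list of trusted keys), never from a downloaded package.
type TrustStore struct {
	keys []ed25519.PublicKey
}

// NewTrustStore builds a store from keys pinned ahead of time (assumption:
// the administrator or distribution supplies them, not the user at a prompt).
func NewTrustStore(keys ...ed25519.PublicKey) *TrustStore {
	return &TrustStore{keys: keys}
}

// Package is a constructed stand-in for a downloaded archive: payload, a
// detached signature, and (for the untrusted case) a key the package itself
// carries and would ask the user to "import GPG blah blah".
type Package struct {
	Name       string
	Payload    []byte
	Signature  []byte
	BundledKey ed25519.PublicKey // deliberately never consulted by Verify
}

// ErrUntrusted is the single failure mode: there is no "ask anyway" path.
var ErrUntrusted = errors.New("package is not signed by a pinned key; refusing to install")

// Verify fails closed: nil only when the payload carries a valid signature
// from a key already in the store. The bundled key is ignored on purpose.
func (ts *TrustStore) Verify(p Package) error {
	if len(p.Signature) != ed25519.SignatureSize {
		return ErrUntrusted
	}
	for _, k := range ts.keys {
		if ed25519.Verify(k, p.Payload, p.Signature) {
			return nil
		}
	}
	return ErrUntrusted
}

// Install is the only entry point; the policy decision is made by Verify,
// and a refusal is reported, not negotiated with the user.
func Install(ts *TrustStore, p Package) (bool, error) {
	if err := ts.Verify(p); err != nil {
		return false, fmt.Errorf("%s: %w", p.Name, err)
	}
	// Unpacking and installing p.Payload would happen here.
	return true, nil
}

// Scenario runs the three cases from the thread and reports which install:
// a package signed by the pinned key, one signed by a key it ships along,
// and one with a valid distro signature over a payload altered afterwards.
func Scenario() (trustedOK, bundledKeyOK, tamperedOK bool) {
	distroPub, distroPriv, _ := ed25519.GenerateKey(rand.Reader)
	strangerPub, strangerPriv, _ := ed25519.GenerateKey(rand.Reader)
	ts := NewTrustStore(distroPub)

	payload := []byte("constructed sample package contents")

	// 1. Signed by the distribution key the store already trusts.
	good := Package{Name: "good.rpm", Payload: payload,
		Signature: ed25519.Sign(distroPriv, payload)}
	trustedOK, _ = Install(ts, good)

	// 2. Signed by a key that the package ships along and asks to import.
	bundled := Package{Name: "unknown.rpm", Payload: payload,
		Signature: ed25519.Sign(strangerPriv, payload), BundledKey: strangerPub}
	bundledKeyOK, _ = Install(ts, bundled)

	// 3. Correct distro signature, but the payload was modified after signing.
	tampered := good
	tampered.Name = "tampered.rpm"
	tampered.Payload = bytes.Replace(payload, []byte("sample"), []byte("altered"), 1)
	tamperedOK, _ = Install(ts, tampered)
	return
}

func main() {
	a, b, c := Scenario()
	fmt.Printf("trusted=%v bundled-key=%v tampered=%v\n", a, b, c)
}
```

The design choice worth noticing is that `Verify` has exactly two outcomes and `Install` exposes no third one: an unsigned or wrongly signed package is refused with `ErrUntrusted`, and the only way to make it installable is to change the pinned key set through the same out-of-band channel the distribution used to create it. The sandboxing alternative from the mail is the other half of a secure design and is not shown here.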