Re: spatial stuff detail



On Sun, Sep 21, 2003 at 04:30:48PM +0100, Mike Hearn wrote:
> > Installing new programs is one of the least new-user-friendly aspects 
> > of Linux right now, and application-as-directory packing would make 
> > this problem disappear.
> 
> See http://autopackage.org/faq.html, about 3/4 of the way down, the
> question entitled "What's wrong with NeXT style appfolders?"

Not anything really related to appfolders, but to autopackage.  Reading
the above webpage I have one comment:

To install you run the script; that completely kills any 'signing' that you
can do to a package.  The user has already executed code before they could check
signatures.  So there is a chicken and egg problem here.

So to avoid "linux virii" spreading disguised as packages I would recommend
requiring download of the autopackage tools instead of running the package.
If the concept of such a packaging scheme really takes off then it should be
easy to get different distros to package the autopackage tools.

Obviously appfolders also have this "easy virii" effect.  You can't quite
easily do signing if you don't have an installer.  If you have an installer,
what is the point of appfolders?

I don't think the signing scheme needs to be centralized.  The installer can
let the user check a website for the signing key automagically somehow.  And
the user could maintain a list of keys they trust.  So 'vendor-a' can have
the key at 'vendor-a.com'.  The installer would say to the user that the
package is signed with an unknown key from vendor-a and would allow the user
to go to the website, somehow verify that the website is the correct one
(tell the user to check the spelling of the domain name) and let the user
accept this key, perhaps for future sessions as well.  So once I trust
vendor-a.com is my vendor, then I can easily install all packages.

I think for this to be used, signing and checking of signatures must be more
than an optional afterthought.  The tools should really give nefarious
warnings about unsigned packages.  We really don't want to get into the
wackiness that is the Outlook executable virii world of Windows today.

Security should really be far more than just an afterthought, but a first
class design goal of any packaging system.  RPM fails at this as well, as
checking signatures is harder than just installing.  It should ideally be the
other way around.  Not using signatures should be harder.  That's why I don't
use them and don't know how to use them ... laziness and the complexity of
using them.  Unless it's done automagically for me, I won't use them.  And the
same can likely be said of the majority of users.  To avoid such "virii" we must
however get the majority of users using some scheme like that.

George

-- 
George <jirka 5z com>
   Men willingly believe what they wish.
                       -- Julius Caesar
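The trust-store flow George sketches above (a per-user list of accepted vendor keys, an unknown key fetched from the vendor's site and accepted for future sessions, refusal of unsigned packages, and no package code run before the check), as an added example that is not part of the original mail. HMAC-SHA256 stands in for a real public-key signature, and the vendor names and keys are constructed.

```python
import hmac
import hashlib

# Constructed vendor keys, standing in for the key each vendor publishes on its
# own site (e.g. vendor-a.com). HMAC-SHA256 is a stand-in for a public-key
# signature (assumption); the trust flow is what this example demonstrates.
VENDOR_KEYS = {"vendor-a.com": b"constructed-vendor-a-key"}

def fetch_vendor_key(vendor):
    """Simulates looking up the signing key on the vendor's website."""
    return VENDOR_KEYS.get(vendor)

def make_package(vendor, payload, key):
    """Build a signed package: the install payload plus a detached signature."""
    sig = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"vendor": vendor, "payload": payload, "signature": sig}

class TrustStore:
    """Per-user list of accepted vendor keys, kept across sessions."""
    def __init__(self):
        self.keys = {}

    def decide(self, pkg, fetch_key, ask_user):
        """Return ('install'|'refuse', reason). Nothing in pkg runs before this."""
        if "signature" not in pkg:
            return "refuse", "UNSIGNED package: refusing to install"
        vendor = pkg["vendor"]
        key = self.keys.get(vendor)
        if key is None:
            # Unknown vendor: fetch its key and let the user accept it once.
            candidate = fetch_key(vendor)
            if candidate is None:
                return "refuse", f"no signing key found for {vendor}"
            if not ask_user(vendor):
                return "refuse", f"user did not accept key for {vendor}"
            self.keys[vendor] = candidate  # trusted for future sessions
            key = candidate
        expected = hmac.new(key, pkg["payload"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, pkg["signature"]):
            return "refuse", f"BAD SIGNATURE: package claims {vendor} but does not verify"
        return "install", f"signature from trusted vendor {vendor} verified"

def install(store, pkg, fetch_key, ask_user, run):
    """Only hand the payload to run() after the signature check has passed."""
    verdict, reason = store.decide(pkg, fetch_key, ask_user)
    if verdict == "install":
        run(pkg["payload"])
    return verdict, reason
```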


