Mailinglist Archive: opensuse-softwaremgmt (33 mails)
Re: [softwaremgmt] Software Portal
- From: Christian Boltz <opensuse@xxxxxxxxx>
- Date: Thu, 11 Nov 2010 21:49:52 +0100
- Message-id: <201011112149.53052@xxxxxxxxxxxxxxx>
Hello,
On Monday, 8 November 2010, Henne Vogelsang wrote:
> This signature part is not necessarily true. Users have to take care
> of a simple choice:
> ---------------------------------------------------------------------
> This package comes from an untrusted source and might harm your
> system!
> [Install] [Cancel]
> [ ] Details [ ] Never ask me again
> --------------------------------------------------------------------
There was some discussion about this at the openSUSE conference in the
zypp BoF. The results in short:
- inherit trust: if a repo key is signed by a known key, display a "less
dangerous looking" dialog or (config option or "never ask again"
checkbox) no warning at all.
Most prominent example: build service keys that are signed by the
build service master key
- for detail view: if a key is signed by other keys, display them.
That gives at least the chance that someone verifies the key chain.
Again build service repos are the best example.
- IIRC nobody in the BoF said he verifies the fingerprint *)
- there were more topics in the BoF, but not related to this question
The following is my personal opinion:
*) my guess: because it isn't easy enough.
Having the key chain visible ("This key is signed by a key you already
trust") would bring more security than just displaying a fingerprint
nobody checks (you would need to download the key from the repo, verify
its fingerprint, check who signed it, ....)
The dialog should look more "dangerous" if a key is not signed by any
key in the current keyring.
The "never ask again" checkbox is a good idea for keys that are signed
by an already known key (read: buildservice) - even if I'd never tick
that box.
For totally unknown keys, I'd recommend _not_ to offer such a checkbox.
> Install == Ignore signature
> Cancel == Cancel
> Detail == Show details about the signature
> Never ask me again == Trust Signature
As a typical user, I'd expect a different meaning:
Install == Trust this signature (there's no point in installing a
package when you don't trust it)
Never ask me again == Trust _all_ signatures (IMHO: as long as their key
is signed with an already trusted key - see key chain above)
Yes, I know that this would mean less security, but hey, I'm just
wearing my "typical user" hat in this case ;-) and I also don't say it
should be implemented this way. I'm just warning you what bugreports to
expect: "Every time I add a repo, I'm asked again! But I ticked the
'never ask again' box!!!!!1!!111!!!!!!" ;-)
Maybe the "never ask again" should have a more meaningful title like
"never ask again for this signature" or "permanently trust this
signature".
Or we simply rework the existing way that asks about the key instead of
the package - rename the "import" button to "trust permanently".
Now choose your favorite way ;-)
Regards,
Christian Boltz
--
In the Yast2 system editor for /etc/sysconfig files, enter ide-scsi
under System-Kernel-MODULES_LOADED_ON_BOOT.
David, please look away... No, David, you did not see that. Everything
is fine, David... Stay calm... :-)
[> Arne Dieckmann and Thomas Hertweck in suse-linux]
--
To unsubscribe, e-mail: opensuse-softwaremgmt+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse-softwaremgmt+help@xxxxxxxxxxxx
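Added example, not libzypp's code and not anything shown at the BoF: a small Python model of the "inherit trust" rule discussed in the message above. It walks a candidate repository key's certifications looking for a key that is already in the local keyring, caps the chain length, survives certification cycles, and returns what the dialog should show: the chain for the detail view, a danger level, and whether a "never ask again" checkbox may be offered at all (never for a key with no trusted chain). All keys, fingerprints and certifications are constructed data; the two-hop limit, the key and prompt names, and the dialog wording are assumptions.

```python
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Added example, not zypp/libzypp code: a model of the "inherit trust" rule
# from the BoF. Keys, fingerprints and certifications are constructed data.


@dataclass(frozen=True)
class Key:
    fingerprint: str                 # constructed short hex id, not a real fingerprint
    uid: str                         # user id shown in the dialog
    signed_by: Tuple[str, ...] = ()  # fingerprints of keys certifying this key


MAX_HOPS = 2   # assumption: accept at most two certification hops


def find_chain(key: Key, keyring: set, known: Dict[str, Key],
               max_hops: int = MAX_HOPS) -> Optional[List[str]]:
    """Breadth-first search from the candidate key along its certifications
    until a key in the trusted keyring is reached.  Returns the fingerprints
    [candidate, signer, ..., trusted] or None if nothing trusted is reachable
    within max_hops.  `known` holds every key whose certifications we can
    inspect (the candidate plus whatever came with it); a signer we have
    never seen is a dead end, not an error."""
    if key.fingerprint in keyring:
        return [key.fingerprint]
    queue = deque([[key.fingerprint]])
    seen = {key.fingerprint}
    while queue:
        path = queue.popleft()
        if len(path) - 1 >= max_hops:      # one more hop would exceed the limit
            continue
        current = known.get(path[-1])
        if current is None:                # signer we cannot inspect: dead end
            continue
        for signer in current.signed_by:
            if signer in keyring:
                return path + [signer]
            if signer not in seen:         # cycle/duplicate protection
                seen.add(signer)
                queue.append(path + [signer])
    return None


@dataclass
class Prompt:
    level: str                  # "trusted", "inherited" or "unknown"
    chain: Optional[List[str]]  # what the detail view shows
    offer_never_ask: bool       # checkbox only for keys with a trusted chain
    text: str


def decide_prompt(key: Key, keyring: set, known: Dict[str, Key]) -> Prompt:
    """Map the chain lookup onto the three dialog variants discussed."""
    chain = find_chain(key, keyring, known)
    if chain is None:
        return Prompt("unknown", None, False,
                      f"Key {key.fingerprint} ({key.uid}) is not signed by any key "
                      "you trust. Verify its fingerprint out of band before importing.")
    if len(chain) == 1:
        return Prompt("trusted", chain, True,
                      f"Key {key.fingerprint} ({key.uid}) is already in your keyring.")
    return Prompt("inherited", chain, True,
                  f"Key {key.fingerprint} ({key.uid}) is signed by a key you "
                  "already trust: " + " <- ".join(chain))


# Constructed sample keys: only the hypothetical build service master key is
# trusted locally; project keys hang off it in a chain.
MASTER = Key("A1B2", "Build Service Master <obs-master@example.invalid>")
PROJECT = Key("C3D4", "home:alice OBS Project", signed_by=("A1B2",))
SUBPROJECT = Key("E5F6", "home:alice:branch", signed_by=("C3D4",))
DEEP = Key("0707", "three hops away", signed_by=("E5F6",))
LOOP_A = Key("AAAA", "loop a", signed_by=("BBBB",))
LOOP_B = Key("BBBB", "loop b", signed_by=("AAAA",))
STRANGER = Key("DEAD", "Some Random Repo <nobody@example.invalid>")

KEYRING = {MASTER.fingerprint}
KNOWN = {k.fingerprint: k
         for k in (MASTER, PROJECT, SUBPROJECT, DEEP, LOOP_A, LOOP_B, STRANGER)}

if __name__ == "__main__":
    for key in (MASTER, PROJECT, SUBPROJECT, DEEP, LOOP_A, STRANGER):
        p = decide_prompt(key, KEYRING, KNOWN)
        print(f"{p.level:9} never-ask={str(p.offer_never_ask):5} {p.text}")
```

The hop limit is the part worth thinking about before copying this anywhere: without it, a web of trust lets any key "inherit" trust through an arbitrarily long chain of strangers, and the cycle guard alone does not stop that. The third-hop key and the two keys that only certify each other both come out as "unknown" and get the dangerous dialog with no "never ask again" checkbox.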