On Monday 09 January 2006 00:36, Mark A. Taff wrote:
> No, the GPG model of trust is flawed because it doesn't accurately model trust in the real world. It depends on trust passing undiminished through n-degrees of separation, and no rational person thinks that way. I might trust SuSE, but I don't trust them to say that anyone else is OK.
It's not a question of SuSE saying someone is trustworthy. It's a question of establishing identity. People who are forced to say who they are are far less likely to do silly things.
> _I_ will make decisions on who to trust, not delegate that responsibility to some third, fourth, or nth party.
Except you don't. You have already said you will install packages from anyone at any time, and if the packager refuses because the signature is bad you will find the GPG key on Google so you can force the installation. You are a Windows user in disguise.
> I mean, come on, just because I trust a person to write a decent program without backdoors, etc, doesn't mean I trust their judgment of others' character and intentions!
See above. That isn't the point.
> Linux _is_ more secure than Windows, and for now, it is secure enough. Perfect security isn't possible any more than perfect copy protection. What is important is to make the computer harder to compromise than the value of the compromised computer.
> As for your crack about Windows users happily running trojans, etc, this is because they don't care if their machine is compromised, not because nobody has complained about a specific virus/spyware/trojan. If you refuse to heed the warning the market provides, it is your own fault.
The point I was trying to make was that if users of packages from a particular repo mirror don't know they are running malicious software, where will the warnings come from?
> Yes, really. The reputation-based market model has been successfully handling this type of problem for millennia. Your centrally-planned model always fails outside of a controlled environment -- see government licensing, see pontifications on science, see pedophiliac priests, appeal to authority, et al.
What on earth are you talking about? Pontifications (?) on science?? Pedophile priests??? Is this relevant to anything? The need to establish identity and origin is essential. How can you ever decide whom to trust if you can't even establish that the person you are being asked to trust is the originator of the package you are about to install?
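The exchange above turns on two things GnuPG keeps separate: whether a key is *valid* (its identity is established through certifications) and whether its owner is *trusted* by the local user to certify others. The following simulation, added here as an illustration and not code from either poster or from GnuPG, applies the published rules of GnuPG's classic trust model (a key is valid when certified by one fully trusted valid key or three marginally trusted valid keys, within a bounded certification depth) to a constructed key graph. All key names, the "suse"/"packager" labels and the owner-trust assignments are made up for the example.

```python
"""Constructed simulation of GnuPG's classic trust model (not GnuPG's own code).

Rules modelled:
  * a key the local user marks ULTIMATE is valid at depth 0;
  * any other key is valid if certified by at least `completes_needed`
    valid keys with FULL (or ULTIMATE) owner trust, or by at least
    `marginals_needed` valid keys with MARGINAL owner trust;
  * certification paths longer than `max_cert_depth` do not count;
  * owner trust is a local, per-key decision of the user. A key becoming
    valid never makes its owner a trusted certifier by itself.
"""
from collections import defaultdict

ULTIMATE, FULL, MARGINAL, UNKNOWN = "ultimate", "full", "marginal", "unknown"


def compute_validity(certifications, ownertrust, marginals_needed=3,
                     completes_needed=1, max_cert_depth=5):
    """Return {key: depth} for every key the model considers valid.

    certifications: iterable of (signer, signee) pairs, meaning `signer`
                    has certified (signed) `signee`'s key.
    ownertrust:     {key: ULTIMATE | FULL | MARGINAL | UNKNOWN} chosen by
                    the local user; keys absent from it count as UNKNOWN.
    """
    certified_by = defaultdict(set)
    for signer, signee in certifications:
        certified_by[signee].add(signer)

    # Depth 0: the user's own ultimately trusted keys are valid by definition.
    valid = {k: 0 for k, t in ownertrust.items() if t == ULTIMATE}

    # Fixed-point iteration: each pass may validate keys one hop further out.
    changed = True
    while changed:
        changed = False
        for key, signers in certified_by.items():
            if key in valid:
                continue
            full = marginal = 0
            depths = []
            for s in signers:
                # A signer only counts if its own key is valid and the path
                # through it stays within the configured depth limit.
                if s not in valid or valid[s] >= max_cert_depth:
                    continue
                trust = ownertrust.get(s, UNKNOWN)
                if trust in (ULTIMATE, FULL):
                    full += 1
                elif trust == MARGINAL:
                    marginal += 1
                else:
                    continue  # valid key, but the user never chose to trust its owner
                depths.append(valid[s] + 1)
            if full >= completes_needed or marginal >= marginals_needed:
                valid[key] = min(depths)
                changed = True
    return valid


def example_scenario():
    """Constructed key graph: the local user ("me") has certified a vendor key
    and four individuals, but has assigned owner trust to only some of them."""
    ownertrust = {
        "me": ULTIMATE,
        "suse": FULL,        # trusted to vouch for packagers
        "alice": MARGINAL, "bob": MARGINAL, "carol": MARGINAL,
        "dave": UNKNOWN,     # identity established, but not trusted to vouch
    }
    certifications = [
        ("me", "suse"), ("me", "alice"), ("me", "bob"),
        ("me", "carol"), ("me", "dave"),
        ("suse", "packager1"),                  # one full signer: valid
        ("dave", "packager2"),                  # signer valid but untrusted: not valid
        ("alice", "packager3"), ("bob", "packager3"), ("carol", "packager3"),  # 3 marginals: valid
        ("alice", "packager4"), ("bob", "packager4"),                          # 2 marginals: not valid
        ("packager1", "friend_of_packager1"),   # packager1 valid, no owner trust: not valid
    ]
    return compute_validity(certifications, ownertrust)


if __name__ == "__main__":
    for key, depth in sorted(example_scenario().items(), key=lambda kv: (kv[1], kv[0])):
        print(f"valid  {key:<20} depth {depth}")
```

The run shows the point both posters are making from different angles: "dave" and "packager1" end up with valid keys (their identity is established), yet nothing they certify becomes valid until the local user explicitly raises their owner trust, so trust does not flow onward merely because a key was signed.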