On Saturday 07 January 2006 22:33, Anders Johansson wrote:
I have, on several occasions.
There needs to be something like a web of trust. For example, we all get suse's key through the distribution, we trust suse and we can trust that the key is valid since the best hacker in the world can't alter a read-only CD/DVD.
So the solution is to have the packager's keys signed by suse if and only if they have established that they can be trusted. Then the users only import those keys which have been signed by a trusted source.
This can be delegated so that suse's key signs some delegate key with full trust, and this delegate can then sign packagers' keys. And of course suse's key doesn't have to be the only fully trusted key, so long as the others also come from fully trusted sources on fully trusted media.
This has the drawback that not just anyone at any time can build a package and upload it to a repo, but it has the huge advantage that the repos can actually be trusted without having to trust the system admin.
See, and this trust model is the exact reason that PGP public key encryption is rarely used in the real world. This model _just doesn't work_ in the real world. Probably works fine in a corporate setting where compulsion and force can be used to make people comply, or between a small group of people. But it doesn't work in the real world.

I don't read the source code for every piece of code I install. And I don't read/write my own compiler, either. I trust the free market of free software. I trust suse to give me a basic system. I further trust certain third party packagers like packman. For each of these, I had to take the plunge and trust them initially, and they have since proven to be worthy of my trust.

For the record, I really don't trust the centralized model you propose. I much prefer the decentralized market trust model. If nobody complains your packages are bad, I will operate with the working assumption that they aren't bad. Yes, if a repository got cracked, it could cause some issues. But really, it is normal for there to be consequences when a system gets cracked. In this case, it is a minor issue. I simply remove the damaged repository from my sources list, and reinstall any potentially damaged applications.

Your "solution" doesn't actually solve anything in the real world. A distributed reputation-based system _does_, and it has several millennia of history to prove the model works...

Regards,
Mark
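As an added illustration of the delegated signing model in Anders's quoted message above (this is example code written for this page, not code from the thread or from any distribution's tooling), here is a small Python model that decides which packager keys chain back to a fully trusted root through fully trusted delegates only. All key labels and signatures are constructed; real keyrings would carry actual key IDs and verified signatures.

```python
from dataclasses import dataclass, field


@dataclass
class Key:
    name: str
    full_trust: bool = False                  # may signatures by this key confer trust on others?
    signed_by: set = field(default_factory=set)  # names of keys that have signed this key


def trusted_keys(keys: dict, roots: set) -> set:
    """Return the names of keys that chain back to a root via fully trusted signers only.

    A root (e.g. the distribution key shipped on read-only media) is trusted outright.
    Any other key is trusted only if some signer of it is already trusted AND marked
    full_trust, i.e. allowed to delegate. Plain packager keys are trusted but cannot vouch.
    """
    trusted = {r for r in roots if r in keys}
    changed = True
    while changed:                            # fixpoint: any delegation depth, cycles terminate
        changed = False
        for name, key in keys.items():
            if name in trusted:
                continue
            if any(s in trusted and keys[s].full_trust for s in key.signed_by if s in keys):
                trusted.add(name)
                changed = True
    return trusted


def import_decision(keys: dict, roots: set, name: str) -> str:
    """Mirror the user-side rule: only import keys signed by a trusted source."""
    return "import" if name in trusted_keys(keys, roots) else "reject"


# Constructed sample keyring; labels are hypothetical, not real key IDs.
SAMPLE_KEYS = {
    "distro-root": Key("distro-root", full_trust=True),                  # came with the install media
    "delegate":    Key("delegate", full_trust=True, signed_by={"distro-root"}),
    "packager-a":  Key("packager-a", signed_by={"delegate"}),            # trusted, cannot delegate
    "packager-b":  Key("packager-b", signed_by={"packager-a"}),          # vouched for by a non-delegate
    "self-signed": Key("self-signed", signed_by={"self-signed"}),        # no chain to any root
    "loop-x":      Key("loop-x", full_trust=True, signed_by={"loop-y"}), # mutual signatures, no root
    "loop-y":      Key("loop-y", full_trust=True, signed_by={"loop-x"}),
}
ROOTS = {"distro-root"}

if __name__ == "__main__":
    for k in SAMPLE_KEYS:
        print(f"{k:12} -> {import_decision(SAMPLE_KEYS, ROOTS, k)}")
```

Only `distro-root`, `delegate` and `packager-a` are imported; `packager-b` is rejected because a packager key that is not a delegate cannot extend trust, and the self-signed and mutually signed keys never reach a root.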