[haiku-development] Re: Design for signed packages

  • From: François Revol <revol@xxxxxxx>
  • To: haiku-development@xxxxxxxxxxxxx
  • Date: Thu, 27 Mar 2014 15:44:40 +0100

On 27/03/2014 15:11, Ari Haviv wrote:
> On Thu, Mar 27, 2014 at 8:28 AM, Jonathan Schleifer <
> js-haiku-development@xxxxxxxxxxx> wrote:
> 
>> I deleted the branch now as people are clearly offended by even only
>> having the minimum level of security that even Windows offers since Windows
>> XP (optionally signed executables, optionally signed drivers, signed
>> updates) - and that was introduced 14 years ago - and prefer to repeat the
>> security disaster of Windows 98. Users wouldn't even have noticed that
>> packages are signed unless they installed a hpkg from a 3rd party without
>> using a repository, but clearly, people feel offended by even the thought
>> that there is cryptography involved that makes sure that the updates you
>> install are actually from the vendor...
>>
>> So, the branch is gone and we can drop this thread now.
> 
> People will always disagree with certain changes, with extra emotional
> rhetoric to make their point (the supposedly purely rational technical
> world is full of drama; it's just not very artistic). You may also have a
> problem with someone else's idea down the road. The key is not to take it
> so personally with real and permanent consequences.

Indeed.

I didn't follow the discussion, but as for me, apart from the SecureBoot
crap which as I said is more an instrument of control from Microsoft
(actually if you really want to trust the firmware, it must also be free
software like Coreboot, not a blackbox), I'm interested in making NSA's
job harder just because their job is in most cases illegal (and with the
complicity of my own government it seems), and I believe we have the
right to privacy and we must defend it.

But I also understand that it's not a concern for many, since most
people tend to get offended by Snowden's revelation but quickly go back
to business as usual using Google, Windows or OSX and everything else,
just because it's become a commodity and they are not concerned enough
to sacrifice commodity for privacy.
Even ministers in France were asked to use "secure phones" while they
still use their Windows PCs or Macs, which is just stupid.
I can't blame them much since I still use Google mostly for search
queries (although I did port Seeks but I don't use it)...

It might actually be an opportunity for Haiku if security is done in a
non-nagging way (which is the hardest part I guess, else everyone would
be using OpenBSD).

As much as I think the fight for privacy is also a duty of FLOSS
projects, I believe the activist part and the attached trolls are best
left to orgs like EFF, or La Quadrature du Net, to avoid being
distracted from the technical tasks.

As for signed packages, as was said, there are many security holes in
Haiku itself that should probably be fixed before signed packages can
really be of use, but that doesn't mean they wouldn't be useful, and if
it's what you want to work on I don't see why not.

I understand the frustration that happens when everyone else disagrees
with you (like, I still hope to get my Gopher branch into NetSurf
someday...)


François.
