[haiku-development] Re: Design for signed packages

  • From: Julian Harnath <julian.harnath@xxxxxxxxxxxxxx>
  • To: <haiku-development@xxxxxxxxxxxxx>
  • Date: Fri, 28 Mar 2014 20:46:12 +0100

Jonathan Schleifer <js-haiku-development@xxxxxxxxxxx> wrote:
> On 28.03.2014 at 15:46, Stephan Aßmus <superstippi@xxxxxx> wrote:
>
> > It can't verify that the software contains no viruses or backdoors.
>
> Exactly. That was why I was against signing certificates …

That doesn't make sense; whether software is malicious or not has nothing
to do with signing or certificates -- signing only ensures the authenticity
and integrity of a package.

Choice 1: we use the model of letting any package publisher sign with
their own key, without a PKI. Whenever the system sees a key which it
hasn't seen before, it has to ask the user "Hey, I don't know this key
yet, do you trust it?". The user has to gather plenty of keys over
time and sees that message box so often that most will just click "ok,
accept signature" regardless, as Ingo pointed out earlier. Verifying
whether a key really belongs to a source is a difficult problem too, as
already discussed; you need a secure secondary channel. For a large
number of package sources and a large number of users, this simply
doesn't scale IMO. (It works for SSH because you usually don't have that
many known hosts, and they are usually somehow near you or under your
control.)
Whether a package contains malware or not is never ensured by this
process.

Choice 2: we build a little PKI with a limited number of root CAs, e.g.
Haiku Inc. as one of them (or at first, the only one). Package authors
get a key signed with a CA key, which they then use to sign packages.
Haiku's PM can verify that the certificate chain is ok; users will only
ever see a "do you want to add this key?" message when adding a new CA,
which should be much rarer. This, IMO, works better in practice, gives
the user far fewer annoying dialog boxes, and as long as Haiku Inc.
can keep their private key private and doesn't hand out keys more than
once, it reasonably ensures authenticity. That X.509 is complex is not
really a concern since we can use well-known and trusted libraries
which implement it.
Whether a package contains malware or not is never ensured by this
process either.

--
So long, jua
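[Editor's addition, not part of the message above and not code from Haiku's package manager or anyone in the thread.] The two choices jua lays out translate into two different verification routines on the client. The example below shows both side by side in Go, using only the standard library: Choice 1 as a trust-on-first-use key store in the style of SSH's known_hosts, where an unseen publisher key triggers the "do you trust it?" decision and a pinned publisher that shows up with a different key is refused; Choice 2 as a one-root PKI, where the client verifies a publisher certificate chain with crypto/x509 (standing in for the "well-known and trusted libraries" mentioned) and only then checks the package signature with the certified key. The KnownKeys type, the function names, the root and publisher names, and the package bytes are all constructed for this example. Ed25519 is used so the whole thing fits in one file; the package format itself is not modelled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Choice 1: each publisher signs with its own key, no PKI. The client pins
// keys the user has accepted, like an SSH known_hosts file (hypothetical type).
type KnownKeys map[string]ed25519.PublicKey

// VerifyTOFU verifies sig over pkg with the key the package claims for publisher.
// An unseen publisher triggers the "I don't know this key yet, do you trust it?"
// decision (accept) and, if accepted, the key is pinned. A pinned publisher
// presenting a different key is refused without asking.
func VerifyTOFU(known KnownKeys, publisher string, claimed ed25519.PublicKey,
	pkg, sig []byte, accept func(string, ed25519.PublicKey) bool) error {
	pinned, seen := known[publisher]
	switch {
	case !seen && !accept(publisher, claimed):
		return fmt.Errorf("%s: unknown key declined by user", publisher)
	case !seen:
		known[publisher] = claimed
		pinned = claimed
	case !pinned.Equal(claimed):
		return fmt.Errorf("%s: key differs from the pinned key", publisher)
	}
	if !ed25519.Verify(pinned, pkg, sig) {
		return fmt.Errorf("%s: package signature invalid", publisher)
	}
	return nil
}

// Choice 2: a small PKI. The user trusts one root (e.g. Haiku Inc.) once and the
// root certifies each publisher key. issue fills in serial number and validity,
// signs tmpl with signer (parent == tmpl for a self-signed root) and parses it.
func issue(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, signer ed25519.PrivateKey) (*x509.Certificate, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 63))
	if err != nil {
		return nil, err
	}
	tmpl.SerialNumber = serial
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().AddDate(2, 0, 0)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewRootCA creates a self-signed CA certificate and its signing key.
func NewRootCA(name string) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{Subject: pkix.Name{CommonName: name},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	cert, err := issue(tmpl, tmpl, pub, priv)
	return cert, priv, err
}

// IssuePublisherCert has the CA certify a publisher's public key for code
// signing; the publisher's private key never leaves the publisher.
func IssuePublisherCert(ca *x509.Certificate, caKey ed25519.PrivateKey,
	publisher string, pub ed25519.PublicKey) (*x509.Certificate, error) {
	return issue(&x509.Certificate{Subject: pkix.Name{CommonName: publisher},
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}, ca, pub, caKey)
}

// VerifyChained checks that the certificate shipped with the package chains to
// a trusted root and permits code signing, then verifies the package signature
// with the certified key. A key the root never certified fails at step one.
func VerifyChained(roots *x509.CertPool, cert *x509.Certificate, pkg, sig []byte) error {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("certificate does not chain to a trusted root: %w", err)
	}
	if pub, ok := cert.PublicKey.(ed25519.PublicKey); !ok || !ed25519.Verify(pub, pkg, sig) {
		return fmt.Errorf("package signature invalid for %s", cert.Subject.CommonName)
	}
	return nil
}

func main() {
	pkg := []byte("constructed sample package bytes")  // stands in for a .hpkg
	pubA, privA, _ := ed25519.GenerateKey(rand.Reader) // legitimate publisher
	pubB, privB, _ := ed25519.GenerateKey(rand.Reader) // impostor with its own key
	sigA, sigB := ed25519.Sign(privA, pkg), ed25519.Sign(privB, pkg)
	known, accept := KnownKeys{}, func(string, ed25519.PublicKey) bool { return true } // user clicks "ok"
	fmt.Println("TOFU first install: ", VerifyTOFU(known, "example-repo", pubA, pkg, sigA, accept))
	fmt.Println("TOFU impostor key:  ", VerifyTOFU(known, "example-repo", pubB, pkg, sigB, accept))
	root, rootKey, _ := NewRootCA("Haiku Inc. Package Root (example)") // errors ignored in the demo only
	rogue, rogueKey, _ := NewRootCA("rogue root")                      // never added to the trust store
	roots := x509.NewCertPool()
	roots.AddCert(root)
	certA, _ := IssuePublisherCert(root, rootKey, "example-publisher", pubA)
	certB, _ := IssuePublisherCert(rogue, rogueKey, "example-publisher", pubB)
	fmt.Println("PKI certified key:  ", VerifyChained(roots, certA, pkg, sigA))
	fmt.Println("PKI uncertified key:", VerifyChained(roots, certB, pkg, sigB))
}
```

Running it prints <nil> for the first install and for the certified key, and an error for the two impostor cases. The difference between the models is where the trust decision lands: in Choice 1 the user is asked once per publisher (and the impostor is only caught because the legitimate key was already pinned), in Choice 2 the user is asked once per root and the impostor's certificate fails chain verification even on a fresh install. Neither routine looks at the package contents; both only establish that the bytes are the ones the holder of a particular key signed, which is jua's point.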
