Jonathan Schleifer <js-haiku-development@xxxxxxxxxxx> wrote:
> On 28.03.2014 at 15:46, Stephan Aßmus <superstippi@xxxxxx> wrote:
>
>> It can't verify that the software contains no viruses or backdoors.
>
> Exactly. That was why I was against signing certificates …

That doesn't make sense; whether software is malicious or not has nothing to do with signing or certificates -- the signing only ensures authenticity and integrity of a package.

Choice 1: we use the model of letting any package publisher sign with their own key, without PKI. Whenever the system sees a key which it hasn't seen before, it has to ask the user "Hey, I don't know this key yet, do you trust it?". The user has to gather plenty of keys over time and sees that message box so often that most will just click "ok, accept signature" regardless, as Ingo pointed out earlier. Verifying whether a key really belongs to a source is a difficult problem too, as already discussed; you need a secure secondary channel. For a large number of package sources and a large number of users, this simply doesn't scale IMO. (It works for SSH because you usually don't have that many known hosts, and they are usually somehow near you or under your control.) Whether a package contains malware or not is never ensured by this process.

Choice 2: We build a little PKI with a limited number of root CAs, e.g. Haiku Inc as one of them (or at first, the only one). Package authors get a key signed with a CA key, which they then use to sign packages. Haiku's PM can verify that the certificate chain is ok; users will only ever see a "do you want to add this key?" message when adding a new CA, which should be more rare. This, IMO, works better in practice, gives the user much fewer annoying dialog boxes, and as long as Haiku Inc. can keep their private key private, and doesn't hand out keys more than once, it ensures authenticity reasonably. That X509 is complex is not really a concern since we can use well-known and trusted libraries which implement it. Whether a package contains malware or not is never ensured by this process either.

--
So long,
jua
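Added example, not part of this thread or of Haiku's package manager: a Go sketch of both choices, using Ed25519 and a small struct as a stand-in for an X.509 certificate, with a constructed publisher name and package. It shows that in choice 2 the package manager needs only the root CA keys, while in choice 1 an unseen key can only be accepted by asking the user; neither check says anything about what the package contains.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Cert stands in for an X.509 cert: a root CA (e.g. Haiku Inc.) signs (name, author key) once.
type Cert struct {
	Publisher string
	PubKey    ed25519.PublicKey
	CASig     []byte
}

func certBytes(name string, pub ed25519.PublicKey) []byte {
	return append([]byte(name+"\x00"), pub...)
}

// IssueCert is the CA side of choice 2; authors then sign packages with their own key.
func IssueCert(caPriv ed25519.PrivateKey, name string, pub ed25519.PublicKey) Cert {
	return Cert{name, pub, ed25519.Sign(caPriv, certBytes(name, pub))}
}

// VerifyChain, choice 2: the author key counts only because a configured root vouched for it.
func VerifyChain(roots []ed25519.PublicKey, c Cert, pkg, sig []byte) bool {
	for _, r := range roots {
		if ed25519.Verify(r, certBytes(c.Publisher, c.PubKey), c.CASig) {
			return ed25519.Verify(c.PubKey, pkg, sig)
		}
	}
	return false // issuer is not a trusted root, so the author key means nothing
}

// VerifyTOFU, choice 1 (SSH-style): an unseen key can only be accepted by asking the user;
// a key that changed for a known publisher name is refused.
func VerifyTOFU(known map[string]ed25519.PublicKey, name string, pub ed25519.PublicKey, pkg, sig []byte) (ok, askUser bool) {
	k, seen := known[name]
	if !seen {
		return false, true
	}
	return k.Equal(pub) && ed25519.Verify(pub, pkg, sig), false
}

func main() {
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)
	authPub, authPriv, _ := ed25519.GenerateKey(rand.Reader)
	pkg := []byte("constructed sample package") // stands in for a package file
	cert, sig := IssueCert(caPriv, "some-author", authPub), ed25519.Sign(authPriv, pkg)
	fmt.Println("chain ok:", VerifyChain([]ed25519.PublicKey{caPub}, cert, pkg, sig))
}
```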