PackageKit Misconceptions

Owen Taylor otaylor at redhat.com
Wed Aug 22 18:47:37 UTC 2007


On 8/22/07, Jesse Keating <jkeating at redhat.com> wrote:
> On Wed, 22 Aug 2007 14:02:47 -0400
> David Zeuthen <davidz at redhat.com> wrote:
>
> > To me, that's totally not what Colin is suggesting. In fact, there are
> > things in his mail that actually suggest to *improve* security such
> > as replacing, IMO, useless dialogs like "Import this GPG key:
> > <hexnumber>" to something more useful (his proposal about timeouts).
> > See also my other mail about asking better questions like "Import
> > this GPG key: <hexnumber>".
>
> I got from it that he just wants to do away with the question
> entirely.  I'm having a hard time figuring out where you guys want to
> go.  On one hand you say you don't want dialogs at all that ask people
> to think or even respond, it just does things.  On the other you say as
> soon as you allow installing software that is outside of the repos we
> ship, the jig is up and we shouldn't care about any sort of security
> from that point on.  I'm lost :(

You are missing the fact that the action we take without asking the
user doesn't have to be "accept"; it can be "deny". And "deny" doesn't
mean that "we're taking capabilities away from the user", it means
"people are forced to think about how this really should have worked".
Asking the user is usually a cop-out for bad design and laziness.

For example, imagine that we enhance our system so that anyone can
have a one-click link on their website to add their GPG key and yum
repository, and we've done the work so:

 A) The information displayed to the user has been audited to be accurate
 B) We provide some sort of reputation system displayed right along
with the question so that you have a basis for an informed decision
 C) We check that you are downloading the information over a secure channel

Then Livna can put such a link on their web site along with
instructions. And it works out vastly better than asking
someone if they like a hex string or not.

- Owen



