Need advice pertaining to GSoC proposal

Debayan Banerjee debayanin at gmail.com
Wed Apr 1 22:32:33 UTC 2009


2009/4/2 James Antill <james at fedoraproject.org>:
> On Thu, 2009-04-02 at 03:09 +0530, Debayan Banerjee wrote:
>
>  Indeed, there are two steps:
>
> 1) I trust XYZ, to get packages from.
> 2) I install package Foo from XYZ.

And why do you trust this repository? How do you know this is to be
trusted? Because it came added by default in the distro. Because it
was mentioned on a Fedora website.
It's the same thing with my approach. Users trust Fedora hosted sites
and they click on these 1-click install links only if it's on a Fedora
site, and hence only add official repositories.
We need the trust-vote-ranking system only for 3rd party repositories.
>
>
>  We already have a format for repository metadata, why do you want to
> use a different one?

What format we use is not an issue at all. I shall use whatever format
the Fedora community is more ready to accept. It really does not matter (I
mean I can use the Fedora meta-data too).
>
>> , GPG key etc. One may
>> upload these xml files on the web and a user may click on these xml
>> files in a browser. Once downloaded, a parser parses the contents
>> of the file and automatically adds the requisite repositories and
>> downloads requisite packages for dependency preservation.
>
>  It can't do this "automatically", it still needs the user to sign off
> on the two distinct steps above.

Yes, and the openSUSE implementation in zypper does sign off on the 2
things above. I was not clear enough.
The package manager asks for the admin password, then asks if she
trusts the repository and adds the GPG key to the keyring. Then it
proceeds to download packages. I meant this all the time.
>
>> http://www.cs.ucr.edu/~dperkins/projects/pk-oci/.
>
>  This was rejected previously due to not being secure, what has changed?

On the security aspect you have the trust-vote system for 3rd party
repos, and official repos are not a problem at all.
There is the risk of users clicking these links on unknown malicious
websites. The user (assuming he is not very careful) has to be *told*
to trust only 2 things: 1) official repos, 2) the trust-vote ranking page,
and to trust nothing else.
>
>> 2) Pluggable Policies:
>> The policy of what to allow to install will not be agreed
>>
>  We already have this, it's called GPG key management.


>
>> 3) Add voting system to Package Manager:
>> The word trust has to mean something that the end user understands, as
>> opposed to GPG keys. One way of defining trust is by votes. It is my
>> proposal that we enable a voting system at the package manager end so
>> that every time a repository is added and a package installed for the
>> first time users are asked for a "Recommend" vs "Do not recommend"
>> vote. Conversely, every time a user disables/removes a repository he
>> is asked whether he votes "Do not recommend". These votes go to a
>> centralised server
>>
>> I was advised on the Fedora list by Patrick Barnes to use the voting
>> approach. I thought it made sense since it will keep evil people
>> (repositories) away
>> the same way Wikipedia protects itself from evil people.
>> Also there may be admins, like me, who shall ban a particular
>> repository from the listings if it is found to be a malicious
>> repository. If a repo is evil, there *will* be several "do not
>> recommend" votes to it too which will attract attention.
>
>  Why do you think votes (esp. those by users) and trust are related? I
> guess it's not a _terrible_ hint, but it's surely not a good one either.
>  We don't do Fedora package reviews by having everyone vote, so I don't
> see why we'd want to do the same thing for (expandable) sets of
> packages.

Well, downloading and installing packages is something any user does
and hence they have a right to vote for what they liked, like voting
for water they consume. Voting for package reviews should be done by
people who understand packaging, not by users who use them. Like
voting for the filtration process at the water treatment plant.
>
>  Given that Fedora, as a distro., don't ship rpmfusion-free-release (for
> both legal and non-legal reasons) ... why do you think they will
> maintain this list?

To help users remain safe. To make users aware. And Fedora is not
recommending any repository at all. It's the users recommending it to
other users (reminds me of p2p). Fedora just hosts that opinion,
nothing else.
>
-- 
Be Intelligent, Use GNU/Linux

http://debayanin.googlepages.com/
http://debayan.wordpress.com
http://lug.nitdgp.ac.in
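The "two distinct steps" James raises, and the risk of links on unknown sites, as an added example that is not code from this thread or from the proposal: a handler that parses a constructed one-click XML file (the layout and hostnames are made up here, since the thread leaves the format open), refuses repositories from hosts the user was not told to trust, and asks for a separate confirmation for "trust XYZ and import its key" and for "install Foo from XYZ".

```python
# Added example (not code from the thread): a one-click-install handler that
# enforces the two separate sign-off steps. XML layout, hostnames and the key
# fingerprint are constructed for illustration.
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample file: one repository and one package it should provide.
SAMPLE_XML = """<oneclick>
  <repository name="XYZ" url="https://repos.example.org/xyz/"
              keyfp="0123456789ABCDEF0123456789ABCDEF01234567"/>
  <package repo="XYZ" name="Foo"/>
</oneclick>"""

# Hosts the user has been told to trust (official sites); all others are refused.
TRUSTED_HOSTS = {"repos.example.org"}


def parse_oneclick(text):
    """Return ({repo_name: {url, keyfp}}, [(repo_name, package_name), ...])."""
    root = ET.fromstring(text)
    repos = {r.get("name"): {"url": r.get("url", ""), "keyfp": r.get("keyfp", "")}
             for r in root.findall("repository")}
    pkgs = [(p.get("repo"), p.get("name")) for p in root.findall("package")]
    return repos, pkgs


def plan_install(text, confirm):
    """Return the actions the package manager may carry out, in order.

    confirm(question) is asked separately for step 1 (trust repository XYZ and
    import its key) and step 2 (install Foo from XYZ). Declining step 1 means
    step 2 is never offered, so nothing happens "automatically".
    """
    repos, pkgs = parse_oneclick(text)
    actions, trusted = [], set()
    for name, info in repos.items():
        parts = urlparse(info["url"])
        if parts.scheme != "https" or parts.hostname not in TRUSTED_HOSTS:
            actions.append(("refuse", name))   # link points at an unknown site
            continue
        if confirm(f"Trust repository {name} at {info['url']} "
                   f"(key fingerprint {info['keyfp']})?"):
            trusted.add(name)
            actions += [("add_repo", name), ("import_key", info["keyfp"])]
    for repo, pkg in pkgs:
        if repo not in trusted:
            actions.append(("skip", pkg))      # repo was refused or declined
            continue
        if confirm(f"Install package {pkg} from {repo}?"):
            actions.append(("install", pkg))
    return actions
```

Running it with a real prompt in place of the `confirm` callback gives the zypper-style flow described above: trust question, key import, then a separate install question.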