El 23/02/18 a les 15:42, bill-auger ha escrit:
> On 02/23/2018 02:40 AM, Narcis Garcia wrote:
>> If a web developer publishes with scripts, those scripts should include
>> at least Name+Version and md5/hash. First time IceCat visits that
>> website, it should download script from trusted repository
> youre getting close, but who puts all these untrusted scripts into said
> trusted repository? the developer? - so by which trusted authority and
> by which process should they be evaluated, verified, and otherwise
> deemed trustworthy? should it be trusted merely because it exists in a
> user-curated central repository?
> how is that any different than getting the script directly from their
> server, hashing it, and checking against your local cache? (i think that
> is how libreJS operates) - in either case, the most that could be said
> about any script is that it is versioned and hashed and so your browser
> can indicate if it has seen it before and you can be sure that you will
> get the same script each time you request it, and that others will get
> that same script - but it is an unreasonable leap from "my browser has
> seen it before" to "it has a valid license" or "it is respecting my privacy"
> in practice, i would expect such a repository to be nothing different
> than what you find today in the package managers for nodejs, ruby,
> python, and etc; namely: a heap of un-vetted miscellania pushed there by
> *whoever* and reviewed by no one; most of which has no declared license
> at all - and keep in mind, that is what you get when developers have the
> mind to *want* their software in repositories - before you could get
> that they should publish to central repositories (not the norm) - *then*
> norm) - then perhaps in addition you might try to convince them that a
> should be sure to publish their sources along with the obfuscated
> versions so that others can actually read the code (not the norm)
Do you use some GNU/Linux distribution?
"central" and "optional" repositories work similar to this manner.
When a Trisquel user aggregates a Ubuntu repository, this user is
trusting Ubuntu packaging policy, and Trisquel package manager (Dpkg/APT
in this example) is open enough to fit any user criteria.
Although most GNU distributions are based on a package manager for the
software admittance, much software is available for GNU/Linux without
this procedure, and some users force the installation because they want.
About trusting chain, x509 have same problem, and every web browser has
integrated some solution to trust certificate issuers.
I'm not talking about a really new idea; only to apply what is already
common for other ICT areas. If Mozilla Foundation is not taking the
leadership for this solution, it's not GnuZilla's fault.