-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 06.02.2013 20:00, Lennart Regebro wrote:
> On Wed, Feb 6, 2013 at 6:20 PM, Zygmunt Krynicki
> <zygmunt.kryni...@canonical.com> wrote:
>> You would first download django (either signed or not) and get
>> prompted if you want to trust the signer for that project (or if
>> the file was not signed, to trust this particular file for django
>> in the future).
>
> Getting a lot of questions that you have no choice but to answer "yes"
> to is not really an increase in security. This doesn't in practice
> increase security against people writing "bad" software in one
> sense or another. It does increase the security against
> man-in-the-middle attacks, but we can get that without having to
> answer yes for every package we download. (Have you any idea how many
> packages are in Plone? ;-)) The warnings that signatures and keys
> have changed would be enough for that.
That is a one-time operation. Still, I agree it's tedious and some users might just blindly click "next" unless we can pre-seed the system with trust somehow (and that's not something I think is possible). I suspect that a middle ground _can_ be reached, where users would be protected from some popular and easy attacks while some group of users could opt into the stricter trust-based security.

>> I realize this interface is not perfect
>
> Nothing is perfect! :-)
>
>> but it solves practically all of the current issues. Most
>> importantly it can be applied to all existing software today, so
>> we get the benefits without asking everyone to fix their story.
>
> I don't see how it solves the current issues unless everyone signs
> their packages, which is asking people to fix their story.

Sorry, you are right. My example assumed you were familiar with what I'm doing with distrust (https://github.com/zyga/distrust), where it works just as well for current unsigned software.

Thanks
ZK
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBAgAGBQJRErRGAAoJECiU6TooxntHdr0QAKy3sCM17Frcb5ARJSoPuCZs
9gH61bQk7XCDjchBGFLqnXWmrpksnBXqXACPsoCdyldy/wH7y0YoGysJgaKd0j0t
ttHKZFXUYGEkcVaGVxOFKL/UDRm+kSrkwAyw3c0WFgW9eeymrwaJ9//6dnfiVEPy
aDuJ7YVEFsUBQu+x6BuzFIFhgBWpsJC+U7z1p1A3Wq26RazxRtY6stjzWGXNtJZI
o91QqypK2BwX8P4+CQuJbHOqlcmBZGNJDaeJ/eYDb7SoaDNUiv9vALl3PTOsALAC
RHkJtlo8RL33yUth3bTBcU741yDJyBdhwh/DKEn/ntPeYS0qlHItkYkQFTINrG3Z
Cbm/MFgPmVK3IEWalwS9NFpzKdC7I5CXefsHT4whMnd/sYNz1qR9sbobkt173FkJ
faE52++ULA4tIjrf2c9tJQifx0mjGNWEOMivOkBQo/lVRIxUvUDXaNnXlzeboRvb
/tf1KseId3hAvi/3Aut9k4deSLUwvgaAFxolTx+m9F8oObsVOvS3i984Mr+5AC6A
q8W5UU+0Iyb0DwBeOLa3vJ9TOaEG1gpE/9YA0t1cPRMFnBJ4Ld4Mso9nilGkvLur
pehWTm4v5mLRnJIH9Me2p5bI70FDhX5cXpXLjjfkD/DY1+/smyncqcYTQR/4d/Px
9nV1Y3YmsMa1XsD9Yjtp
=HRFn
-----END PGP SIGNATURE-----
_______________________________________________
Catalog-SIG mailing list
Catalog-SIG@python.org
http://mail.python.org/mailman/listinfo/catalog-sig
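The trust-on-first-use scheme the two messages above argue over (pin the signer per project, or the file itself when the project is unsigned, prompt on first use, and warn when a pin no longer matches), written out as an added Python example. This is not code from distrust or from PyPI; it is an illustration of the mechanism. The project names, file contents and key fingerprints are constructed, and the signer fingerprint is assumed to come from an external signature check (for example `gpg --verify`) that the caller has already run before consulting the store.

```python
"""Trust-on-first-use pin store for downloaded packages (added example).

Assumptions, not facts from the thread:
- a project is identified by its distribution name, e.g. "django";
- for signed files the caller has already verified the signature with an
  external tool and passes in the signer's key fingerprint;
- unsigned files are pinned per file by SHA-256, so every new release of an
  unsigned project prompts again (the tedium Lennart objects to).
"""
import hashlib
import json
from pathlib import Path

# Decisions the installer acts on.
FIRST_USE = "first-use"  # nothing comparable pinned yet: ask the user
OK = "ok"                # matches the pin: proceed silently
CHANGED = "changed"      # a pin exists but does not match: warn loudly


class TrustStore:
    def __init__(self, path=None):
        # path=None keeps the store in memory; a path persists it as JSON.
        self.path = Path(path) if path else None
        self.pins = {}  # project -> {"signer": fpr} or {"sha256": [digest, ...]}
        if self.path and self.path.exists():
            self.pins = json.loads(self.path.read_text())

    def save(self):
        if self.path:
            self.path.write_text(json.dumps(self.pins, indent=2, sort_keys=True))

    @staticmethod
    def digest(data):
        return hashlib.sha256(data).hexdigest()

    def check(self, project, data, signer_fpr=None):
        """Classify a download against the pins without modifying the store."""
        pin = self.pins.get(project)
        if pin is None:
            return FIRST_USE
        if signer_fpr is not None:
            if "signer" in pin:
                # Signed project: the key must be the one trusted before.
                return OK if pin["signer"] == signer_fpr.upper() else CHANGED
            # Project was pinned by file hash and is now signed: ask about
            # the new signer rather than silently accepting it.
            return FIRST_USE
        if "signer" in pin:
            # A signed project arriving unsigned is a downgrade, the case a
            # man-in-the-middle who strips signatures would produce.
            return CHANGED
        if self.digest(data) in pin.get("sha256", []):
            return OK
        # Unsigned project, unseen file: indistinguishable from a new release,
        # so the user is prompted again.
        return FIRST_USE

    def trust(self, project, data, signer_fpr=None):
        """Record the user's 'yes' answer for this download."""
        if signer_fpr is not None:
            self.pins[project] = {"signer": signer_fpr.upper()}
        else:
            pin = self.pins.get(project)
            if not pin or "signer" in pin:
                # New project, or an explicitly accepted downgrade to unsigned.
                pin = self.pins[project] = {"sha256": []}
            pin["sha256"].append(self.digest(data))
        self.save()


def demo():
    """Walk through both flavours of project; all inputs are constructed."""
    store = TrustStore()
    django_1 = b"django-1.4.tar.gz (constructed sample bytes)"
    django_2 = b"django-1.5.tar.gz (constructed sample bytes)"
    alice = "0123456789ABCDEF0123456789ABCDEF01234567"    # hypothetical key
    mallory = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"  # hypothetical key
    results = []
    # Signed project: one prompt, then silent, then a warning on a new key
    # or on a file that arrives without a signature.
    results.append(store.check("django", django_1, alice))
    store.trust("django", django_1, alice)
    results.append(store.check("django", django_2, alice))
    results.append(store.check("django", django_2, mallory))
    results.append(store.check("django", django_2))
    # Unsigned project: pinned per file, so each release prompts again.
    plone_1 = b"plone-4.2 (constructed sample bytes)"
    plone_2 = b"plone-4.3 (constructed sample bytes)"
    results.append(store.check("plone", plone_1))
    store.trust("plone", plone_1)
    results.append(store.check("plone", plone_1))
    results.append(store.check("plone", plone_2))
    return results


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The walk-through makes both positions in the thread concrete: a signed project costs one prompt per signer and then only warns on a key change or a stripped signature, while an unsigned project pinned by file hash prompts at every release, which is where the "click next" fatigue Zygmunt concedes comes from.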