On Fri, 16 Mar 2012 13:08:54 +0000 Ben Francis wrote:

> > > Surely there should be no central authority for permissions requests other
> > > than the user?

I'd say that's correct, but hopefully a repo-type store or verified source store may come along, and rather than users checking mozilla.inc and google.inc authors they could accept stores and entities. This could also extend itself to business admins of devices who say only these stores can be used without an administrative request, or "OK users, these stores are fine to use as you will, but it would be best if you clear any others with the admins".

p.s. I didn't use the word enterprise because the word just brings crap mail servers to my mind.

> >
> > ah - yes. but are the users technically competent to evaluate the
> > safety of the code? no, they're not. they haven't got time. so
> > whilst the word "permissions" is the wrong word to use, the concepts
> > in this section are still kinda sound.
> >
>
> To be honest, other than verifying that an app developer is who they say
> they are and displaying this verification in the app description, I'm not
> sure how feasible it is for the app store to verify that a web app (which
> has a server-side component) is safe without having full access to the
> entire source code of the app and checking every change that's made to that
> source code.

That's the only real security and what most Linux desktops currently do by default, less so Mint. (Well, if you ignore the binary blobs put into kernels that OpenBSD refuses to put in by default, and for good reasons.)

> I could be wrong but this seems to me to be more of a
> contractual issue of trust between the owner of the store and app
> developers than a technical one.

Yeah, but what does that actually prevent or mean to anyone, apart from violators re-registering with a new email and maybe paying a small fee, which could tie it into the banking payment identification system to raise the bar for closed source apps? That's a good feature for the masses, but it's still not really any kind of security.
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
