On 03/07/2014 10:33 PM, Tres Finocchiaro wrote:
>
> There is no centralized keysigning authority that we could trust.
>
> Speak for yourself please.
> This is what OCSP and CRL is for. Nearly every secure communication
> one uses to the web uses trusted certificate. Too expensive? Valid
> concern. Can't trust them? I'd argue we already do.
https certificates are not safe. SSL is not safe. NSA has access to them
and can spoof them if they want. No central signing authority can be
ultimately trusted, especially not any that is maintained inside the
USA, where the NSA can give secret court orders to any corporation and
demand them to give access to any information they need, and to keep it
all secret. NSA has been known to put backdoors into commercial,
closed-source cryptography software, again by secret court orders. NSA
has been known to spoof SSL certi
We can't trust any 3rd-party keysigner that is based in the USA. In
fact, the whole central-source-of-trust-model is outdated as its
weaknesses have been shown by recent events.
Please read https://en.wikipedia.org/wiki/2013_mass_surveillance_disclosures
>
> We can't do anything to web browsers. Browsers have other security
> mechanisms in place - mozilla and chrome both already have
> contingencies in place for situations like that - blacklists,
> security warnings, etc.
>
> So what exactly is our problem with offering a link then?
>
The link may not work indefinitely. Some day, someone else may have that
address - particularly, since that link is dependent on a 3rd party
platform, such as Sourceforge. What if SF goes bankrupt and someone else
buys the domain? What if it's some scam artist, who notices that lots of
links still point to the site, and uses that to their advantage?
Browser security doesn't cover situations where the link is legitimately
transfered to another party. We'd have that link in that version of our
software forever, no matter if it stops working one day.
When the link is embedded in our software, the users will get the
impression that we guarantee the viability of that link. It's not a
matter of legal responsibility, it's a matter of moral responsibility -
we have the moral responsibility to offer the best possible security we
can to our users, even if we aren't legally obligated to.
------------------------------------------------------------------------------
Subversion Kills Productivity. Get off Subversion & Make the Move to Perforce.
With Perforce, you get hassle-free workflows. Merge that actually works.
Faster operations. Version large binaries. Built-in WAN optimization and the
freedom to use Git, Perforce or both. Make the move to Perforce.
http://pubads.g.doubleclick.net/gampad/clk?id=122218951&iu=/4140/ostg.clktrk
_______________________________________________
LMMS-devel mailing list
LMMS-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lmms-devel
