Darren Reed wrote:
On 11/09/09 02:09 PM, Shawn Walker wrote:
Darren Reed wrote:
On 11/09/09 12:37 PM, Shawn Walker wrote:
Nicolas Williams wrote:
Bottom-line: by designing without security in mind, you're likely to
screw up in ways that require that you go back to the drawing board.
Spending a little more time gathering requirements and thinking about
these related problems will reduce the likelihood that you'll have to
re-design later.
No, the bottom line is that the security aspects do not have to be
a part of the core, high-level concepts involved with a publisher,
repository, stream, etc. They are an addition to, not a
requirement of, those models.
It is severely premature to attempt to even begin to worry about
key/cert signing, etc. before an agreement on the very basic
high-level concepts used has been achieved. Please stop banging
the security drum or making wild accusations about being ignored.
The feedback requested here is not security-related; when we're
ready for that, the advice will be greatly appreciated.
To do security well requires that it be part of the initial, core,
design, not tacked on later. Thus it needs to be reviewed with the
other core components.
If you don't do it that way, then the chances of getting the
security right are greatly diminished.
I'll just have to agree to disagree. Again, we're talking about such
high level concepts that keys and certs don't even enter into the
picture IMO.
Shawn, don't you think it is odd that there are multiple people who
agree with something that you disagree about? Don't you begin to
suspect that there's a slight chance that they might be agreeing with
each other for a very good reason? And that perhaps the reason they
agree is actually worth paying attention to?
There is a lot of very good evidence that "bolted on" security makes
for "bad security" and that getting it right, by design, from the
start, gives you a much higher chance of success.
Darren
_______________________________________________
pkg-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/pkg-discuss
So, not to speak for Shawn, but I think my confusion revolves around why
the idea of adding streams to the UI and making publishers (rather than
depots) the thing a user interacts with has any security implications.
Now, the discussion on manifest signing clearly has those implications,
so having a relevant discussion on that thread makes sense. Why is it here?
Brock