"Thomas Leonard" <[EMAIL PROTECTED]> writes: > I think you'll find the security model is rather different in Zero Instal= l. > > In particular, it should never "break" a user account, since it only > ever writes to the directories ~/.config/0install.net > and ~/.cache/0install.net (which I presume Ubuntu isn't using for anything > else ;-).
Err, that's fair enough. My concern is rather, that code from unknown/unauthorized 3rd parties is executed, so the perfect way to inject trojan or other malware. >> Furthermore, I have some security concerns (who validates/authorizes a >> signature from one upstream). > > The user installing the software, assisted by a "hints" database of known > keys. While you can try to protect users from installing malware, at the > end of the day it *is* their computer, and they have to make the final > judgement. Where do these 'known' keys come from? Who authorizes these keys? > Please let me know if you have any other concerns. Well, in ubuntu, the archives key come from the installation media. I have the concern that it may seem that including 0install could imply that we 'authorize' other 3rd party software. I fear that we'll get bugreports from 3rd party software by users, who have installed random software via 0install, and that we will not be able to support them. -- Gruesse/greetings, Reinhard Tartler, KeyID 945348A4
pgppNPFl29hPt.pgp
Description: PGP signature
-- Ubuntu-motu mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-motu
